Advice on Certificates used (SSHD)
I used openvas to check my security and started to modify my sshd_config to exclude known risks. I thought I managed to increase the level by lowering the risk via this config.
But I ran into a challenge tonight where I was not able to log in anymore via SSH (after a power failure on the machine). In the end everything was working except SSH. Via the command line and systemctl -xe I found that the lines starting with a ? were causing the issue. They are currently not active, so I have access, but I still would like to have a secure platform.
I know that these settings are part of the situation you are in (in reference to the algorithms used on other machines), but I don't have that.
Most of the info on the internet (how to set up, incl. examples) doesn't provide a date stamp. In other words, it can be outdated. Can someone advise what the best config is at the moment (March 2022)?
AddressFamily inet
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
#ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
?MACs AnyStd:
#MACs hmac-sha1,[email protected],hmac-ripemd160
?KexAlgorithms AnyStd:
# KexAlgorithms diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
?SSLProtocol all -SSLv2 -SSLv3
?SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!EXP:+eNULL:!SSLv2:!SSLv3
?ssl_prefer_server_ciphers off;
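The failure described in the question (sshd refusing to start after a config edit) is the kind of thing a pre-restart lint catches. The script below is an added example for this question, not code from the original post or from OpenSSH. It parses an sshd_config in OpenSSH's one-directive-per-line syntax, reports lines sshd would reject (the `?` lines, and the `SSLProtocol` / `SSLCipherSuite` / `ssl_prefer_server_ciphers` directives, which are Apache mod_ssl and nginx keywords rather than sshd_config keywords), flags algorithm names that are widely considered weak, and compares the remaining names with what the local `ssh -Q` reports. The `WEAK` table, the `FOREIGN` set and the sample config are this example's own constructions; `sshd_syntax_ok` wraps the real `sshd -t -f` check, which normally needs root to read the host keys.

```python
"""Lint an sshd_config before restarting sshd (added example, not from the post)."""
import re
import shutil
import subprocess

# OpenSSH directive syntax: a keyword, an optional '=', then the value.
DIRECTIVE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=?\s*(?P<value>.*)$")

# Directives whose value is a comma-separated algorithm list, with the
# matching 'ssh -Q' query name.
ALGO_KEYS = {"Ciphers": "cipher", "MACs": "mac", "KexAlgorithms": "kex"}

# Algorithms widely considered weak today (this example's own summary).
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit group and SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1 hash",
    "diffie-hellman-group14-sha1": "SHA-1 hash",
    "hmac-sha1": "SHA-1 MAC",
    "hmac-ripemd160": "obsolete MAC",
}

# Keywords that belong to Apache mod_ssl / nginx, not to sshd_config;
# sshd refuses to start on an unknown keyword.
FOREIGN = {"SSLProtocol", "SSLCipherSuite", "ssl_prefer_server_ciphers"}


def parse_sshd_config(text):
    """Return (directives, problems): directives is a list of (key, value),
    problems a list of (line_no, message) for lines sshd would reject."""
    directives, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:  # e.g. a line starting with '?'
            problems.append((n, f"not a 'Keyword value' line: {line!r}"))
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key in FOREIGN:
            problems.append((n, f"{key} is not an sshd_config keyword"))
            continue
        directives.append((key, value))
    return directives, problems


def check_algorithms(directives, supported):
    """Flag weak algorithm names and names the local ssh does not know.
    'supported' maps query name -> set of names; a missing query is skipped."""
    findings = []
    lookup = {k.lower(): v for k, v in ALGO_KEYS.items()}  # keywords are case-insensitive
    for key, value in directives:
        query = lookup.get(key.lower())
        if query is None:
            continue
        # OpenSSH allows a leading +, - or ^ to modify the default list.
        names = [a.strip() for a in value.lstrip("+-^").split(",") if a.strip()]
        for name in names:
            if name in WEAK:
                findings.append((key, name, "weak: " + WEAK[name]))
            elif supported.get(query) is not None and name not in supported[query]:
                findings.append((key, name, "unsupported by local ssh"))
    return findings


def local_supported():
    """Ask the installed ssh client which algorithms it knows; {} if absent."""
    if shutil.which("ssh") is None:
        return {}
    out = {}
    for query in ALGO_KEYS.values():
        res = subprocess.run(["ssh", "-Q", query], capture_output=True, text=True)
        out[query] = set(res.stdout.split())
    return out


def sshd_syntax_ok(path):
    """Run 'sshd -t -f path' (the check to do before any restart).
    Returns None when sshd is not installed on this host."""
    if shutil.which("sshd") is None:
        return None
    return subprocess.run(["sshd", "-t", "-f", path], capture_output=True).returncode == 0


def lint(text, supported):
    directives, problems = parse_sshd_config(text)
    return problems, check_algorithms(directives, supported)


# Constructed sample modelled on the question's config (not the poster's file).
SAMPLE = """\
AddressFamily inet
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
?MACs AnyStd:
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
?SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH
ssl_prefer_server_ciphers off;
"""

if __name__ == "__main__":
    problems, findings = lint(SAMPLE, local_supported())
    for n, msg in problems:
        print(f"line {n}: {msg}")
    for key, name, msg in findings:
        print(f"{key}: {name}: {msg}")
```

Run it against a copy of the real file (`lint(open("/etc/ssh/sshd_config.new").read(), local_supported())`) and then `sshd_syntax_ok("/etc/ssh/sshd_config.new")` before moving the file into place; a config that fails either check is the one that leaves the host without SSH after the next reboot.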