Commit baf011d

hard-coded environment variables, removed deprecated variables, updated cipher orders
1 parent ab1ce20 commit baf011d

1 file changed

+13
-8
lines changed

sshd_config

Lines changed: 13 additions & 8 deletions
@@ -1,7 +1,11 @@
11
# Name: K4YT3X Hardened OpenSSH Configuration
22
# Author: K4YT3X
33
# Date Created: October 5, 2020
4-
# Last Updated: October 8, 2020
4+
# Last Updated: October 10, 2020
5+
6+
# Licensed under the GNU General Public License Version 3 (GNU GPL v3),
7+
# available at: https://www.gnu.org/licenses/gpl-3.0.txt
8+
# (C) 2020 K4YT3X
59

610
########## Binding ##########
711

@@ -19,12 +23,17 @@
1923
########## Features ##########
2024

2125
# accept locale-related environment variables
22-
AcceptEnv LANG LC_*
26+
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
27+
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
28+
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
29+
AcceptEnv XMODIFIERS
2330

2431
# disallow ssh-agent forwarding to prevent lateral movement
2532
AllowAgentForwarding no
2633

2734
# prevent TCP ports from being forwarded over SSH tunnels
35+
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
36+
# any user with an interactive login shell can spin up his/her own instance of sshd
2837
AllowTcpForwarding no
2938

3039
# prevent StreamLocal (Unix-domain socket) forwarding
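Review bot: the expanded AcceptEnv block does more than hard-code the old `LC_*` glob: it also adds `LANGUAGE` and `XMODIFIERS`, which the previous line never accepted, and the commit message does not mention them. Since every AcceptEnv variable is a client-supplied value that lands in the session environment, the two new names should be called out and justified in the comment above the block. Separately, the new note under `AllowTcpForwarding no` uses markdown bold (`**...**`) inside an sshd_config comment, which reads oddly in a plain config file; the point it makes (a user with a shell can run their own forwarder) is a good reason to state that accounts which only need tunnels should not be given an interactive shell at all.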
@@ -44,10 +53,6 @@ PermitTunnel no
4453
# suppress MOTD
4554
PrintMotd no
4655

47-
# use kernel sandbox mechanisms where possible in unprivileged processes
48-
# systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere
49-
UsePrivilegeSeparation sandbox
50-
5156
# disable X11 forwarding since it is not necessary
5257
X11Forwarding no
5358

@@ -93,8 +98,8 @@ PubkeyAuthentication yes
9398
# explicitly define cryptography algorithms to avoid the use of weak algorithms
9499
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
95100
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
96-
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
97-
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
101+
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
102+
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
98103

99104
########## Connection Preferences ##########
100105
