[1/2,v3] add hardened SSH server configuration

Message ID 0f061eff-7d1b-b54a-f5d0-a5dcd32d6b2c@link38.eu
State Superseded
Series: [1/2,v3] add hardened SSH server configuration

Commit Message

Peter Müller Sept. 10, 2018, 2:47 a.m. UTC
In order to harden the OpenSSH server in IPFire, using the upstream default configuration
and editing it via sed commands in the LFS file is error-prone and does not scale.

Therefore we ship a custom and more secure OpenSSH server configuration which
is copied into the image during build time.

The third version of this patch corrects the default value where no root login was
possible (default is "prohibit-password") on default installations. It also
enables password-based authentication by default so rewriting this during
startup becomes obsolete.

Fixes #11750
Fixes #11751
Partially fixes #11538

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
---
 config/ssh/sshd_config | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 config/ssh/sshd_config
  

Comments

Michael Tremer Sept. 10, 2018, 3:24 a.m. UTC | #1
On Sun, 2018-09-09 at 18:47 +0200, Peter Müller wrote:
> In order to harden OpenSSH server in IPFire, using the upstream default
> configuration
> and edit it via sed commands in LFS file is error-prone and does not scale.
> 
> Thereof we ship a custom and more secure OpenSSH server configuration which
> is copied into the image during build time.
> 
> The third version of this patch corrects default value where no root login was
> possible (default is "prohibit-password") on default installations. It also
> enables password-based authentication by default so rewriting this during
> startup becomes obsolete.
> 
> Fixes #11750
> Fixes #11751
> Partially fixes #11538
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
> Cc: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  config/ssh/sshd_config | 82
> ++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 82 insertions(+)
>  create mode 100644 config/ssh/sshd_config
> 
> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
> new file mode 100644
> index 000000000..8b8e042c4
> --- /dev/null
> +++ b/config/ssh/sshd_config
> @@ -0,0 +1,82 @@
> +# ultra-secure OpenSSH server configuration
> +
> +# only allow version 2 of SSH protocol
> +Protocol 2
> +
> +# listen on port 22 by default
> +Port 22
> +
> +# listen on these interfaces and protocols
> +AddressFamily any
> +ListenAddress 0.0.0.0
> +ListenAddress ::
> +
> +# limit authentication thresholds
> +LoginGraceTime 30s
> +MaxAuthTries 3
> +
> +# limit maximum instanctes to prevent DoS
> +MaxStartups 5
> +
> +# ensure proper logging
> +SyslogFacility AUTH
> +LogLevel INFO
> +
> +# enforce permission checks before a login is accepted
> +# (prevents damage because of hacked systems with world-writeable
> +# home directories or similar)
> +StrictModes yes
> +
> +# only allow safe crypto algorithms (may break some _very_ outdated clients)
> +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
> +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-
> sha256
> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
> aes128-gcm@openssh.com
> +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
> umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
> +
> +# enable data compression after successful login only
> +Compression delayed
> +
> +# only allow cryptographically safe SSH host keys (adjust paths if needed)
> +HostKey /etc/ssh/ssh_host_ed25519_key
> +HostKey /etc/ssh/ssh_host_ecdsa_key
> +HostKey /etc/ssh/ssh_host_rsa_key
> +
> +# only allow login via public key by default
> +PubkeyAuthentication yes
> +PasswordAuthentication yes

We cannot enable PasswordAuthentication in the image by default.

> +ChallengeResponseAuthentication no
> +PermitEmptyPasswords no
> +
> +# permit root login as there is no other user in IPFire 2.x
> +PermitRootLogin yes
> +
> +# specify preferred authentication methods (public keys come first)
> +AuthenticationMethods publickey,password
> +
> +# ignore user ~/.rhost* files
> +IgnoreRhosts yes
> +
> +# ignore user known hosts file
> +IgnoreUserKnownHosts yes
> +
> +# ignore user environments
> +PermitUserEnvironment no
> +
> +# do not allow any kind of forwarding (provides only low security)
> +# some of them might need to be re-enabled if SSH server is a jump platform
> +X11Forwarding no
> +AllowTcpForwarding no
> +AllowAgentForwarding no
> +PermitTunnel no
> +GatewayPorts no
> +PermitOpen none
> +
> +# detect broken sessions by sending keep-alive messages to
> +# clients (both via TCP and SSH)
> +TCPKeepAlive yes
> +ClientAliveInterval 10
> +
> +# close unresponsive SSH sessions which fail to answer keep-alive
> +ClientAliveCountMax 6
> +
> +# EOF
  
Michael Tremer Sept. 26, 2018, 10:50 p.m. UTC | #2
On Sun, 2018-09-09 at 18:24 +0100, Michael Tremer wrote:
> On Sun, 2018-09-09 at 18:47 +0200, Peter Müller wrote:
> > In order to harden OpenSSH server in IPFire, using the upstream default
> > configuration
> > and edit it via sed commands in LFS file is error-prone and does not scale.
> > 
> > Thereof we ship a custom and more secure OpenSSH server configuration which
> > is copied into the image during build time.
> > 
> > The third version of this patch corrects default value where no root login
> > was
> > possible (default is "prohibit-password") on default installations. It also
> > enables password-based authentication by default so rewriting this during
> > startup becomes obsolete.
> > 
> > Fixes #11750
> > Fixes #11751
> > Partially fixes #11538
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > Cc: Marcel Lorenz <marcel.lorenz@ipfire.org>
> > Cc: Michael Tremer <michael.tremer@ipfire.org>
> > ---
> >  config/ssh/sshd_config | 82
> > ++++++++++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 82 insertions(+)
> >  create mode 100644 config/ssh/sshd_config
> > 
> > diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
> > new file mode 100644
> > index 000000000..8b8e042c4
> > --- /dev/null
> > +++ b/config/ssh/sshd_config
> > @@ -0,0 +1,82 @@
> > +# ultra-secure OpenSSH server configuration
> > +
> > +# only allow version 2 of SSH protocol
> > +Protocol 2
> > +
> > +# listen on port 22 by default
> > +Port 22
> > +
> > +# listen on these interfaces and protocols
> > +AddressFamily any
> > +ListenAddress 0.0.0.0
> > +ListenAddress ::
> > +
> > +# limit authentication thresholds
> > +LoginGraceTime 30s
> > +MaxAuthTries 3

Unfortunately I overlooked this line which rendered the final image of Core 124
unusable. With my three host keys, I did not get the password login prompt and
could not login.

This is a huge usability issue and therefore I changed it back to the default of
6.

The current update on the servers ships this change and might render SSH login
impossible for some users. Arne is rebuilding the whole release right now and
will distribute new images soon.

More details are in my commit message:


https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=0a5823db023c32135b1cd3fc9c8a426cd1d70b31

-Michael

> > +
> > +# limit maximum instanctes to prevent DoS
> > +MaxStartups 5
> > +
> > +# ensure proper logging
> > +SyslogFacility AUTH
> > +LogLevel INFO
> > +
> > +# enforce permission checks before a login is accepted
> > +# (prevents damage because of hacked systems with world-writeable
> > +# home directories or similar)
> > +StrictModes yes
> > +
> > +# only allow safe crypto algorithms (may break some _very_ outdated
> > clients)
> > +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
> > +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-
> > sha256
> > +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
> > aes128-gcm@openssh.com
> > +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
> > umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
> > +
> > +# enable data compression after successful login only
> > +Compression delayed
> > +
> > +# only allow cryptographically safe SSH host keys (adjust paths if needed)
> > +HostKey /etc/ssh/ssh_host_ed25519_key
> > +HostKey /etc/ssh/ssh_host_ecdsa_key
> > +HostKey /etc/ssh/ssh_host_rsa_key
> > +
> > +# only allow login via public key by default
> > +PubkeyAuthentication yes
> > +PasswordAuthentication yes
> 
> We cannot enable PasswordAuthentication in the image by default.
> 
> > +ChallengeResponseAuthentication no
> > +PermitEmptyPasswords no
> > +
> > +# permit root login as there is no other user in IPFire 2.x
> > +PermitRootLogin yes
> > +
> > +# specify preferred authentication methods (public keys come first)
> > +AuthenticationMethods publickey,password
> > +
> > +# ignore user ~/.rhost* files
> > +IgnoreRhosts yes
> > +
> > +# ignore user known hosts file
> > +IgnoreUserKnownHosts yes
> > +
> > +# ignore user environments
> > +PermitUserEnvironment no
> > +
> > +# do not allow any kind of forwarding (provides only low security)
> > +# some of them might need to be re-enabled if SSH server is a jump platform
> > +X11Forwarding no
> > +AllowTcpForwarding no
> > +AllowAgentForwarding no
> > +PermitTunnel no
> > +GatewayPorts no
> > +PermitOpen none
> > +
> > +# detect broken sessions by sending keep-alive messages to
> > +# clients (both via TCP and SSH)
> > +TCPKeepAlive yes
> > +ClientAliveInterval 10
> > +
> > +# close unresponsive SSH sessions which fail to answer keep-alive
> > +ClientAliveCountMax 6
> > +
> > +# EOF
  

Patch

diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
new file mode 100644
index 000000000..8b8e042c4
--- /dev/null
+++ b/config/ssh/sshd_config
@@ -0,0 +1,82 @@ 
+# ultra-secure OpenSSH server configuration
+
+# only allow version 2 of SSH protocol
+Protocol 2
+
+# listen on port 22 by default
+Port 22
+
+# listen on these interfaces and protocols
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+# limit authentication thresholds
+LoginGraceTime 30s
+MaxAuthTries 3
+
+# limit maximum instanctes to prevent DoS
+MaxStartups 5
+
+# ensure proper logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# enforce permission checks before a login is accepted
+# (prevents damage because of hacked systems with world-writeable
+# home directories or similar)
+StrictModes yes
+
+# only allow safe crypto algorithms (may break some _very_ outdated clients)
+# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# enable data compression after successful login only
+Compression delayed
+
+# only allow cryptographically safe SSH host keys (adjust paths if needed)
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# only allow login via public key by default
+PubkeyAuthentication yes
+PasswordAuthentication yes
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+
+# permit root login as there is no other user in IPFire 2.x
+PermitRootLogin yes
+
+# specify preferred authentication methods (public keys come first)
+AuthenticationMethods publickey,password
+
+# ignore user ~/.rhost* files
+IgnoreRhosts yes
+
+# ignore user known hosts file
+IgnoreUserKnownHosts yes
+
+# ignore user environments
+PermitUserEnvironment no
+
+# do not allow any kind of forwarding (provides only low security)
+# some of them might need to be re-enabled if SSH server is a jump platform
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitTunnel no
+GatewayPorts no
+PermitOpen none
+
+# detect broken sessions by sending keep-alive messages to
+# clients (both via TCP and SSH)
+TCPKeepAlive yes
+ClientAliveInterval 10
+
+# close unresponsive SSH sessions which fail to answer keep-alive
+ClientAliveCountMax 6
+
+# EOF
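Review bot: `AuthenticationMethods publickey,password` does not mean "public keys come first" as the comment above it states; in sshd_config a comma-separated list is a chain in which every method must succeed, so with this line a user who has no authorized public key never reaches a password prompt, and the `PasswordAuthentication yes` two stanzas earlier is effectively dead. If the intent is to accept either method, use the space-separated alternative form (`AuthenticationMethods publickey password`) or drop the directive entirely, since the client-side default already tries public keys before passwords. The same stanza interacts badly with `MaxAuthTries 3`: every public key a client offers counts as one attempt, so a client with three or more keys in its agent exhausts its tries before password authentication is even attempted, which is the lock-out described in comment #2; the upstream default of 6 is the safer starting point. Smaller points: `Protocol 2` is a no-op on OpenSSH releases that have dropped protocol 1 support, the comment "limit maximum instanctes" has a typo ("instances"), and the "only allow cryptographically safe SSH host keys" comment sits at odds with the linked stribika article, which recommends removing the ECDSA host key and keeping only Ed25519 and RSA.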