From 9f6c794ee2ed91f65b570176d3eb729777817bc4 Mon Sep 17 00:00:00 2001 From: Jose Luis Duran Date: Fri, 16 Jul 2021 14:17:30 -0300 Subject: [PATCH] NanoBSD/rescue: Update to 20200214 OpenSSH configuration files No functional change intended. --- .../nanobsd/rescue/Files/etc/ssh/ssh_config | 19 ++++--- .../nanobsd/rescue/Files/etc/ssh/sshd_config | 52 ++++++++++--------- 2 files changed, 39 insertions(+), 32 deletions(-) diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config index 07e4086bbbbb..e7d969abed25 100644 --- a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config +++ b/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $ +# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ # $FreeBSD$ # This is the ssh client system-wide configuration file. See @@ -21,8 +21,6 @@ # Host * # ForwardAgent no # ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no @@ -32,15 +30,20 @@ # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 # Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc +# Protocol 2 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no -# VersionAddendum FreeBSD-20061110 +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h +# VerifyHostKeyDNS yes +# VersionAddendum FreeBSD-20200214 diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config index 96572d967e9b..23eec590c9eb 100644 --- a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config +++ b/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # $FreeBSD$ # This is the sshd server system-wide configuration file. See @@ -8,31 +8,25 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options. -#VersionAddendum FreeBSD-20061110 - #Port 22 -#Protocol 2 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 +# Ciphers and keying +#RekeyLimit default none # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO @@ -42,17 +36,23 @@ PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 +#MaxSessions 10 -#RSAAuthentication yes #PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -75,37 +75,40 @@ PermitRootLogin yes #GSSAPICleanupCredentials yes # Set this to 'no' to disable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass -PermitRootLogin yes +# the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM yes +#AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no +#ChrootDirectory none +#UseBlacklist no +#VersionAddendum FreeBSD-20200214 # no default banner path -#Banner /some/path +#Banner none # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server @@ -114,4 +117,5 @@ Subsystem sftp /usr/libexec/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server