From 20e8e8beaa3858007d9145439aab2ec1cc16ace4 Mon Sep 17 00:00:00 2001 From: Jean-Pierre PRUNARET Date: Thu, 21 Jul 2016 23:38:59 +0200 Subject: [PATCH] =?UTF-8?q?renforcement=20serveur=20SSH=20en=20forcant=20l?= =?UTF-8?q?es=20algos=20r=C3=A9cents=20(selon=20mozilla)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- environment.nix | 1 + services.nix | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/environment.nix b/environment.nix index 37c8992..a0c051c 100644 --- a/environment.nix +++ b/environment.nix @@ -22,6 +22,7 @@ gnupg # GPG gpm # prise en charge de la souris en console htop # monitoring + #libressl # librairie pour faire du TLS et les algorithmes de crypto par OpenBSD ncdu # outil pour voir l'espace utilisé nmap # outil de scan de port réseau mtr # outil de diagnostic réseau diff --git a/services.nix b/services.nix index 94fdbef..667c707 100644 --- a/services.nix +++ b/services.nix @@ -13,6 +13,19 @@ ## OpenSSH daemon services.openssh = { enable = true; + # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29 + extraConfig = '' + KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + + # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. + LogLevel VERBOSE + + # Use kernel sandbox mechanisms where possible in unprivilegied processes + # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. + UsePrivilegeSeparation sandbox + ''; }; # Monitoring