From 66252cb498e09aa0e00c30802910bb602fdf5d41 Mon Sep 17 00:00:00 2001 From: Jean-Pierre PRUNARET Date: Thu, 21 Jul 2016 23:16:27 +0200 Subject: [PATCH] =?UTF-8?q?renforcement=20de=20la=20s=C3=A9curit=C3=A9=20p?= =?UTF-8?q?our=20les=20clients=20SSH?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- environment.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/environment.nix b/environment.nix index 099f271..37c8992 100644 --- a/environment.nix +++ b/environment.nix @@ -54,4 +54,16 @@ promptInit = builtins.readFile ./bash-prompt.sh; interactiveShellInit = builtins.readFile ./bash-interactive-init.sh; }; + + # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern + programs.ssh.extraConfig = '' + # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. + HashKnownHosts yes + # Host keys the client accepts - order here is honored by OpenSSH + HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 + + KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256 + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + ''; }