bsdlabs / ssh-hardening Goto Github PK

If the domain has DNSSEC, recommend the addition of an SSHFP record.

Per upstream sshaudit.com: SSH Client Hardening Guides

• Add client hardening for ~/.ssh/config for supported FreeBSD versions
• Record, confirm and document ssh-audit (PyPI) result reports

Let's wait a few hours/days to re-run all tests.

This will bring the tests back to green.

There have been issues with the uploading of new images to GCE (which is what Cirrus CI uses), see PR 272354.
Let's wait until the dust settles and re-run the failed tests.

The SSH Hardening Guides leverage 4096-bit RSA keys as standard. The command service sshd keygen produces a 3072-bit RSA key.

I acknowledge the practical security of the two (3072, 4096) still puts both of them in the realm of unbreakable.

We'd like FreeBSD SSH Server & Client Hardening Guides upstream and listed on sshaudit.com, ideally in the Official list (find out how).

Submission Instructions: https://github.com/jtesta/ssh-audit/wiki/SSH-Hardening-Guides-Index

Depends-On #2

Client auditing (ssh-audit -c) is not working on FreeBSD.

Upstream has changed the default RSA keys in favor of Ed25519 keys.
To appease a large segment of our audience, do the same for -CURRENT. This should allow us to achieve a 100% score

Add [email protected] and [email protected] to client14.md once libfido2 et al. are wired in (D32448, D32509)

• UsePAM no
• UseDNS no
• VersionAddendum none

For server config, just noting, that the key exchange algorithm diffie-hellman-group14-sha256 is listed as being present in the "Comparative table: Default vs. Hardened" under Hardened config, but it hasn't been included as a key exchange algorithm in the supplied command.