
  • Advice on Certificates used (SSHD)

    I used OpenVAS to check my security and started to modify my sshd_config to exclude known risks. I thought I had managed to increase the security level by lowering the risk via this config.
    But I ran into a challenge tonight where I was no longer able to log in via SSH (after a power failure on the machine). In the end everything was working except SSH. Via the command line and systemctl -xe I found that the lines starting with a ? were causing the issue. They are currently not active, so I have access, but I would still like to have a secure platform.
    I know that these settings depend on the situation you are in (in reference to the algorithms used on other machines), but I don't have that.

    Most of the info on the internet (how to set it up, including examples) doesn't provide a date stamp. In other words, it can be outdated. Can someone advise what the best config is at the moment (March 2022)?



    AddressFamily inet

    HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key

    # Ciphers and keying
    #RekeyLimit default none

    #ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    ?MACs AnyStd:
    #MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    ?KexAlgorithms AnyStd:
    # KexAlgorithms diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
    ?SSLProtocol all -SSLv2 -SSLv3
    ?SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!EXP:+eNULL:!SSLv2:!SSLv3
    ?ssl_prefer_server_ciphers off;
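
The script below is an added example, not part of the original post or of any OpenSSH documentation. It reproduces the crypto-related lines of the posted config as constructed input, lints them for the two problems visible in the post (the `?`-prefixed lines, which are not sshd_config syntax and make sshd refuse to start, and the `SSLProtocol`/`SSLCipherSuite`/`ssl_prefer_server_ciphers` lines, which are Apache mod_ssl and nginx directives rather than sshd keywords), and places a corrected fragment next to it that only uses algorithm names OpenSSH implements. The file names, the lint rules and the choice of algorithms in the corrected fragment are this example's own; the authoritative check remains `sshd -t`, which the script runs when an sshd binary is available.

```shell
#!/bin/sh
# Added example (not from the post): lint an sshd_config fragment for lines
# that will stop sshd from starting, then show a corrected fragment.
# File names and lint rules are this example's own choices.
set -eu

WORKDIR=$(mktemp -d)
BAD_FILE="$WORKDIR/sshd_config.posted"
GOOD_FILE="$WORKDIR/sshd_config.corrected"

# Constructed input: the crypto-related lines of the posted config. Lines
# beginning with "?" are not sshd_config syntax (sshd rejects the unknown
# keyword and exits); SSLProtocol, SSLCipherSuite and
# ssl_prefer_server_ciphers are Apache mod_ssl / nginx directives.
cat > "$BAD_FILE" <<'EOF'
AddressFamily inet
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
?MACs AnyStd:
#MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
?KexAlgorithms AnyStd:
# KexAlgorithms diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
?SSLProtocol all -SSLv2 -SSLv3
?SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!EXP:+eNULL:!SSLv2:!SSLv3
?ssl_prefer_server_ciphers off;
EOF

# Corrected fragment: same intent, using names OpenSSH actually implements.
# Verify on the target host with: ssh -Q cipher; ssh -Q mac; ssh -Q kex
cat > "$GOOD_FILE" <<'EOF'
AddressFamily inet
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
EOF

# lint_sshd_config FILE: one line per finding; empty output means clean.
lint_sshd_config() {
    awk '
    /^[[:space:]]*#/ { next }                     # comment line
    NF == 0          { next }                     # blank line
    {
        kw = $1; val = ""
        for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
        where = FILENAME ":" NR ": "
        if (substr(kw, 1, 1) == "?") {
            print where "leading \"?\" is not sshd_config syntax: " kw
            kw = substr(kw, 2)
        }
        lc = tolower(kw)
        if (lc ~ /^ssl/) {
            print where kw " is a web-server TLS directive, not an sshd keyword"
            next
        }
        if (lc ~ /^(ciphers|macs|kexalgorithms|hostkeyalgorithms)$/) {
            if (val ~ /AnyStd/)
                print where "AnyStd is not an OpenSSH algorithm name (" kw ")"
            if (val ~ /(-cbc|arcfour|3des|hmac-md5|hmac-sha1|ripemd160|umac-64|group1-sha1|group14-sha1|group-exchange-sha1)/)
                print where kw " lists a deprecated or weak algorithm"
        }
    }' "$1"
}

# count_findings FILE: number of lint findings, printed on stdout.
count_findings() {
    lint_sshd_config "$1" | awk 'END { print NR }'
}

# check_with_sshd FILE: the authoritative check. Needs the HostKey files to be
# readable (normally root); only reports when sshd is not installed here.
check_with_sshd() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed here; skipping sshd -t for $1"
        return 0
    fi
    if sshd -t -f "$1" 2>&1; then
        echo "sshd -t accepted $1"
    else
        echo "sshd -t rejected $1 (see message above)"
    fi
}

echo "== posted fragment: $(count_findings "$BAD_FILE") finding(s)"
lint_sshd_config "$BAD_FILE"
echo "== corrected fragment: $(count_findings "$GOOD_FILE") finding(s)"
lint_sshd_config "$GOOD_FILE"
check_with_sshd "$BAD_FILE"
check_with_sshd "$GOOD_FILE"
```

Two practical caveats when applying a fragment like the corrected one: every name in `Ciphers`, `MACs` and `KexAlgorithms` must appear in the output of `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` on that host, otherwise sshd will again refuse to start, and the config should be checked with `sshd -t` from a session that stays open before `systemctl restart sshd` is issued, so a mistake does not lock you out a second time.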