Commit 64359e2e authored by nimrod

SSH security.

- Replace the RSA key for GitHub with an ed25519 one.
- Refactor the security configuration in 99_default. Make them easier to
  maintain by specifying what *not* to use.
- In the OpenSSH 8.5 release notes it is mentioned that the ssh-rsa
  signature scheme will be deprecated. Be proactive and disable it.
- Replace the RSA key for *.shore.co.il with an ed25519 one (keep the
  ecdsa so as not to have just a single key). Keep it for ea6350; Dropbear in
  OpenWRT 19.07 doesn't support other key types.
parent 7616adf6
+1 −1
@@ -4,4 +4,4 @@

Host github.com
User git
IdentityFile ~/Documents/github_rsa
IdentityFile ~/Documents/github_ed25519
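Review bot: the switch from `~/Documents/github_rsa` to `~/Documents/github_ed25519` only changes which key the client offers; the old RSA public key stays authorized on the GitHub account until it is removed there, and the new ed25519 public key must already be registered or pushes as `git` will start failing. Worth a line in the commit message, plus a quick `ssh -T git@github.com` after the change to confirm the new key is the one accepted.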
+3 −2
@@ -9,13 +9,14 @@ Host host01.shore.co.il ns4.shore.co.il
LocalForward 9090 localhost:9090

Host ea6350.shore.co.il
IdentityFile ~/Documents/Shore/shore_rsa
User root
LocalForward 8080 localhost:80

Host git.shore.co.il
IdentityFile ~/Documents/Shore/gitlab_ed25519
HostName host01.shore.co.il
Port 2222
IdentityFile ~/Documents/Shore/gitlab_ed25519

Host cgit.shore.co.il
HostName host01.shore.co.il
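Review bot: `ea6350.shore.co.il` keeps `IdentityFile ~/Documents/Shore/shore_rsa` because, per the commit message, Dropbear in OpenWRT 19.07 offers nothing else, yet the same commit removes `ssh-rsa` from `PubkeyAcceptedKeyTypes` and `HostKeyAlgorithms` in 99_default for every host. If that server only speaks the SHA-1 `ssh-rsa` scheme for its host key or for user authentication, this client will no longer connect to it; add per-host overrides in this block (for example `HostKeyAlgorithms +ssh-rsa` and `PubkeyAcceptedKeyTypes +ssh-rsa`), which take effect provided this file is included before 99_default, since ssh_config keeps the first value obtained for each option. The `IdentityFile` move above `HostName` in the `git.shore.co.il` block is cosmetic; option order inside one Host block has no effect.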
@@ -26,5 +27,5 @@ Port 2222

Host *.shore.co.il 192.168.3.*
IdentityFile ~/Documents/Shore/shore_ecdsa
IdentityFile ~/Documents/Shore/shore_rsa
IdentityFile ~/Documents/Shore/shore_ed25519
User nimrod
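Review bot: `Host *.shore.co.il 192.168.3.*` also matches `ea6350.shore.co.il`, and `IdentityFile` accumulates across every matching block, so that host will now offer `shore_rsa`, `shore_ecdsa` and `shore_ed25519` in that order; harmless, but each extra key costs one attempt against the server's `MaxAuthTries`. Keys are tried in the listed order, so if ed25519 is meant to be the primary key, as the commit message suggests, put `shore_ed25519` before `shore_ecdsa`.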
+12 −6

# vim:ft=sshconfig
# Copied from
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH?source=techstories.org#Modern
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Based on:
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern
# but instead of specifying what to use (more maintenance especially with
# different OSes and releases), specify what not to use. The baseline is
# ElementaryOS Hera, aka Ubuntu Bionic.
# http://manpages.ubuntu.com/manpages/bionic/en/man5/ssh_config.5.html
Ciphers -aes128-cbc,aes192-cbc,aes256-cbc
HostbasedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com
HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
KexAlgorithms -diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1
PubkeyAcceptedKeyTypes -ssh-rsa-cert-v01@openssh.com,ssh-rsa
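Review bot: `-ssh-rsa` in `HostKeyAlgorithms` and `PubkeyAcceptedKeyTypes` removes only the SHA-1 signature scheme; `rsa-sha2-256` and `rsa-sha2-512` stay in the default list, so existing RSA keys keep working against servers that support them, and the comment block should say so to avoid a later "why does my RSA key still work" surprise. Two smaller points: `HostbasedKeyTypes` has no effect without `HostbasedAuthentication yes`, which is not set here, and because the subtractive form inherits whatever the installed OpenSSH defaults are, the effective set changes silently on upgrade; recording `ssh -G <host>` in the comment as the way to check the resulting `ciphers`, `kexalgorithms`, `macs`, `hostkeyalgorithms` and `pubkeyacceptedkeytypes` values would make the stated maintenance goal verifiable.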