Secure Secure Shell

Good combo (2017-10-12):

Ciphers

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.

LogLevel VERBOSE

Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.

Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l info

Use kernel sandbox mechanisms where possible in unprivileged processes

Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.

UsePrivilegeSeparation sandbox

AllowUsers pi

June 15, 2017 at 11:31:24 PM GMT+2 · permalink

https://stribika.github.io/2015/01/04/secure-secure-shell.html

Filters

Links per page

20 50 100