SSH updates

peterbraden · Jun 17, 2016 · 7572828 · 7572828
1 parent f98e05c
commit 7572828
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 5 deletions.
diff --git a/osx/com.googlecode.iterm2.plist b/osx/com.googlecode.iterm2.plist
@@ -1137,7 +1137,7 @@
 	<key>SUHasLaunchedBefore</key>
 	<true/>
 	<key>SULastCheckTime</key>
-	<date>2016-04-05T14:47:09Z</date>
+	<date>2016-06-08T17:14:24Z</date>
 	<key>SavePasteHistory</key>
 	<false/>
 	<key>ShowBookmarkName</key>
@@ -1171,7 +1171,7 @@
 	<key>WebKitDefaultFontSize</key>
 	<integer>11</integer>
 	<key>WebKitStandardFont</key>
-	<string>.Helvetica Neue DeskInterface</string>
+	<string>.AppleSystemUIFont</string>
 	<key>WindowNumber</key>
 	<true/>
 	<key>WindowStyle</key>

diff --git a/ssh/ssh_config b/ssh/ssh_config
@@ -0,0 +1,22 @@
+
+# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.
+Host github.com
+    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+
+Host *.onion
+    ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050
+
+
+Host *
+    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+    PasswordAuthentication no
+    ChallengeResponseAuthentication no
+    PubkeyAuthentication yes
+    UseRoaming no
+
+# REFERENCES:
+# - https://stribika.github.io/2015/01/04/secure-secure-shell.html
+
diff --git a/ssh/sshd_config b/ssh/sshd_config
@@ -4,10 +4,14 @@
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
- 
+
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+# TODO[https://stribika.github.io/2015/01/04/secure-secure-shell.html] KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
 
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#TODO Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
 
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
@@ -33,7 +37,11 @@ UsePrivilegeSeparation sandbox
 # IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
 # "PasswordAuthentication no" is not sufficient!
 #RequiredAuthentications2 publickey,keyboard-interactive:skey
-#PasswordAuthentication no
-#ChallengeResponseAuthentication yes
+
+#TODO PasswordAuthentication no
+#TODO ChallengeResponseAuthentication no
+
 # Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
 #UseLogin no
+
+# TODO AllowGroups ssh-user