A typical hardened setup uses the following changes in /etc/ssh/sshd_config:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
To actually make changes, we need to modify the current policy, which by default is called.... DEFAULT. The file that contains the crypto policy for sshd is /etc/crypto-policies/back-ends/opensshserver.config, which is a symbolic link to the default policy at /usr/share/crypto-policies/DEFAULT/opensshserver.txt, which we modify as:
CRYPTO_POLICY='-oCiphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com -oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256@libssh.org -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com'
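As an added check (not part of the original post): after editing the policy file and restarting sshd, what matters is the algorithm lists the daemon actually reports with `sshd -T`, and since the file under /usr/share is owned by the crypto-policies package, that is also worth re-checking after package updates. The POSIX shell script below compares those lists against the allowlist above; the two `sshd -T` dumps inside it are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: compare the algorithm lists that
# sshd actually offers (the `sshd -T` dump) with the intended allowlist.
# On a real host: check_sshd_policy "$(sshd -T)"

WANT_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'
WANT_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
WANT_KEX='curve25519-sha256@libssh.org'

# get_alg DUMP KEYWORD: print the value of one keyword from sshd -T output
get_alg() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# check_sshd_policy DUMP: return 0 if ciphers, macs and kexalgorithms equal
# the allowlist exactly (order included); otherwise print each mismatch
# and return 1
check_sshd_policy() {
    rc=0
    for pair in "ciphers=$WANT_CIPHERS" "macs=$WANT_MACS" "kexalgorithms=$WANT_KEX"; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(get_alg "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s\n  have: %s\n  want: %s\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample dumps (not captured from a real host). The first is what
# a host still on the stock policy might print, with SHA-1 MACs and a SHA-1
# key exchange still offered; the second is the hardened state.
SAMPLE_STOCK='port 22
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1'
SAMPLE_HARDENED='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256@libssh.org'

check_sshd_policy "$SAMPLE_STOCK" || echo 'stock policy: NOT hardened'
check_sshd_policy "$SAMPLE_HARDENED" && echo 'hardened policy: OK'
```

The comparison is exact and order-sensitive, so a host that offers the right algorithms in a different preference order is reported as a mismatch as well.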