Welcome to ssh-hardening Discussions!

[jlduran]

👋 Welcome!

We’re using Discussions as a place to connect with other members of our community. We hope that you:

• Ask questions you’re wondering about.
• Share ideas.
• Engage with other community members.
• Welcome others and are open-minded. Remember that this is a community we
  build together 💪.

To get started, comment below with an introduction of yourself and tell us about what you do with this community.

[jauntyd]

Hello:
Long time member of this community with not much to speak of for contributions. Anyways, I am a long-time FreeBSD user that uses the (best) OS on a daily basis, on all computers that I own. I value the diversity and inclusive nature of FreeBSD and seek to assist in a productive manner with this discussion.

[joe81tx]

FreeBSD 15.0-RELEASE was officially announced as available today with the note:
OpenSSH has been upgraded to 10.0p2 which includes support for quantum-resistant key agreement by default.

I noticed your current guide covers OpenSSH 9.9 and was updated at the end of June. Are there any changes needed to your guide in order to take advantage of OpenSSH 10.0 and the quantum-resistant key agreement?

[jlduran]

I may need to update the guides for OpenSSH 10.0. Thank you for reminding me!

[jlduran]

Done!

[joe81tx]

What are your thoughts on using /etc/rc.conf instead of modifying /etc/ssh/sshd_config? From what I understand it follows the FreeBSD philosophy of keeping modifications in rc.conf and not touching the default config which could require merging with system updates. Sorry to keep hijacking this thread, I don't have permission to create a new discussion.

sysrc sshd_flags="-o UseDNS=no -o VersionAddendum=none -o KexAlgorithms=sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org -o Ciphers=aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr -o MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com -o HostKeyAlgorithms=sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 -o CASignatureAlgorithms=sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 -o HostbasedAcceptedAlgorithms=sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 -o PubkeyAcceptedAlgorithms=sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256"

[jlduran]

Yes, you can do that as well.
While it is a good idea, this was created to mimic the SSH hardening guides: https://www.sshaudit.com/hardening_guides.html