Date: Sat, 04 Apr 2026 20:08:34 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Freebsd Arch <freebsd-arch@freebsd.org>
Subject: Stronger ssh settings
Message-ID: <7655dcd5cbd65d9276213dd8d2a25552@Leidinger.net>
Hi,

I propose to extend our ssh config (and maybe other configs) regarding
- settings for government standards
- improved FreeBSD defaults

Both of them are sort of about the same thing, and at the same time independent from each other, as such I haven't split it up here. In the example below, I have a patch for improved FreeBSD defaults, and an example of the German BSI recommendation for ssh.

I would like to get an idea if one or both is considered a welcome change (there was at least a discussion about improved settings in the lists long ago, which was in favour, but no patch), and if yes, additional settings for e.g. FIPS or whatever, and a discussion of what the improved FreeBSD defaults should be (I simply included what I use on my systems, and they should work for connections from and to all supported FreeBSD releases, as I have had them like that for a long time; an alternative would be to use the exclude syntax instead).

My example regarding the topic, but not necessarily those settings in particular:

---snip--- diff --git crypto/openssh/ssh_config crypto/openssh/ssh_config index cc5663562e95..6ee056876e05 100644 --- crypto/openssh/ssh_config +++ crypto/openssh/ssh_config 
@@ -17,6 +17,29 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. +### FreeBSD ### +HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr +MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com +KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 +RekeyLimit 1G 1h +### end FreeBSD ### + +### BSI TR-02102-4 as of 2026-01-26 ### +# KexAlgorithms: non-mlkem use up to 2031 +#KexAlgorithms diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,mlkem768x25519-sha256 +#RekeyLimit 1G 1h + +# Ciphers: use up to 2032+ +#Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + +# MACs: use up to 2032+ +#MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com + +# PubkeyAcceptedAlgorithms: use upto 2032+ +#PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 +### end BSI TR-02102-4 ### + # Host * # ForwardAgent no # ForwardX11 no diff --git crypto/openssh/sshd_config crypto/openssh/sshd_config index 708be7fe2870..7e391e7271be 100644 --- crypto/openssh/sshd_config +++ crypto/openssh/sshd_config 
@@ -110,6 +110,29 @@ AuthorizedKeysFile .ssh/authorized_keys #UseBlocklist no #VersionAddendum FreeBSD-20250801 +### FreeBSD ### +HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr +MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com +KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 +RekeyLimit 1G 1h +### end FreeBSD ### + +### BSI TR-02102-4 as of 2026-01-26 ### +# KexAlgorithms: non-mlkem use up to 2031 +#KexAlgorithms diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,mlkem768x25519-sha256 +#RekeyLimit 1G 1h + +# Ciphers: use up to 2032+ +#Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + +# MACs: use up to 2032+ +#MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com + +# PubkeyAcceptedAlgorithms: use up to 2032+ +#PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 +### end BSI TR-02102-4 ### + # no default banner path #Banner none ---snip--- Bye, Alexander. 
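Review bot: the client-side `+HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519` line in the ssh_config hunk lists no `*-cert-v01@openssh.com` type, so a client with this default cannot verify a server that presents an OpenSSH host certificate, and it refuses any server whose only host key is ECDSA; since the BSI block right below it does carry the `-cert-v01` forms in its `#PubkeyAcceptedAlgorithms` value, the omission looks unintended rather than a policy choice. The FreeBSD `+Ciphers`, `+MACs` and `+KexAlgorithms` lines in the same hunk are absolute lists (no `^`, `+` or `-` prefix), so they silently drop anything upstream adds later, which already includes `mlkem768x25519-sha256`, named in the commented BSI `#KexAlgorithms` line; the exclude syntax mentioned in the cover mail, or adding `mlkem768x25519-sha256` explicitly, would avoid that. Two nits in the BSI block: the comment reads `# PubkeyAcceptedAlgorithms: use upto 2032+` (the sshd_config copy says `up to`), and the `#PubkeyAcceptedAlgorithms` value repeats `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384` and `ecdsa-sha2-nistp521` at its end.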
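Review bot: on the server side the `+HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519` line in the sshd_config hunk has the mirror-image effect: an ECDSA `HostKey` configured on the machine is never offered, and a `HostCertificate` cannot be offered either because no `-cert-v01@openssh.com` type is listed, so clients that recorded only the ECDSA key in known_hosts are prompted for the host key again after the upgrade (or refused under `StrictHostKeyChecking yes`); that should be called out in the commit message or UPDATING, or the list extended with the cert forms. Minor: with `chacha20-poly1305@openssh.com` and the two `-gcm` ciphers first in `+Ciphers`, the `+MACs` line only takes effect for the `-ctr` fallbacks, since AEAD ciphers ignore the negotiated MAC; a one-line comment would stop someone tightening MACs expecting it to cover every session. As in the ssh_config hunk, the commented `#PubkeyAcceptedAlgorithms` value lists the three plain `ecdsa-sha2-nistp*` names twice.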
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
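The cover mail asks whether the hard-coded algorithm lists work "from and to all supported FreeBSD releases"; an OpenSSH build that does not know a name in a `Ciphers`, `MACs`, `KexAlgorithms` or `HostKeyAlgorithms` line rejects the line at parse time, so the practical check is to compare each list with what `ssh -Q kex|cipher|mac|key` reports on every release the config will ship on. The following POSIX sh script does that comparison. It is an added example, not part of Alexander's patch or of the FreeBSD tree: `proposed_config` copies the FreeBSD block from the ssh_config hunk, and `fake_query` is a constructed stand-in for an older build that lacks the sntrup761x25519 key exchange (an assumption for illustration, not the output of any real release); run it with `--live` to query the local `ssh` instead.

```shell
#!/bin/sh
# Added example (not from the patch): verify that every algorithm named in a
# config fragment is known to the OpenSSH build that will parse it.

# The FreeBSD block of the proposed ssh_config, copied as the input to check.
proposed_config() {
cat <<'EOF'
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
EOF
}

# Constructed stand-in for `ssh -Q <type>` on an older build (an assumption,
# not the output of any particular release): it knows everything in the block
# above except the sntrup761x25519 key exchange.
fake_query() {
  case "$1" in
    kex) printf '%s\n' curve25519-sha256 curve25519-sha256@libssh.org \
           diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 \
           diffie-hellman-group18-sha512 diffie-hellman-group14-sha256 ;;
    cipher) printf '%s\n' chacha20-poly1305@openssh.com aes256-gcm@openssh.com \
              aes128-gcm@openssh.com aes256-ctr aes128-ctr ;;
    mac) printf '%s\n' umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com \
           hmac-sha2-512-etm@openssh.com ;;
    key) printf '%s\n' rsa-sha2-512 rsa-sha2-256 ssh-ed25519 ;;
  esac
}

# Map a config keyword to the name `ssh -Q` expects.
query_for() {
  case "$1" in
    KexAlgorithms) echo kex ;;
    Ciphers) echo cipher ;;
    MACs) echo mac ;;
    HostKeyAlgorithms|PubkeyAcceptedAlgorithms) echo key ;;
    *) return 1 ;;
  esac
}

# unsupported LIST SUPPORTED
# LIST is the value as written in the config, optionally prefixed with ^, +
# or - (prepend / append / remove forms); SUPPORTED is newline-separated.
# Prints every name in LIST that is absent from SUPPORTED, one per line.
# A "-" remove list is checked just as strictly, which is the conservative side.
unsupported() {
  list=$(printf '%s' "$1" | sed 's/^[-+^]//')
  supported=$2
  printf '%s\n' "$list" | tr ',' '\n' | while IFS= read -r name; do
    [ -n "$name" ] || continue
    printf '%s\n' "$supported" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# check_config CONFIG_TEXT QUERY_CMD
# QUERY_CMD is run with the -Q name (e.g. "ssh -Q" or fake_query). Prints
# "Keyword: name" for each unsupported entry; returns 1 if any were found.
check_config() {
  config=$1
  query=$2
  rc=0
  while read -r key value; do
    case "$key" in ''|'#'*) continue ;; esac   # skip blanks and comments
    q=$(query_for "$key") || continue            # keywords we do not check
    supported=$($query "$q")
    for name in $(unsupported "$value" "$supported"); do
      printf '%s: %s\n' "$key" "$name"
      rc=1
    done
  done <<EOF
$config
EOF
  return $rc
}

# `sh check_ssh_algos.sh --live` queries the local ssh; otherwise use the
# constructed older build, which reports the sntrup761x25519 entry.
if [ "${1:-}" = "--live" ] && command -v ssh >/dev/null 2>&1; then
  check_config "$(proposed_config)" "ssh -Q" && echo "all algorithms known to $(command -v ssh)"
else
  check_config "$(proposed_config)" fake_query || echo "(rejected by the constructed older build)"
fi
```

Run the `--live` form on each release's `ssh` (and, for the server side, feed the sshd_config fragment to `sshd -t -f <file>`, which parses the whole file with the real option validator) before settling on an absolute list; the exclude form mentioned in the mail sidesteps the problem for names an older build never had, but not for a name it has and you want to keep.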
