I recently came across security/py-ssh-audit@py38. Wielding this tool showed a lot to be improved.
Adding the four lines below to /etc/ssh/sshd_config, and preferably also to /etc/ssh/ssh_config, should make your OpenSSH on FreeBSD more suitable to the current threats. This should also be true for OpenSSH 8.7p1, recently added to FreeBSD -CURRENT.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
Note, this configuration is only based on what is recommended by the tool. Both it and myself could be dead wrong. You have been warned!
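To see why ssh-audit flags a given setup, and to check a sshd_config before restarting sshd, here is a small checker. It is an added example, not code from the post above and not part of ssh-audit. The ALLOWED sets are my assumption: the algorithms from the post's four lines, except that diffie-hellman-group14-sha256 is left out because its 2048-bit modulus gives only about 112 bits of security, which is what ssh-audit warns about. The REASONS table, and both sample configs, are constructed for the example; the parsing follows sshd's documented rules (case-insensitive keywords, first occurrence wins, Match blocks are conditional).

```python
"""Audit the four algorithm directives of an sshd_config against an allowlist.

Added example, not code from the post above or from ssh-audit. ALLOWED is an
assumption: the algorithm sets from the post's four lines, minus
diffie-hellman-group14-sha256 (2048-bit modulus, roughly 112-bit security).
"""
import re

DIRECTIVES = ("ciphers", "hostkeyalgorithms", "kexalgorithms", "macs")

ALLOWED = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "hostkeyalgorithms": {"ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                      "diffie-hellman-group-exchange-sha256"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}

# Why an algorithm outside ALLOWED is weak, keyed by substring; first hit wins.
REASONS = [
    ("3des", "64-bit block cipher (Sweet32)"),
    ("arcfour", "RC4"),
    ("-cbc", "CBC mode (plaintext-recovery attacks on SSH CBC)"),
    ("ssh-dss", "DSA, 1024-bit keys only"),
    ("ssh-rsa", "RSA signature with SHA-1"),
    ("nistp", "NIST P-curve"),
    ("sha1", "SHA-1"),
    ("md5", "MD5"),
    ("umac-64", "64-bit MAC tag"),
    ("diffie-hellman-group14-sha256", "2048-bit modulus, ~112-bit security"),
    ("hmac-sha2", "encrypt-and-MAC; prefer the -etm@openssh.com variant"),
]


def parse_sshd_config(text):
    """Map each directive of interest to its value in the global section.

    sshd semantics: keywords are case-insensitive, the FIRST occurrence wins,
    '#' starts a comment, and both 'Key value' and 'Key=value' are accepted.
    Settings inside a Match block apply only conditionally, so parsing stops
    at the first Match line.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in DIRECTIVES and key not in found:
            found[key] = value
    return found


def audit(text):
    """Return {directive: [finding, ...]}; an empty list means it passes."""
    report = {}
    config = parse_sshd_config(text)
    for name in DIRECTIVES:
        value = config.get(name)
        if value is None:
            report[name] = ["not set: sshd's built-in default list applies"]
            continue
        findings = []
        # A leading '+', '-' or '^' appends to, removes from or prepends to the
        # default list, so the effective set cannot be judged from the file alone.
        if value[0] in "+-^":
            findings.append("edits the default list with '%s'; check `sshd -T`" % value[0])
            value = value[1:]
        for alg in value.split(","):
            alg = alg.strip().lower()
            if alg in ALLOWED[name]:
                continue
            why = next((r for needle, r in REASONS if needle in alg),
                       "not in the hardened allowlist")
            findings.append("%s: %s" % (alg, why))
        report[name] = findings
    return report


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
Port 22
Ciphers aes256-gcm@openssh.com,aes128-ctr,aes256-cbc,3des-cbc
Ciphers chacha20-poly1305@openssh.com   # ignored: the first Ciphers line wins
HostKeyAlgorithms ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
Match User backup
    MACs hmac-md5
"""

HARDENED_CONFIG = """\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("== %s ==" % label)
        for directive, findings in audit(cfg).items():
            print("  %-18s %s" % (directive, "OK" if not findings else ""))
            for f in findings:
                print("      - %s" % f)
```

Two practical points the script only hints at: a directive that is absent, or that starts with +, - or ^, means sshd's compiled-in defaults are in play, and the only reliable way to see the resulting lists is `sshd -T` (run as root), which prints the effective configuration after defaults and includes. `ssh -Q cipher`, `ssh -Q kex`, `ssh -Q mac` and `ssh -Q key` show what the installed binary supports at all, so any name you put in the config that is missing from those lists will simply be rejected at startup.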
https://www.ssh-audit.com/ to scan a system using the “Hardened OpenSSH Server v8.5 (version 1)” policy, the KexAlgorithms line should read:
We are omitting