git: 9f6c794ee2ed - main - NanoBSD/rescue: Update to 20200214 OpenSSH configuration files

From: Warner Losh <imp_at_FreeBSD.org>
Date: Fri, 19 Nov 2021 05:57:06 UTC
The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9f6c794ee2ed91f65b570176d3eb729777817bc4

commit 9f6c794ee2ed91f65b570176d3eb729777817bc4
Author:     Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2021-07-16 17:17:30 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2021-11-19 05:55:46 +0000

    NanoBSD/rescue: Update to 20200214 OpenSSH configuration files
    
    No functional change intended.
---
 .../tools/nanobsd/rescue/Files/etc/ssh/ssh_config  | 19 ++++----
 .../tools/nanobsd/rescue/Files/etc/ssh/sshd_config | 52 ++++++++++++----------
 2 files changed, 39 insertions(+), 32 deletions(-)

diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config
index 07e4086bbbbb..e7d969abed25 100644
--- a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config
+++ b/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
+#	$OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
 #	$FreeBSD$
 
 # This is the ssh client system-wide configuration file.  See
@@ -21,8 +21,6 @@
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@@ -32,15 +30,20 @@
 #   AddressFamily any
 #   ConnectTimeout 0
 #   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_rsa
 #   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
 #   Port 22
-#   Protocol 2,1
-#   Cipher 3des
-#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+#   Protocol 2
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
 #   EscapeChar ~
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
-#   VersionAddendum FreeBSD-20061110
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   RekeyLimit 1G 1h
+#   VerifyHostKeyDNS yes
+#   VersionAddendum FreeBSD-20200214
diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config
index 96572d967e9b..23eec590c9eb 100644
--- a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config
+++ b/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 #	$FreeBSD$
 
 # This is the sshd server system-wide configuration file.  See
@@ -8,31 +8,25 @@
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
+# possible, but leave them commented.  Uncommented options override the
 # default value.
 
 # Note that some of FreeBSD's defaults differ from OpenBSD's, and
 # FreeBSD has a few additional options.
 
-#VersionAddendum FreeBSD-20061110
-
 #Port 22
-#Protocol 2
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
+# Ciphers and keying
+#RekeyLimit default none
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 
@@ -42,17 +36,23 @@
 PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
+#MaxSessions 10
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile	.ssh/authorized_keys
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
@@ -75,37 +75,40 @@ PermitRootLogin yes
 #GSSAPICleanupCredentials yes
 
 # Set this to 'no' to disable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will 
+# and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
-PermitRootLogin yes
+# the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM yes
 
+#AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+#PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
+#ChrootDirectory none
+#UseBlacklist no
+#VersionAddendum FreeBSD-20200214
 
 # no default banner path
-#Banner /some/path
+#Banner none
 
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
@@ -114,4 +117,5 @@ Subsystem	sftp	/usr/libexec/sftp-server
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
+#	PermitTTY no
 #	ForceCommand cvs server