git: 9f6c794ee2ed - main - NanoBSD/rescue: Update to 20200214 OpenSSH configuration files
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 19 Nov 2021 05:57:06 UTC
The branch main has been updated by imp:
URL: https://cgit.FreeBSD.org/src/commit/?id=9f6c794ee2ed91f65b570176d3eb729777817bc4
commit 9f6c794ee2ed91f65b570176d3eb729777817bc4
Author: Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2021-07-16 17:17:30 +0000
Commit: Warner Losh <imp@FreeBSD.org>
CommitDate: 2021-11-19 05:55:46 +0000
NanoBSD/rescue: Update to 20200214 OpenSSH configuration files
No functional change intended.
---
.../tools/nanobsd/rescue/Files/etc/ssh/ssh_config | 19 ++++----
.../tools/nanobsd/rescue/Files/etc/ssh/sshd_config | 52 ++++++++++++----------
2 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config
index 07e4086bbbbb..e7d969abed25 100644
--- a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config
+++ b/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
+# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
# $FreeBSD$
# This is the ssh client system-wide configuration file. See
@@ -21,8 +21,6 @@
# Host *
# ForwardAgent no
# ForwardX11 no
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -32,15 +30,20 @@
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+# Protocol 2
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
-# VersionAddendum FreeBSD-20061110
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+# VerifyHostKeyDNS yes
+# VersionAddendum FreeBSD-20200214
diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config
index 96572d967e9b..23eec590c9eb 100644
--- a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config
+++ b/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# $FreeBSD$
# This is the sshd server system-wide configuration file. See
@@ -8,31 +8,25 @@
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
+# possible, but leave them commented. Uncommented options override the
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
-#VersionAddendum FreeBSD-20061110
-
#Port 22
-#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
+# Ciphers and keying
+#RekeyLimit default none
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
@@ -42,17 +36,23 @@
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
+#MaxSessions 10
-#RSAAuthentication yes
#PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -75,37 +75,40 @@ PermitRootLogin yes
#GSSAPICleanupCredentials yes
# Set this to 'no' to disable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
+# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
-PermitRootLogin yes
+# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
+#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
+#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
#PermitTunnel no
+#ChrootDirectory none
+#UseBlacklist no
+#VersionAddendum FreeBSD-20200214
# no default banner path
-#Banner /some/path
+#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
@@ -114,4 +117,5 @@ Subsystem sftp /usr/libexec/sftp-server
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
+# PermitTTY no
# ForceCommand cvs server