Arch - jtesta/ssh-audit GitHub Wiki
Tested against:
- OpenSSH 10.2
Server
By default, Arch does not enable the SSH server (sshd). If you already have it enabled, you can skip the first step and proceed to the printf command. Note that the rendered page shows every algorithm name that carries an `@` suffix as `[email protected]`; copy the exact lists from the raw page source rather than from the rendered text, or sshd will reject the configuration.
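# Enable and start sshd (skip this line if the service is already running).
sudo systemctl enable sshd --now

# Write the hardened algorithm lists into a sshd_config.d snippet.
# NOTE(review): the "[email protected]" tokens below are the wiki renderer's
# e-mail obfuscation of algorithm names that carry an "@" suffix; they are not
# valid SSH algorithm names. Take the exact lists from the raw page before
# pasting, otherwise the "sshd -t" check further down will reject the file.
# The printf format string contains no "%" directives, so using it as the
# format argument is safe here.
printf "KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,[email protected],curve25519-sha256,[email protected]\nCiphers [email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr\nMACs [email protected],[email protected],[email protected]\nHostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\nCASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\nHostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\nPubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n" | sudo tee /etc/ssh/sshd_config.d/01-hardened-ssh.conf

# Replace all existing host keys with a fresh 4096-bit RSA key and an ed25519 key.
# Clients that already know this host will see a host-key-changed warning and
# must update their known_hosts. The steps are chained with && so a failed
# keygen never leaves sshd without any host key.
# NOTE(review): if the sshd unit regenerates missing key types on start
# (ssh-keygen -A), an ecdsa key may reappear on disk; it is not offered to
# clients because the HostKeyAlgorithms list above omits ecdsa — confirm
# against your unit file.
sudo rm -f /etc/ssh/ssh_host_* \
  && sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" \
  && sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

# Validate the merged configuration before restarting so a typo cannot lock
# you out of a remote host; keep the current session open until a new login
# has been verified.
sudo sshd -t && sudo systemctl restart sshd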
Client
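# Create ~/.ssh with owner-only permissions (with -p, -m only applies when
# mkdir actually creates the directory; an existing one keeps its mode) and
# append a global "Host *" block carrying the hardened algorithm lists.
# NOTE(review): the "[email protected]" tokens are the wiki renderer's e-mail
# obfuscation of "@"-suffixed algorithm names, not valid SSH algorithm names;
# take the exact lists from the raw page before pasting.
# Running this more than once appends a duplicate block. ssh keeps the first
# value it reads for each option, so Host blocks that already precede this
# one in the file retain precedence.
# The steps are chained with && so nothing is appended if mkdir fails, and
# the config is left owner-readable/writable only (ssh rejects a config file
# that is writable by other users).
mkdir -p -m 0700 ~/.ssh \
  && printf "\nHost *\n Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\n\n KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,[email protected],curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs [email protected],[email protected],[email protected]\n\n HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256\n\n PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256\n" >> ~/.ssh/config \
  && chmod 600 ~/.ssh/config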