{"id":16606846,"url":"https://github.com/k4yt3x/ssh_config","last_synced_at":"2025-10-29T15:32:03.015Z","repository":{"id":106313829,"uuid":"302864866","full_name":"k4yt3x/ssh_config","owner":"k4yt3x","description":"K4YT3X's Hardened OpenSSH Client Configuration","archived":false,"fork":false,"pushed_at":"2024-11-07T23:19:50.000Z","size":31,"stargazers_count":9,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-02-02T02:41:22.454Z","etag":null,"topics":["hardening","linux","openssh","security","ssh"],"latest_commit_sha":null,"homepage":"https://k4t.io/ssh","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/k4yt3x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-10T09:26:36.000Z","updated_at":"2024-11-07T23:19:54.000Z","dependencies_parsed_at":"2023-12-21T07:58:02.443Z","dependency_job_id":"62eef171-d67d-4fe0-b78f-0046fd382ee9","html_url":"https://github.com/k4yt3x/ssh_config","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k4yt3x%2Fssh_config","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k4yt3x%2Fssh_config/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k4yt3x%2Fssh_config/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k4yt3x%2Fssh_config/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/k4yt3x","downlo
ad_url":"https://codeload.github.com/k4yt3x/ssh_config/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238848269,"owners_count":19540852,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hardening","linux","openssh","security","ssh"],"created_at":"2024-10-12T01:10:28.640Z","updated_at":"2025-10-29T15:32:02.594Z","avatar_url":"https://github.com/k4yt3x.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# K4YT3X's Hardened OpenSSH Client Configuration\n\nThis repository hosts my hardened version of OpenSSH client (\u003e=8.5) configuration file. You will need to modify the configuration according to the error messages if you want to use this configuration for older versions of OpenSSH.\n\n**Please review the configuration file carefully before applying it.** You are responsible for actions done to your own systems. For example, you might want to enable `GSSAPIAuthentication` if you use Kerberos authentication.\n\nIn addition to this configuration, you may also want to check out the [SSH Hardening Guides](https://www.ssh-audit.com/hardening_guides.html).\n\n## Usages\n\nFor convenience, I have pointed the URL `https://kt.ax/ssh` to the `ssh_config` file. You may therefore download the `ssh_config` file with the following command. 
However, be sure to check the file's integrity after downloading it if you choose to download using this method.\n\n```shell\ncurl -L kt.ax/ssh -o ssh_config\n```\n\n### Method 1: Use as System Default\n\nYou can install this config to `/etc/ssh/ssh_config` to make variables in this configuration the system-wide default values. You may use this method if you would like all users to use these secure settings by default (e.g., as a system administrator).\n\n```shell\n# download the configuration file from GitHub using curl or other methods\ncurl https://raw.githubusercontent.com/k4yt3x/ssh_config/master/ssh_config -o ~/ssh_config\n\n# backup the original ssh_config\nsudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config.backup\n\n# edit the original ssh_config file and append the contents of the config file\nsudo vim /etc/ssh/ssh_config\n\n# alternatively, if you are certain that the old config file is useless\n#   you may replace the old ssh_config with the new one\nsudo mv ~/ssh_config /etc/ssh/ssh_config\n\n# make sure the file has the correct ownership and permissions\nsudo chown root:root /etc/ssh/ssh_config\nsudo chmod 644 /etc/ssh/ssh_config\n```\n\n### Method 2: Use as User Default\n\nYou may also install this configuration file for the current user, which overwrites the system default values. 
You may use this method if you do not have the permissions to change the default configuration file or if you prefer to leave the default values be.\n\n```shell\n# download the configuration file from GitHub using curl or other methods\ncurl https://raw.githubusercontent.com/k4yt3x/ssh_config/master/ssh_config -o ~/ssh_config\n\n# backup the original ssh_config\ncp ~/.ssh/config ~/.ssh/config.backup\n\n# edit the original ssh_config file and append the contents of the config file\nvim ~/.ssh/config\n\n# alternatively, if you are certain that the old config file is useless\n#   you may replace the old ssh_config with the new one\nmv ~/ssh_config ~/.ssh/config\n```\n\n## Deactivating Short Diffie-Hellman Moduli\n\nDiffie-Hellman moduli used for `diffie-hellman-group-exchange-sha256` should be at least 3072 bits long according to [Mozilla's OpenSSH server hardening guide](https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67). This can be done with the following commands.\n\n```shell\n# backup original moduli file\ncp /etc/ssh/moduli /etc/ssh/moduli.backup\n\n# find lines with moduli \u003e= 3071 bits and save them to moduli.tmp\nawk '$5 \u003e= 3071' /etc/ssh/moduli \u003e /etc/ssh/moduli.tmp\n\n# overwrite original moduli file with the updated one\nmv /etc/ssh/moduli.tmp /etc/ssh/moduli\n```\n\n### Verifying the Changes\n\nYou may want to use the [ssh-audit](https://github.com/jtesta/ssh-audit) script to check your SSH client's cryptographic strength after you are done configuring it. 
If you're paranoid like me, you can also run ssh-audit in a Docker container.\n\n```shell\n# clone the repository\ngit clone https://github.com/jtesta/ssh-audit ~/ssh-audit\n\n# launch ssh-audit and listen to local port 2222\npython3 ~/ssh-audit/ssh-audit.py -c\n\n# connect to ssh-audit and check the audit results\nssh -p 2222 127.0.0.1\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk4yt3x%2Fssh_config","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk4yt3x%2Fssh_config","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk4yt3x%2Fssh_config/lists"}