diff --git a/FreeBSD-OpenSSH-Hardening-Guides.md b/FreeBSD-OpenSSH-Hardening-Guides.md
index 2ae3aa1..050b9f1 100644
--- a/FreeBSD-OpenSSH-Hardening-Guides.md
+++ b/FreeBSD-OpenSSH-Hardening-Guides.md
@@ -4,20 +4,6 @@
# Server
-## Backup ssh config, install ssh-audit
-
- sudo -s # we need root for most of this
- cp -a /etc/ssh /etc/ssh.bak # backup ssh config just in case
- pkg install -y security/py-ssh-audit # install ssh-audit (you can make intall if you like)
-
-## Enable and start sshd, then run ssh-audit, saving the output
-
- service sshd enable
- service sshd start
- uname -a > ssh-audit.out
- echo "# before hardening" >> ssh-audit.out
- ssh-audit --no-colors localhost >> ssh-audit.out || true
-
## Remove existing key-pairs, disable DSA & ECDSA
rm -f /etc/ssh/ssh_host_*
@@ -40,201 +26,12 @@
printf "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com\n" >> /etc/ssh/sshd_config
-## Restart sshd and run ssh-audit again, appending output
+## Restart sshd
service sshd restart
- echo "# after hardening" >> ssh-audit.out
- ssh-audit --no-colors localhost >> ssh-audit.out
-
-
- Send (pastebin) the contents of ssh-audit.out
-
-```
-FreeBSD cirrus-task-0000000000000000 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-n262122-2ef2c26f3f13: Thu Apr 13 12:00:00 UTC 2023 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
-# before hardening
-# general
-(gen) banner: SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
-(gen) software: OpenSSH 9.3 running on FreeBSD (2023-03-16)
-(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2018.76+
-(gen) compression: enabled (zlib@openssh.com)
-
-# key exchange algorithms
-(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
-(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
-(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
-(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
- `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
- `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
- `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
- `- [info] available since OpenSSH 4.4
- `- [info] A bug in OpenSSH causes it to fall back to a 2048-bit modulus regardless of server configuration (https://bugzilla.mindrot.org/show_bug.cgi?id=2793)
-(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
-(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
-(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
- `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
-
-# host-key algorithms
-(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
-(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2
-(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
- `- [warn] using weak random number generator could reveal the key
- `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
-(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
-
-# encryption algorithms (ciphers)
-(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
- `- [info] default cipher since OpenSSH 6.9
-(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
-(enc) aes192-ctr -- [info] available since OpenSSH 3.7
-(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
-(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
-(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
-
-# message authentication code algorithms
-(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
- `- [info] available since OpenSSH 6.2
-(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
-(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
-(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
-(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
- `- [info] available since OpenSSH 6.2
-(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
- `- [warn] using small 64-bit tag size
- `- [info] available since OpenSSH 4.7
-(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
- `- [info] available since OpenSSH 6.2
-(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
- `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
-(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
- `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
-(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
- `- [warn] using encrypt-and-MAC mode
- `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
-
-# fingerprints
-(fin) ssh-ed25519: SHA256://vc4mr/g2BTKIdK3NERXkgPB2N3eUWu1w9ogRzl+jU
-(fin) ssh-rsa: SHA256:LTh9CSdUlWAIEENm9zuouPcLYS3Z2gfGVvarLy2Hrcs
-
-# algorithm recommendations (for OpenSSH 9.3)
-(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
-(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
-(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
-(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
-(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
-(rec) -hmac-sha1 -- mac algorithm to remove
-(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
-(rec) -hmac-sha2-256 -- mac algorithm to remove
-(rec) -hmac-sha2-512 -- mac algorithm to remove
-(rec) -umac-128@openssh.com -- mac algorithm to remove
-(rec) -umac-64-etm@openssh.com -- mac algorithm to remove
-(rec) -umac-64@openssh.com -- mac algorithm to remove
-
-# additional info
-(nfo) For hardening guides on common OSes, please see:
-
-# after hardening
-# general
-(gen) banner: SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
-(gen) software: OpenSSH 9.3 running on FreeBSD (2023-03-16)
-(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2018.76+
-(gen) compression: enabled (zlib@openssh.com)
-
-# key exchange algorithms
-(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
-(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
-(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
-(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
-(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
-(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
- `- [info] available since OpenSSH 4.4
- `- [info] A bug in OpenSSH causes it to fall back to a 2048-bit modulus regardless of server configuration (https://bugzilla.mindrot.org/show_bug.cgi?id=2793)
-
-# host-key algorithms
-(key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
-(key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
-(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
-
-# encryption algorithms (ciphers)
-(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
- `- [info] default cipher since OpenSSH 6.9
-(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
-(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
-(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
-(enc) aes192-ctr -- [info] available since OpenSSH 3.7
-(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
-
-# message authentication code algorithms
-(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
-(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
-(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
-
-# fingerprints
-(fin) ssh-ed25519: SHA256:fadjjnDRlCNwjheWnNP0MwiaM3g2wXAyT3a+cExyV9g
-(fin) ssh-rsa: SHA256:Ch0vT4Ys23MrLX4YGHju++Zl4/jUUFty3WEjjFWfYbg
-```
-
-
-## If you want to revert the SSH configuration
-
- rm -rf /etc/ssh
- mv /etc/ssh.bak /etc/ssh
# Client
## Run the following in a terminal to harden the OpenSSH client for the local user
mkdir -p -m 0700 ~/.ssh; printf "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com\n" >> ~/.ssh/config
-
-
- Results report
-
-```
-# general
-(gen) client IP: 127.0.0.1
-(gen) banner: SSH-2.0-OpenSSH_9.3
-(gen) software: OpenSSH 9.3
-(gen) compression: enabled (zlib@openssh.com, zlib)
-
-# key exchange algorithms
-(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
-(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
- `- [info] default key exchange since OpenSSH 6.4
-(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
- `- [info] default key exchange since OpenSSH 6.4
-(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
-(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
-(kex) diffie-hellman-group-exchange-sha256 -- [info] available since OpenSSH 4.4
-(kex) ext-info-c
-
-# host-key algorithms
-(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
-(key) ssh-ed25519-cert-v01@openssh.com -- [info] available since OpenSSH 6.5
-(key) sk-ssh-ed25519@openssh.com -- [info] available since OpenSSH 8.2
-(key) sk-ssh-ed25519-cert-v01@openssh.com -- [info] available since OpenSSH 8.2
-(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
-(key) rsa-sha2-256-cert-v01@openssh.com -- [info] available since OpenSSH 7.8
-(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
-(key) rsa-sha2-512-cert-v01@openssh.com -- [info] available since OpenSSH 7.8
-
-# encryption algorithms (ciphers)
-(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
- `- [info] default cipher since OpenSSH 6.9
-(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
-(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
-(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
-(enc) aes192-ctr -- [info] available since OpenSSH 3.7
-(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
-
-# message authentication code algorithms
-(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
-(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
-(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
-```
-