Make sure to use builtin sed in case GNU sed has been installed, -i option works differently. Also perform both changes in one line so the first .orig isn't replaced by the second.

pr3c0g 2024-08-12 14:19:20 +01:00
parent b0b6a70163
commit 88d7b0ece7

@ -3,23 +3,22 @@ The community has indicated that the following instructions work for macOS 13 (V
Note: all commands below are to be executed as the root user.
1. Re-generate the RSA and ED25519 keys
```
```bash
rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
```
2. Remove small Diffie-Hellman moduli
```
```bash
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
3. Enable the RSA and ED25519 HostKey directives in the /etc/ssh/sshd_config file
```
sed -i .orig 's/^\#HostKey \/etc\/ssh\/ssh_host_rsa_key/HostKey \/etc\/ssh\/ssh_host_rsa_key/' /etc/ssh/sshd_config
sed -i .orig 's/^\#HostKey \/etc\/ssh\/ssh_host_ed25519_key/HostKey \/etc\/ssh\/ssh_host_ed25519_key/' /etc/ssh/sshd_config
```bash
/usr/bin/sed -i .orig -E 's/^\#(HostKey \/etc\/ssh\/ssh_host_(rsa_key|ed25519_key))/\1/' sshd_config
```
4. Restrict supported key exchange, cipher, and MAC algorithms
```
```bash
echo '
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
@ -29,7 +28,7 @@ MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@op
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256' > /etc/ssh/sshd_config.d/99_hardening.conf
```
5. Restart OpenSSH server
```
```bash
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
```