Paso 3: Harden ssh_config
Primero tenemos que abrir el archivo ssh_config.
sudo nano /etc/ssh/ssh_config
Ahora vamos a reemplazar todo en el archivo con la versión endurecida (la versión endurecida deshabilita la autenticación de hash y algoritmos de criptografía débiles).
# This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-specific key exchange algorithms. This is here so that if you're # having trouble logging into a server, you can modify and uncomment the # lines below and be on the way to getting work done. # Host github.com *.github.com # KexAlgorithms curve25519-sha256 # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. Host * # ForwardAgent no # ForwardX11 no # ForwardX11Trusted yes # RhostsRSAAuthentication no # RSAAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # GSSAPIKeyExchange no # GSSAPITrustDNS no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h UseRoaming no SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no KexAlgorithms curve25519-sha256 PasswordAuthentication no ChallengeResponseAuthentication no PubkeyAuthentication yes HostKeyAlgorithms ssh-ed25519-cert-v01 Ciphers chacha20-poly1305 MACs hmac-sha2-512-etm