Needed to work around CVE-2016-0777. The global config lives in /etc/ssh/ssh_config.
Going to use this as an opportunity to tighten down some other settings as well, like HashKnownHosts.
I'm going off https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28OpenSSH_5.3.29 for recommended defaults.
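Added example, not part of this bug or its attachment: a small POSIX shell audit that reads an ssh_config-style file and reports whether the two client settings discussed here, UseRoaming and HashKnownHosts, are set the way the wiki recommends. It assumes only those two OpenSSH option names and the ssh_config(5) lookup rules (case-insensitive keys, first obtained value wins); it does not model Host-block matching, so it treats every line as global. The sample configs it creates are constructed stand-ins for /etc/ssh/ssh_config.

```shell
#!/bin/sh
# Added example, not from this bug's attachment: audit an ssh_config-style file
# for the client settings discussed here. Assumes the OpenSSH client option
# names UseRoaming and HashKnownHosts; the sample configs below are constructed.

# get_option FILE NAME
# Prints the value of NAME from FILE. Mirrors ssh_config(5) lookup rules in
# two ways: keys match case-insensitively, and the FIRST value obtained wins,
# so a later duplicate does not override an earlier one. Host blocks are not
# modeled; every line is treated as global.
get_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                     # comment line
        { gsub(/=/, " ") }                            # accept "Key=value" form
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_ssh_config FILE
# Returns 0 when UseRoaming is "no" and HashKnownHosts is "yes"; otherwise
# prints each deviation and returns 1.
check_ssh_config() {
    file=$1
    rc=0
    roaming=$(get_option "$file" UseRoaming | tr 'A-Z' 'a-z')
    if [ "$roaming" != "no" ]; then
        echo "$file: UseRoaming is '${roaming:-unset}', expected 'no' (CVE-2016-0777 workaround)"
        rc=1
    fi
    hashing=$(get_option "$file" HashKnownHosts | tr 'A-Z' 'a-z')
    if [ "$hashing" != "yes" ]; then
        echo "$file: HashKnownHosts is '${hashing:-unset}', expected 'yes'"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (stand-ins for /etc/ssh/ssh_config).
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG=$SAMPLE_DIR/weak_ssh_config
HARDENED_CFG=$SAMPLE_DIR/hardened_ssh_config
APPENDED_CFG=$SAMPLE_DIR/appended_ssh_config

# Stock-style client config with nothing hardened.
cat > "$WEAK_CFG" <<'EOF'
Host *
    ForwardX11 no
EOF

# The settings this bug adds, one of them in "Key=value" form.
cat > "$HARDENED_CFG" <<'EOF'
Host *
    UseRoaming no
    HashKnownHosts=yes
EOF

# A fix appended to the end of a file that already sets UseRoaming does not
# take effect, because ssh keeps the first value it obtained.
cat > "$APPENDED_CFG" <<'EOF'
Host *
    UseRoaming yes
    HashKnownHosts yes
UseRoaming no
EOF

for cfg in "$WEAK_CFG" "$HARDENED_CFG" "$APPENDED_CFG"; do
    if check_ssh_config "$cfg"; then
        echo "$cfg: ok"
    fi
done
```

The third sample is the case worth remembering when scripting the fix across machines: appending `UseRoaming no` to a file that already carries a `UseRoaming` line leaves the earlier value in force, so the check must read the first occurrence, not the last.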
Created attachment 8708685: add some default openssh settings

Not that we have many good options with version 5.4. Any recommendations beyond these, Guillaume?

Comment on attachment 8708685: add some default openssh settings

Review of attachment 8708685:

TLDR: r+

Longer version: The recommendations from the wiki page are accurate for OpenSSH 5.3 as a server, albeit your link points to the SSH daemon configuration (/etc/ssh/sshd_config, i.e. sshd/server). While it doesn't spell out the usage of OpenSSH 5.4 as a client (it has settings for recent clients only), OpenSSH 5.4 has the addition of roaming in particular (which is affected by CVE-2016-0777), which you have cared for in your config (r+!). This is only necessary when SSH is used as a client though. We have audited the current setups to the best of our knowledge (i.e. when we get full reporting from the host/it's running audisp-json + mig).

For reference, SSH client (/etc/ssh/ssh_config, i.e. ssh/client) recommended settings are at https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28connects_to_older_servers.29 (again, since you have OpenSSH 5.4 this does not support all options, and your config looks good to me).

Finally, the best would be to upgrade to a newer OpenSSH/distribution, of course. If using IT-provided machines, AFAIK CentOS 7 will be available at the end of this quarter as per https://bugzilla.mozilla.org/show_bug.cgi?id=1019782
Thanks for double-checking. Unfortunately, we're pretty much stuck on version 5.4 until we're able to drop MSYS1 in favor of msys2, which is probably a ways out still. Unless you know of any alternate Windows options? I know Microsoft has been working on one as well, but it's still considered pre-release. https://hg.mozilla.org/mozilla-build/rev/8f49cd85c7ac
plink.exe (from PuTTY) can kinda/sorta be used as an ssh client stand-in for many use cases.