Install ssh-audit: pacman -S ssh-audit Server Audit the current server configuration: ssh-audit localhost If any fail or warn level log line appear, try implementing the following sections. Explicitly allow only selected algorithms Restrict key exchange algorithms, ciphers, message authentication codes, and asymmetric keys: # File: /etc/ssh/sshd_config.d/01-ssh-audit_hardening.conf # Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com # hardening guide. KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com Force usage of public key authentication and prevent root login # File: /etc/ssh/sshd_config.
Goodbye keyboards and monitors!
So easy!
We encrypt a user home directory with eCryptfs. The consequence is that the contents of this directory are only accessible if at least one of the following is true:
* or has processes surviving logout (for instance lingering services).
This may increase privacy, depending on how the system is used.
If the user home is not encrypted, it would suffice to be root (without the user necessarily being logged in). Note that being root on another system and mounting the partition hosting the user’s home suffices.
Put that second drive to use!
To make it even harder for predatory institutions to find your keys.
Use autossh and a systemd service…
So easy!
LUKS partitions cannot be recovered once the header is lost.
No need to enable full login shell if the only intended usage is proxying.