K4YT3X's Hardened OpenSSH Client Configuration
https://github.com/k4yt3x/ssh_config
# K4YT3X's Hardened OpenSSH Client Configuration

This repository hosts my hardened version of the OpenSSH client (>= 8.5) configuration file. If you want to use this configuration with an older version of OpenSSH, you will need to adjust it according to the error messages the client prints for options it does not recognize.

**Please review the configuration file carefully before applying it.** You are responsible for actions done to your own systems. For example, you might want to enable `GSSAPIAuthentication` if you use Kerberos authentication.

In addition to this configuration, you may also want to check out the [SSH Hardening Guides](https://www.ssh-audit.com/hardening_guides.html).

## Usage

For convenience, I have pointed the URL `https://kt.ax/ssh` at the `ssh_config` file, so you can download it with the following command. If you choose this method, be sure to verify the file's integrity after downloading it, since the redirect is an extra party you are trusting.

```shell
curl -L kt.ax/ssh -o ssh_config
```

### Method 1: Use as System Default

You can install this configuration as `/etc/ssh/ssh_config` to make its settings the system-wide defaults. Use this method if you want every user on the machine to get these secure settings by default (e.g., as a system administrator).

```shell
# download the configuration file from GitHub using curl or other methods
curl https://raw.githubusercontent.com/k4yt3x/ssh_config/master/ssh_config -o ~/ssh_config

# backup the original ssh_config
sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config.backup

# edit the original ssh_config file and append the contents of the config file
sudo vim /etc/ssh/ssh_config

# alternatively, if you are certain that the old config file is useless
# you may replace the old ssh_config with the new one
sudo mv ~/ssh_config /etc/ssh/ssh_config

# make sure the file has the correct ownership and permissions
sudo chown root:root /etc/ssh/ssh_config
sudo chmod 644 /etc/ssh/ssh_config
```

### Method 2: Use as User Default

You may also install this configuration file for the current user only, in which case its settings override the system defaults. Use this method if you do not have the permissions to change the system-wide configuration file or if you prefer to leave the system defaults untouched.

```shell
# download the configuration file from GitHub using curl or other methods
curl https://raw.githubusercontent.com/k4yt3x/ssh_config/master/ssh_config -o ~/ssh_config

# backup the original ssh_config
cp ~/.ssh/config ~/.ssh/config.backup

# edit the original ssh_config file and append the contents of the config file
vim ~/.ssh/config

# alternatively, if you are certain that the old config file is useless
# you may replace the old ssh_config with the new one
mv ~/ssh_config ~/.ssh/config
```

## Deactivating Short Diffie-Hellman Moduli

Diffie-Hellman moduli used for `diffie-hellman-group-exchange-sha256` should be at least 3072 bits long according to [Mozilla's OpenSSH server hardening guide](https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67). Note that `/etc/ssh/moduli` is read by the server (`sshd`), not by the client, so this step hardens the hosts you administer rather than the client configuration above. The commands below need root privileges.

```shell
# run these as root: /etc/ssh/moduli is only writable by root

# backup original moduli file
cp /etc/ssh/moduli /etc/ssh/moduli.backup

# keep lines whose size field (column 5) is >= 3071 and save them to moduli.tmp;
# the file records the size as bits minus one, so this keeps 3072-bit and larger moduli
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp

# overwrite original moduli file with the updated one
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
```
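The one-liner above generalized into a reusable check, as an added example that is not part of the `ssh_config` repository: it takes the nominal minimum size (3072, not 3071), preserves header comments, reports how many entries survive, and refuses to write an empty file, because `sshd` silently falls back to its built-in groups when no suitable moduli remain. The sample moduli file is constructed here with placeholder modulus values and the function names are assumptions.

```shell
#!/bin/sh
# Count the non-comment entries in a moduli(5) file.
count_moduli() {
    awk '!/^#/ && NF >= 7 { n++ } END { print n + 0 }' "$1"
}

# prune_moduli SRC DEST MIN_BITS
# Copies header comments and every entry whose recorded size (column 5)
# is at least MIN_BITS - 1 from SRC to DEST, since the file stores the size
# as bits minus one (a 3072-bit group is recorded as 3071). Returns 1 and
# leaves DEST untouched if no entry would survive.
prune_moduli() {
    src=$1
    dest=$2
    min=$(( $3 - 1 ))
    tmp="$dest.tmp"
    awk -v min="$min" '/^#/ { print; next } NF >= 7 && $5 + 0 >= min { print }' \
        "$src" > "$tmp"
    if [ "$(count_moduli "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        echo "refusing to write $dest: no moduli of at least $3 bits in $src" >&2
        return 1
    fi
    echo "kept $(count_moduli "$tmp") of $(count_moduli "$src") moduli (>= $3 bits)"
    mv "$tmp" "$dest"
}

# Constructed sample in the moduli(5) layout:
# time type tests tries size generator modulus.
# The modulus column is a placeholder, not a real prime.
SAMPLE_MODULI=$(mktemp)
cat > "$SAMPLE_MODULI" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20230101000000 2 6 100 2047 2 PLACEHOLDER_NOT_A_REAL_PRIME
20230101000001 2 6 100 3071 2 PLACEHOLDER_NOT_A_REAL_PRIME
20230101000002 2 6 100 4095 5 PLACEHOLDER_NOT_A_REAL_PRIME
20230101000003 2 6 100 8191 2 PLACEHOLDER_NOT_A_REAL_PRIME
EOF

# Demo on the constructed sample; on a real host you would run
# prune_moduli /etc/ssh/moduli /etc/ssh/moduli 3072 as root.
PRUNED=$(mktemp)
prune_moduli "$SAMPLE_MODULI" "$PRUNED" 3072
```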

### Verifying the Changes

You may want to use the [ssh-audit](https://github.com/jtesta/ssh-audit) script to check your SSH client's cryptographic strength after you have finished configuring it. If you're paranoid like me, you can also run ssh-audit in a Docker container.

```shell
# clone the repository
git clone https://github.com/jtesta/ssh-audit ~/ssh-audit

# launch ssh-audit in client-audit mode; it listens on local port 2222
python3 ~/ssh-audit/ssh-audit.py -c

# from a second terminal, connect to ssh-audit with the hardened client
# and read the audit results it prints
ssh -p 2222 127.0.0.1
```