|
|
(68 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) |
Zeile 1: |
Zeile 1: |
| '''topic''' kurze Beschreibung
| | [[Kategorie:Kryptografie/Best Practice]] |
| == Beschreibung ==
| |
| == Installation ==
| |
| == Anwendungen ==
| |
| === Fehlerbehebung ===
| |
| == Syntax ==
| |
| === Optionen ===
| |
| === Parameter ===
| |
| === Umgebungsvariablen ===
| |
| === Exit-Status ===
| |
| == Konfiguration ==
| |
| === Dateien ===
| |
| == Sicherheit ==
| |
| == Dokumentation ==
| |
| === RFC ===
| |
| === Man-Pages ===
| |
| === Info-Pages ===
| |
| == Siehe auch ==
| |
| == Links ==
| |
| === Projekt-Homepage ===
| |
| === Weblinks ===
| |
| === Einzelnachweise ===
| |
| <references />
| |
| == Testfragen ==
| |
| <div class="toccolours mw-collapsible mw-collapsed">
| |
| ''Testfrage 1''
| |
| <div class="mw-collapsible-content">'''Antwort1'''</div>
| |
| </div>
| |
| <div class="toccolours mw-collapsible mw-collapsed">
| |
| ''Testfrage 2''
| |
| <div class="mw-collapsible-content">'''Antwort2'''</div>
| |
| </div>
| |
| <div class="toccolours mw-collapsible mw-collapsed">
| |
| ''Testfrage 3''
| |
| <div class="mw-collapsible-content">'''Antwort3'''</div>
| |
| </div>
| |
| <div class="toccolours mw-collapsible mw-collapsed">
| |
| ''Testfrage 4''
| |
| <div class="mw-collapsible-content">'''Antwort4'''</div>
| |
| </div>
| |
| <div class="toccolours mw-collapsible mw-collapsed">
| |
| ''Testfrage 5''
| |
| <div class="mw-collapsible-content">'''Antwort5'''</div>
| |
| </div>
| |
| | |
| [[Kategorie:Entwurf]] | |
| | |
| = TMP =
| |
| == Beschreibung ==
| |
| === Umgang mit Schlüsselmaterial ===
| |
| ; Schlüsselmaterial identifiziert die kryptografischen Geheimnisse, aus denen ein Schlüssel besteht.
| |
| ; Sämtliches Schlüsselmaterial muss als RESTRICTED-Daten behandelt werden
| |
| * Nur Personen mit spezieller Ausbildung und dem Bedarf an Wissen sollten Zugang zu Schlüsselmaterial haben.
| |
| * Das Schlüsselmaterial muss bei der Übertragung verschlüsselt werden.
| |
| * Schlüsselmaterial kann im Klartext gespeichert werden, aber nur mit einer angemessenen Zugangskontrolle (begrenzter Zugang).
| |
| | |
| ; Dazu gehören
| |
| * OpenSSH server keys (<tt>/etc/ssh/ssh_host_*key</tt>)
| |
| * Client keys (<tt>~/.ssh/id_{rsa,dsa,ecdsa,ed25519}</tt> and <tt>~/.ssh/identity</tt>).
| |
| | |
| === Client key size and login latency ===
| |
| Figure out the impact on performance of using larger keys
| |
| * Such as RSA 4096 bytes keys - on the client side
| |
| | |
| ; Tests
| |
| Idle, i7 4500 intel CPU
| |
| * OpenSSH_6.7p1
| |
| * OpenSSL 1.0.1l
| |
| * ed25519 server keys
| |
| | |
| The following command is ran 10 times
| |
| time ssh localhost -i .ssh/id_thekey exit
| |
| | |
| ; Results
| |
| {|| class="wikitable sortable"
| |
| |-
| |
| || '''Client key '''
| |
| || '''Minimum '''
| |
| || '''Maximum '''
| |
| || '''Average '''
| |
| |-
| |
| || RSA 4096
| |
| || 120ms
| |
| || 145ms
| |
| || 127ms
| |
| |-
| |
| || RSA 2048
| |
| || 120ms
| |
| || 129ms
| |
| || 127ms
| |
| |-
| |
| || ed25519
| |
| || 117ms
| |
| || 138ms
| |
| || 120ms
| |
| |-
| |
| |}
| |
| | |
| ; Slower Machines
| |
| These numbers may differ on a slower machine
| |
| * This contains the complete login sequence
| |
| * Therefore is subject to variations
| |
| | |
| ; Summery
| |
| * The latency differences are not significant
| |
| * It does not impact performance sufficiently
| |
| | |
| == OpenSSH server ==
| |
| ; SSH is used to
| |
| * remotely manage computer systems
| |
| * secururly transfer files over untrusted networks
| |
| * create "ad-hoc" virtual-private networks
| |
| | |
| === OpenSSH ===
| |
| * [https://www.openssh.com/ OpenSSH] is the most popular implementation of the SSH protocol
| |
| * It is maintained by the [https://openbsd.org/ OpenBSD] project
| |
| * portable versions are disitributed with many unix-like operating-systems and Windows Server
| |
| | |
| ==== Tested with Version ====
| |
| * OpenSSH 6.6p1 (Gentoo)
| |
| * OpenSSH 6.6p1-2 on Ubuntu 14.04.2 LTS
| |
| * OpenSSH 7.2p2 on Ubuntu 16.04.3 LTS
| |
| | |
| ==== Settings ====
| |
| ; Important OpenSSH 6.6 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 1024
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| PermitRootLogin no # or 'without-password' to allow SSH key based login
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
| | |
| ; Curve25519
| |
| : OpenSSH 6.6p1 supports Curve25519
| |
| | |
| ==== Tested with Version ====
| |
| * OpenSSH 6.5 (Debian Jessie)
| |
| | |
| ==== Settings ====
| |
| ; Important OpenSSH 6.5 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 1024
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| PermitRootLogin no # or 'without-password' to allow SSH key based login
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
| | |
| ==== Tested with Version ====
| |
| * OpenSSH 6.0p1 (Debian wheezy)
| |
| | |
| ==== Settings ====
| |
| ; Important OpenSSH 6.0 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 768
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| PermitRootLogin no # or 'without-password' to allow SSH key based login
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
| | |
| ==== Kompatibilität ====
| |
| * Older '''Linux''' systems won’t support SHA2
| |
| * PuTTY (Windows) does not support RIPE-MD160.
| |
| * Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.6p1).
| |
| * DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit [[https://bettercrypto.org/#_footnotedef_5 5]] which is far below current standards (see section #section:keylengths).
| |
| * Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs.
| |
| | |
| ==== References ====
| |
| The OpenSSH [https://www.openssh.org/cgi-bin/man.cgi?query=sshd_config sshd_config — OpenSSH SSH daemon configuration file] man page is the best reference:
| |
| | |
| ==== How to test ====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv myserver.com
| |
| and observe the key exchange in the output.
| |
| | |
| === Cisco ASA ===
| |
| | |
| ==== Tested with Versions ====
| |
| * 9.1(3)
| |
| | |
| ==== Settings ====
| |
| * crypto key generate rsa modulus 2048
| |
| * ssh version 2
| |
| * ssh key-exchange group dh-group14-sha1
| |
| | |
| | |
| * When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed.
| |
| * In addition to that, only a group1 DH-key-exchange is used.
| |
| * This should be changed to allow only SSH version 2 and to use a key-exchange with group14.
| |
| * The generated RSA key should be 2048 bit (the actual supported maximum).
| |
| * A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.
| |
| | |
| ==== References ====
| |
| # [https://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1]
| |
| | |
| ==== How to test ====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv myserver.com
| |
| and observe the key exchange in the output.
| |
| | |
| === Cisco IOS ===
| |
| ==== Tested Versions ====
| |
| | |
| {| class="wikitable sortable options" style="border-spacing:0;width:9.259cm;"
| |
| |-
| |
| || Program Version
| |
| || OS/Distribution/Version
| |
| || Comment
| |
| |-
| |
| || 15.0
| |
| || IOS
| |
| ||
| |
| |-
| |
| || 15.1
| |
| || IOS
| |
| ||
| |
| |-
| |
| || 15.2
| |
| || IOS
| |
| ||
| |
| |-
| |
| |}
| |
| | |
| ==== Settings ====
| |
| crypto key generate rsa modulus 4096 label SSH-KEYS
| |
| ip ssh rsa keypair-name SSH-KEYS
| |
| ip ssh version 2
| |
| ip ssh dh min size 2048
| |
| line vty 0 15
| |
| transport input ssh
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only use a DH-group of 768 Bit. In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual keys-pairs. From IOS Version 15.0 onwards, 4096 Bit rsa keys are supported and should be used according to the paradigm "use longest supported key". Also, do not forget to disable telnet vty access.
| |
| |-
| |
| |}
| |
| | |
| ==== References ====
| |
| [https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html Cisco SSH]
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || This guide is a basic SSH reference for all routers and switches. Pleaes refer to the specific documentation of the device and IOS version that you are configuring.
| |
| |-
| |
| |}
| |
| | |
| ==== How to test ====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv switch.example.net
| |
| and observe the key exchange in the output.
| |
| | |
| | |
| [[Kategorie:Kryptografie:Best Practice]]
| |
| [[Kategorie:SSH]] | | [[Kategorie:SSH]] |
|
| |
| == Configuration ==
| |
| Different versions of OpenSSH support different options which are not always compatible.
| |
| * This guide shows settings for the most commonly deployed OpenSSH versions at Mozilla - however, using the latest version of OpenSSH is recommended.
| |
|
| |
| ==== Modern (OpenSSH 6.7+) ====
| |
| File: <tt>/etc/ssh/sshd_config</tt>
| |
|
| |
| # Supported HostKey algorithms by order of preference.
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| HostKey /etc/ssh/ssh_host_ecdsa_key
| |
|
| |
| KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
| |
|
| |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
| |
|
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
| |
|
| |
| # Password based logins are disabled - only public key based logins are allowed.
| |
| AuthenticationMethods publickey
| |
|
| |
| # LogLevel VERBOSE logs user's key fingerprint on login.
| |
| * Needed to have a clear audit track of which key was using to log in.
| |
| LogLevel VERBOSE
| |
|
| |
| # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
| |
| Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
| |
|
| |
| # Root login is not allowed for auditing reasons.
| |
| * This is because it's difficult to track which process belongs to which root user:
| |
| #
| |
| # On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
| |
| # Additionally, only tools such as systemd and auditd record the process session id.
| |
| # On other OSes, the user session id is not necessarily recorded at all kernel-side.
| |
| # Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
| |
| PermitRootLogin No
| |
|
| |
| # Use kernel sandbox mechanisms where possible in unprivileged processes
| |
| # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
| |
| UsePrivilegeSeparation sandbox
| |
|
| |
| File: <tt>/etc/ssh/moduli</tt>
| |
|
| |
| All Diffie-Hellman moduli in use should be at least 3072-bit-long (they are used for <tt>diffie-hellman-group-exchange-sha256</tt>) as per our [https://wiki.mozilla.org/Security/Guidelines/Key_Management Security/Guidelines/Key_Management] recommendations.
| |
| * See also <tt>man moduli</tt>.
| |
|
| |
| To deactivate short moduli in two commands: <tt>awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli</tt>
| |
|
| |
| ==== Intermediate (OpenSSH 5.3) ====
| |
| This is mainly for use by RHEL6, CentOS6, etc.
| |
| * which run older versions of OpenSSH.
| |
|
| |
| File: <tt>/etc/ssh/sshd_config</tt>
| |
|
| |
| # Supported HostKey algorithms by order of preference.
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| HostKey /etc/ssh/ssh_host_ecdsa_key
| |
|
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256
| |
| MACs hmac-sha2-512,hmac-sha2-256
| |
| Ciphers aes256-ctr,aes192-ctr,aes128-ctr
| |
|
| |
| # Password based logins are disabled - only public key based logins are allowed.
| |
| RequiredAuthentications2 publickey
| |
|
| |
| # RequiredAuthentications2 not work on official OpenSSH 5.3 portable.
| |
| # In this is your case, use this instead:
| |
| #PubkeyAuthentication yes
| |
| #PasswordAuthentication no
| |
|
| |
| # LogLevel VERBOSE logs user's key fingerprint on login.
| |
| * Needed to have a clear audit track of which key was using to log in.
| |
| LogLevel VERBOSE
| |
|
| |
| # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
| |
| Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
| |
|
| |
| # Root login is not allowed for auditing reasons.
| |
| * This is because it's difficult to track which process belongs to which root user:
| |
| #
| |
| # On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
| |
| # Additionally, only tools such as systemd and auditd record the process session id.
| |
| # On other OSes, the user session id is not necessarily recorded at all kernel-side.
| |
| # Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
| |
| PermitRootLogin No
| |
|
| |
| File: <tt>/etc/ssh/moduli</tt>
| |
|
| |
| All Diffie-Hellman moduli in use should be at least 2048-bit-long.
| |
| * From the structure of <tt>moduli</tt> files, this means the fifth field of all lines in this file should be greater than or equal to 2047.
| |
|
| |
| To deactivate weak moduli in two commands: <tt>awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli</tt>
| |
|
| |
| ==== Multi-Factor Authentication (OpenSSH 6.3+) ====
| |
| Recent versions of OpenSSH support MFA (Multi-Factor Authentication).
| |
| * Using MFA is recommended where possible.
| |
|
| |
| It requires additional setup, such as using the [http://www.nongnu.org/oath-toolkit/ OATH Toolkit] or [https://www.duosecurity.com/ DuoSecurity].
| |
|
| |
| {|| class="wikitable sortable"
| |
| |-
| |
| || <span >'''ATTENTION</span> '''
| |
| |-
| |
| || In order to allow using one time passwords (OTPs) and any other text input, Keyboard-interactive is enabled in OpenSSH.
| |
| * This ''MAY'' allow for password authentication to work.
| |
| * It is therefore very important to check your PAM configuration so that PAM disallow password authentication for OpenSSH.
| |
|
| |
| |-
| |
| |}
| |
|
| |
| ===== OpenSSH 6.3+ (default) =====
| |
| File: <tt>/etc/ssh/sshd_config</tt>
| |
|
| |
| # IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
| |
| # "PasswordAuthentication no" is not sufficient!
| |
| PubkeyAuthentication yes
| |
| PasswordAuthentication no
| |
| AuthenticationMethods publickey,keyboard-interactive:pam
| |
| KbdInteractiveAuthentication yes
| |
| UsePAM yes
| |
| # Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
| |
| UseLogin no
| |
|
| |
| ===== OpenSSH 5.3+ w/ RedHat/CentOS patch (old) =====
| |
| File: <tt>/etc/ssh/sshd_config</tt>
| |
|
| |
| # Allow keyboard-interactive.
| |
| # IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
| |
| # "PasswordAuthentication no" is not sufficient!
| |
| RequiredAuthentications2 publickey,keyboard-interactive:skey
| |
| PasswordAuthentication no
| |
| ChallengeResponseAuthentication yes
| |
| UsePAM yes
| |
| # Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
| |
| UseLogin no
| |
|
| |
| PAM configuration for use with the [https://www.nongnu.org/oath-toolkit/ OATH Toolkit] or [https://www.duosecurity.com/ DuoSecurity] as second authentication factor.
| |
|
| |
| File: <tt>/etc/pam.d/sshd</tt>
| |
|
| |
| #%PAM-1.0
| |
| auth required pam_sepermit.so
| |
|
| |
| # WARNING: make sure any password authentication module is disabled.
| |
| # Example: pam_unix.so, or "password-auth", "system-auth", etc.
| |
| #auth include password-auth
| |
|
| |
| # Options to enable when using OATH toolkit
| |
| #auth requisite pam_oath.so usersfile=/etc/users.oath digits=6 window=20
| |
|
| |
| # Options to enable when using DuoSecurity
| |
| #auth sufficient /lib64/security/pam_duo.so
| |
|
| |
| account required pam_nologin.so
| |
|
| |
| === Ciphers and algorithms choice ===
| |
| * When CHACHA20 (OpenSSH 6.5+) is not available, AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html disclose the packet length] - giving some information to the attacker.
| |
| * Only recent OpenSSH servers and client support CHACHA20.
| |
|
| |
| * NIST curves (<tt>ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256</tt>) are listed for compatibility, but the use of <tt>curve25519</tt> is [https://safecurves.cr.yp.to/ generally preferred].
| |
|
| |
| * SSH protocol 2 supports [https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange DH] and [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie–Hellman ECDH] key-exchange as well as [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy].
| |
| * Regarding group sizes, please refer to [https://wiki.mozilla.org/Security/Guidelines/Key_Management Security/Guidelines/Key_Management].
| |
|
| |
| The various algorithms supported by a particular OpenSSH version can be listed with the following commands:
| |
| $ ssh -Q cipher
| |
| $ ssh -Q cipher-auth
| |
| $ ssh -Q mac
| |
| $ ssh -Q kex
| |
| $ ssh -Q key
| |
|
| |
| == Reference documents ==
| |
| * [https://wiki.mozilla.org/Security/Key_Management Key Management]
| |
| * [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS]
| |
| * [https://www.ietf.org/rfc/rfc4418.txt RFC4418 (umac)]
| |
| * [http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt umac draft]
| |
| * [https://safecurves.cr.yp.to/ Safe curves]
| |
| * [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html DJM blog]
| |
| * [https://stribika.github.io/2015/01/04/secure-secure-shell.html Stribika blog]
| |
| * [http://2013.diac.cr.yp.to/slides/gueron.pdf AES-GCM performance study]
| |
| * [https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html CHACHA20 vs AES-GCM performance study]
| |
| * [http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain PROTOCOL.certkeys]
| |
| * [https://wiki.gnupg.org/rfc4880bis rfc44880bis from GnuPG]
| |
| * [https://weakdh.org/ Weak Diffie-Hellman and the Logjam Attack]
| |
| * [https://jbeekman.nl/blog/2015/05/ssh-logjam/ On OpenSSH and Logjam, by Jethro Beekman]
| |