|
|
(25 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) |
Zeile 1: |
Zeile 1: |
| === Umgang mit Schlüsselmaterial ===
| |
| ; Schlüsselmaterial identifiziert die kryptografischen Geheimnisse, aus denen ein Schlüssel besteht.
| |
| ; Sämtliches Schlüsselmaterial muss als RESTRICTED-Daten behandelt werden
| |
| * Nur Personen mit spezieller Ausbildung und dem Bedarf an Wissen sollten Zugang zu Schlüsselmaterial haben.
| |
| * Das Schlüsselmaterial muss bei der Übertragung verschlüsselt werden.
| |
| * Schlüsselmaterial kann im Klartext gespeichert werden, aber nur mit einer angemessenen Zugangskontrolle (begrenzter Zugang).
| |
|
| |
| ; Dazu gehören
| |
| * OpenSSH server keys (<tt>/etc/ssh/ssh_host_*key</tt>)
| |
| * Client keys (<tt>~/.ssh/id_{rsa,dsa,ecdsa,ed25519}</tt> and <tt>~/.ssh/identity</tt>).
| |
|
| |
| === Ciphers and algorithms choice ===
| |
| ; Recent OpenSSH servers and client support CHACHA20
| |
| * When CHACHA20 (OpenSSH 6.5+) is not available
| |
| * AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html disclose the packet length] - giving some information to the attacker.
| |
| * NIST curves (<tt>ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256</tt>) are listed for compatibility, but the use of <tt>curve25519</tt> is [https://safecurves.cr.yp.to/ generally preferred]
| |
|
| |
| ; SSH protocol 2
| |
| * [https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange DH]
| |
| * [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie–Hellman ECDH] key-exchange
| |
| * [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy]
| |
|
| |
| ; Group sizes
| |
| * [https://wiki.mozilla.org/Security/Guidelines/Key_Management Security/Guidelines/Key_Management]
| |
|
| |
| The various algorithms supported by a particular OpenSSH version can be listed with the following commands
| |
| $ ssh -Q cipher
| |
| $ ssh -Q cipher-auth
| |
| $ ssh -Q mac
| |
| $ ssh -Q kex
| |
| $ ssh -Q key
| |
|
| |
| === Client key size and login latency ===
| |
| ; Figure out the impact on performance of using larger keys
| |
| * Such as RSA 4096 bytes keys - on the client side
| |
|
| |
| ; Tests
| |
| Idle, i7 4500 intel CPU
| |
| * OpenSSH_6.7p1
| |
| * OpenSSL 1.0.1l
| |
| * ed25519 server keys
| |
|
| |
| The following command is ran 10 times
| |
| time ssh localhost -i .ssh/id_thekey exit
| |
|
| |
| ; Results
| |
| {|| class="wikitable sortable"
| |
| |-
| |
| || '''Client key '''
| |
| || '''Minimum '''
| |
| || '''Maximum '''
| |
| || '''Average '''
| |
| |-
| |
| || RSA 4096
| |
| || 120ms
| |
| || 145ms
| |
| || 127ms
| |
| |-
| |
| || RSA 2048
| |
| || 120ms
| |
| || 129ms
| |
| || 127ms
| |
| |-
| |
| || ed25519
| |
| || 117ms
| |
| || 138ms
| |
| || 120ms
| |
| |-
| |
| |}
| |
|
| |
| ; Slower Machines
| |
| These numbers may differ on a slower machine
| |
| * This contains the complete login sequence
| |
| * Therefore is subject to variations
| |
|
| |
| ; Summery
| |
| * The latency differences are not significant
| |
| * It does not impact performance sufficiently
| |
|
| |
| === Konfiguration ===
| |
| ==== OpenSSH ====
| |
|
| |
| ==== Settings ====
| |
| ; OpenSSH 6.6
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 1024
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| PermitRootLogin no # or 'without-password' to allow SSH key based login
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
|
| |
| ; Curve25519
| |
| : OpenSSH 6.6p1 supports Curve25519
| |
|
| |
| ; Tested Version
| |
| : OpenSSH 6.5 (Debian Jessie)
| |
|
| |
| ===== Settings =====
| |
| ; Important OpenSSH 6.5 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| HostKey /etc/ssh/ssh_host_ed25519_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 1024
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| PermitRootLogin no # or 'without-password' to allow SSH key based login
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
|
| |
| ===== Tested with Version =====
| |
| * OpenSSH 6.0p1 (Debian wheezy)
| |
|
| |
| ===== Settings =====
| |
| ; Important OpenSSH 6.0 security settings
| |
| # Package generated configuration file
| |
| # See the sshd_config(5) manpage for details
| |
| # What ports, IPs and protocols we listen for
| |
| Port 22
| |
| # Use these options to restrict which interfaces/protocols sshd will bind to
| |
| #ListenAddress ::
| |
| #ListenAddress 0.0.0.0
| |
| Protocol 2
| |
| # HostKeys for protocol version 2
| |
| HostKey /etc/ssh/ssh_host_rsa_key
| |
| #HostKey /etc/ssh/ssh_host_dsa_key
| |
| #HostKey /etc/ssh/ssh_host_ecdsa_key
| |
| #Privilege Separation is turned on for security
| |
| UsePrivilegeSeparation yes
| |
| # Lifetime and size of ephemeral version 1 server key
| |
| KeyRegenerationInterval 3600
| |
| ServerKeyBits 768
| |
| # Logging
| |
| SyslogFacility AUTH
| |
| LogLevel INFO
| |
| # Authentication:
| |
| LoginGraceTime 120
| |
| PermitRootLogin no # or 'without-password' to allow SSH key based login
| |
| StrictModes yes
| |
| RSAAuthentication yes
| |
| PubkeyAuthentication yes
| |
| #AuthorizedKeysFile %h/.ssh/authorized_keys
| |
| # Don't read the user's ~/.rhosts and ~/.shosts files
| |
| IgnoreRhosts yes
| |
| # For this to work you will also need host keys in /etc/ssh_known_hosts
| |
| RhostsRSAAuthentication no
| |
| # similar for protocol version 2
| |
| HostbasedAuthentication no
| |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
| |
| #IgnoreUserKnownHosts yes
| |
| # To enable empty passwords, change to yes (NOT RECOMMENDED)
| |
| PermitEmptyPasswords no
| |
| # Change to yes to enable challenge-response passwords (beware issues with
| |
| # some PAM modules and threads)
| |
| ChallengeResponseAuthentication no
| |
| # Change to no to disable tunnelled clear text passwords
| |
| #PasswordAuthentication yes
| |
| # Kerberos options
| |
| #KerberosAuthentication no
| |
| #KerberosGetAFSToken no
| |
| #KerberosOrLocalPasswd yes
| |
| #KerberosTicketCleanup yes
| |
| # GSSAPI options
| |
| #GSSAPIAuthentication no
| |
| #GSSAPICleanupCredentials yes
| |
| # Cipher selection
| |
| Ciphers aes256-ctr,aes128-ctr
| |
| MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
| |
| KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
| |
| X11Forwarding yes
| |
| X11DisplayOffset 10
| |
| PrintMotd no
| |
| PrintLastLog yes
| |
| TCPKeepAlive yes
| |
| #UseLogin no
| |
| #MaxStartups 10:30:60
| |
| #Banner /etc/issue.net
| |
| # Allow client to pass locale environment variables
| |
| AcceptEnv LANG LC_*
| |
| Subsystem sftp /usr/lib/openssh/sftp-server
| |
| # Set this to 'yes' to enable PAM authentication, account processing,
| |
| # and session processing. If this is enabled, PAM authentication will
| |
| # be allowed through the ChallengeResponseAuthentication and
| |
| # PasswordAuthentication. Depending on your PAM configuration,
| |
| # PAM authentication via ChallengeResponseAuthentication may bypass
| |
| # the setting of "PermitRootLogin without-password".
| |
| # If you just want the PAM account and session checks to run without
| |
| # PAM authentication, then enable this but set PasswordAuthentication
| |
| # and ChallengeResponseAuthentication to 'no'.
| |
| UsePAM yes
| |
|
| |
| ===== Kompatibilität =====
| |
| * Older '''Linux''' systems won’t support SHA2
| |
| * PuTTY (Windows) does not support RIPE-MD160
| |
| * Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.6p1)
| |
| * DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit [[https://bettercrypto.org/#_footnotedef_5 5]] which is far below current standards (see section #section:keylengths)
| |
| * Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs
| |
|
| |
| ===== References =====
| |
| * [https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html Cisco SSH] is a basic SSH reference for all routers and switches
| |
| * Refer to the specific documentation of the device and IOS version that you are configuring
| |
|
| |
| ===== How to test =====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv myserver.com
| |
| and observe the key exchange in the output.
| |
|
| |
| ==== Cisco ASA ====
| |
|
| |
| ===== Tested with Versions =====
| |
| * 9.1(3)
| |
|
| |
| ===== Settings =====
| |
| * crypto key generate rsa modulus 2048
| |
| * ssh version 2
| |
| * ssh key-exchange group dh-group14-sha1
| |
|
| |
|
| |
| * When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed.
| |
| * In addition to that, only a group1 DH-key-exchange is used.
| |
| * This should be changed to allow only SSH version 2 and to use a key-exchange with group14.
| |
| * The generated RSA key should be 2048 bit (the actual supported maximum).
| |
| * A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.
| |
|
| |
| ===== References =====
| |
| # [https://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1]
| |
|
| |
| ===== How to test =====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv myserver.com
| |
| and observe the key exchange in the output.
| |
|
| |
| ==== Cisco IOS ====
| |
| ===== Tested Versions =====
| |
|
| |
| {| class="wikitable sortable options" style="border-spacing:0;width:9.259cm;"
| |
| |-
| |
| || Program Version
| |
| || OS/Distribution/Version
| |
| || Comment
| |
| |-
| |
| || 15.0
| |
| || IOS
| |
| ||
| |
| |-
| |
| || 15.1
| |
| || IOS
| |
| ||
| |
| |-
| |
| || 15.2
| |
| || IOS
| |
| ||
| |
| |-
| |
| |}
| |
|
| |
| ===== Settings =====
| |
| crypto key generate rsa modulus 4096 label SSH-KEYS
| |
| ip ssh rsa keypair-name SSH-KEYS
| |
| ip ssh version 2
| |
| ip ssh dh min size 2048
| |
| line vty 0 15
| |
| transport input ssh
| |
|
| |
| * Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only use a DH-group of 768 Bit.
| |
| * In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual keys-pairs.
| |
| * From IOS Version 15.0 onwards, 4096 Bit rsa keys are supported and should be used according to the paradigm "use longest supported key".
| |
| * Also, do not forget to disable telnet vty access.
| |
|
| |
| ===== How to test =====
| |
| Connect a client with verbose logging enabled to the SSH server
| |
| $ ssh -vvv switch.example.net
| |
| and observe the key exchange in the output.
| |
|
| |
|
| |
| <noinclude>
| |
| === Anhang ===
| |
| ==== Siehe auch ====
| |
| {{Special:PrefixIndex/{{BASEPAGENAME}}}}
| |
| ===== Sicherheit =====
| |
| ===== Dokumentation =====
| |
| ===== Links =====
| |
| ====== Projekt ======
| |
| ====== Weblinks ======
| |
| # [https://wiki.mozilla.org/Security/Key_Management Key Management]
| |
| # [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS]
| |
| # [https://www.ietf.org/rfc/rfc4418.txt RFC4418 (umac)]
| |
| # [http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt umac draft]
| |
| # [https://safecurves.cr.yp.to/ Safe curves]
| |
| # [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html DJM blog]
| |
| # [https://stribika.github.io/2015/01/04/secure-secure-shell.html Stribika blog]
| |
| # [http://2013.diac.cr.yp.to/slides/gueron.pdf AES-GCM performance study]
| |
| # [https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html CHACHA20 vs AES-GCM performance study]
| |
| # [http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain PROTOCOL.certkeys]
| |
| # [https://wiki.gnupg.org/rfc4880bis rfc44880bis from GnuPG]
| |
| # [https://weakdh.org/ Weak Diffie-Hellman and the Logjam Attack]
| |
| # [https://jbeekman.nl/blog/2015/05/ssh-logjam/ On OpenSSH and Logjam, by Jethro Beekman]
| |
|
| |
| [[Kategorie:Kryptografie/Best Practice]] | | [[Kategorie:Kryptografie/Best Practice]] |
| [[Kategorie:Secure Shell]] | | [[Kategorie:SSH]] |
| </noinclude>
| |