Kategorie:SSH/Kryptografie: Unterschied zwischen den Versionen
Keine Bearbeitungszusammenfassung |
|||
Zeile 78: | Zeile 78: | ||
* It does not impact performance sufficiently | * It does not impact performance sufficiently | ||
== Konfiguration == | === Konfiguration === | ||
=== OpenSSH === | ==== OpenSSH ==== | ||
=== Settings === | ==== Settings ==== | ||
; OpenSSH 6.6 | ; OpenSSH 6.6 | ||
# Package generated configuration file | # Package generated configuration file | ||
Zeile 110: | Zeile 110: | ||
RSAAuthentication yes | RSAAuthentication yes | ||
PubkeyAuthentication yes | PubkeyAuthentication yes | ||
#AuthorizedKeysFile | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
# Don't read the user's ~/.rhosts and ~/.shosts files | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
IgnoreRhosts yes | IgnoreRhosts yes | ||
Zeile 166: | Zeile 166: | ||
: OpenSSH 6.5 (Debian Jessie) | : OpenSSH 6.5 (Debian Jessie) | ||
==== Settings ==== | ===== Settings ===== | ||
; Important OpenSSH 6.5 security settings | ; Important OpenSSH 6.5 security settings | ||
# Package generated configuration file | # Package generated configuration file | ||
Zeile 195: | Zeile 195: | ||
RSAAuthentication yes | RSAAuthentication yes | ||
PubkeyAuthentication yes | PubkeyAuthentication yes | ||
#AuthorizedKeysFile | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
# Don't read the user's ~/.rhosts and ~/.shosts files | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
IgnoreRhosts yes | IgnoreRhosts yes | ||
Zeile 245: | Zeile 245: | ||
UsePAM yes | UsePAM yes | ||
==== Tested with Version ==== | ===== Tested with Version ===== | ||
* OpenSSH 6.0p1 (Debian wheezy) | * OpenSSH 6.0p1 (Debian wheezy) | ||
==== Settings ==== | ===== Settings ===== | ||
; Important OpenSSH 6.0 security settings | ; Important OpenSSH 6.0 security settings | ||
# Package generated configuration file | # Package generated configuration file | ||
Zeile 276: | Zeile 276: | ||
RSAAuthentication yes | RSAAuthentication yes | ||
PubkeyAuthentication yes | PubkeyAuthentication yes | ||
#AuthorizedKeysFile | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
# Don't read the user's ~/.rhosts and ~/.shosts files | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
IgnoreRhosts yes | IgnoreRhosts yes | ||
Zeile 326: | Zeile 326: | ||
UsePAM yes | UsePAM yes | ||
==== Kompatibilität ==== | ===== Kompatibilität ===== | ||
* Older '''Linux''' systems won’t support SHA2 | * Older '''Linux''' systems won’t support SHA2 | ||
* PuTTY (Windows) does not support RIPE-MD160 | * PuTTY (Windows) does not support RIPE-MD160 | ||
Zeile 333: | Zeile 333: | ||
* Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs | * Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs | ||
==== References ==== | ===== References ===== | ||
* [https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html Cisco SSH] is a basic SSH reference for all routers and switches | * [https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html Cisco SSH] is a basic SSH reference for all routers and switches | ||
* Refer to the specific documentation of the device and IOS version that you are configuring | * Refer to the specific documentation of the device and IOS version that you are configuring | ||
==== How to test ==== | ===== How to test ===== | ||
Connect a client with verbose logging enabled to the SSH server | Connect a client with verbose logging enabled to the SSH server | ||
$ ssh -vvv myserver.com | $ ssh -vvv myserver.com | ||
and observe the key exchange in the output. | and observe the key exchange in the output. | ||
=== Cisco ASA === | ==== Cisco ASA ==== | ||
==== Tested with Versions ==== | ===== Tested with Versions ===== | ||
* 9.1(3) | * 9.1(3) | ||
==== Settings ==== | ===== Settings ===== | ||
* crypto key generate rsa modulus 2048 | * crypto key generate rsa modulus 2048 | ||
* ssh version 2 | * ssh version 2 | ||
Zeile 359: | Zeile 359: | ||
* A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins. | * A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins. | ||
==== References ==== | ===== References ===== | ||
# [https://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1] | # [https://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1] | ||
==== How to test ==== | ===== How to test ===== | ||
Connect a client with verbose logging enabled to the SSH server | Connect a client with verbose logging enabled to the SSH server | ||
$ ssh -vvv myserver.com | $ ssh -vvv myserver.com | ||
and observe the key exchange in the output. | and observe the key exchange in the output. | ||
=== Cisco IOS === | ==== Cisco IOS ==== | ||
==== Tested Versions ==== | ===== Tested Versions ===== | ||
{| class="wikitable sortable options" style="border-spacing:0;width:9.259cm;" | {| class="wikitable sortable options" style="border-spacing:0;width:9.259cm;" | ||
Zeile 390: | Zeile 390: | ||
|} | |} | ||
==== Settings ==== | ===== Settings ===== | ||
crypto key generate rsa modulus 4096 label SSH-KEYS | crypto key generate rsa modulus 4096 label SSH-KEYS | ||
ip ssh rsa keypair-name SSH-KEYS | ip ssh rsa keypair-name SSH-KEYS | ||
Zeile 403: | Zeile 403: | ||
* Also, do not forget to disable telnet vty access. | * Also, do not forget to disable telnet vty access. | ||
==== How to test ==== | ===== How to test ===== | ||
Connect a client with verbose logging enabled to the SSH server | Connect a client with verbose logging enabled to the SSH server | ||
$ ssh -vvv switch.example.net | $ ssh -vvv switch.example.net | ||
Zeile 410: | Zeile 410: | ||
<noinclude> | <noinclude> | ||
== Anhang == | === Anhang === | ||
=== Siehe auch === | ==== Siehe auch ==== | ||
{{Special:PrefixIndex/{{BASEPAGENAME}}}} | {{Special:PrefixIndex/{{BASEPAGENAME}}}} | ||
==== Sicherheit ==== | ===== Sicherheit ===== | ||
==== Dokumentation ==== | ===== Dokumentation ===== | ||
==== Links ==== | ===== Links ===== | ||
===== Projekt ===== | ====== Projekt ====== | ||
===== Weblinks ===== | ====== Weblinks ====== | ||
# [https://wiki.mozilla.org/Security/Key_Management Key Management] | # [https://wiki.mozilla.org/Security/Key_Management Key Management] | ||
# [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS] | # [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS] |
Version vom 31. Mai 2023, 11:07 Uhr
Umgang mit Schlüsselmaterial
- Schlüsselmaterial identifiziert die kryptografischen Geheimnisse, aus denen ein Schlüssel besteht.
- Sämtliches Schlüsselmaterial muss als RESTRICTED-Daten behandelt werden
- Nur Personen mit spezieller Ausbildung und dem Bedarf an Wissen sollten Zugang zu Schlüsselmaterial haben.
- Das Schlüsselmaterial muss bei der Übertragung verschlüsselt werden.
- Schlüsselmaterial kann im Klartext gespeichert werden, aber nur mit einer angemessenen Zugangskontrolle (begrenzter Zugang).
- Dazu gehören
- OpenSSH server keys (/etc/ssh/ssh_host_*key)
- Client keys (~/.ssh/id_{rsa,dsa,ecdsa,ed25519} and ~/.ssh/identity).
Ciphers and algorithms choice
- Recent OpenSSH servers and client support CHACHA20
- When CHACHA20 (OpenSSH 6.5+) is not available
- AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) disclose the packet length - giving some information to the attacker.
- NIST curves (ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256) are listed for compatibility, but the use of curve25519 is generally preferred
- SSH protocol 2
- DH
- ECDH key-exchange
- forward secrecy
- Group sizes
The various algorithms supported by a particular OpenSSH version can be listed with the following commands
$ ssh -Q cipher $ ssh -Q cipher-auth $ ssh -Q mac $ ssh -Q kex $ ssh -Q key
Client key size and login latency
- Figure out the impact on performance of using larger keys
- Such as RSA 4096 bytes keys - on the client side
- Tests
Idle, i7 4500 intel CPU
- OpenSSH_6.7p1
- OpenSSL 1.0.1l
- ed25519 server keys
The following command is ran 10 times
time ssh localhost -i .ssh/id_thekey exit
- Results
Client key | Minimum | Maximum | Average |
RSA 4096 | 120ms | 145ms | 127ms |
RSA 2048 | 120ms | 129ms | 127ms |
ed25519 | 117ms | 138ms | 120ms |
- Slower Machines
These numbers may differ on a slower machine
- This contains the complete login sequence
- Therefore is subject to variations
- Summery
- The latency differences are not significant
- It does not impact performance sufficiently
Konfiguration
OpenSSH
Settings
- OpenSSH 6.6
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin no # or 'without-password' to allow SSH key based login StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Cipher selection Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes
- Curve25519
- OpenSSH 6.6p1 supports Curve25519
- Tested Version
- OpenSSH 6.5 (Debian Jessie)
Settings
- Important OpenSSH 6.5 security settings
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin no # or 'without-password' to allow SSH key based login StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Cipher selection Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes
Tested with Version
- OpenSSH 6.0p1 (Debian wheezy)
Settings
- Important OpenSSH 6.0 security settings
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin no # or 'without-password' to allow SSH key based login StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Cipher selection Ciphers aes256-ctr,aes128-ctr MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes
Kompatibilität
- Older Linux systems won’t support SHA2
- PuTTY (Windows) does not support RIPE-MD160
- Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.6p1)
- DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit [5] which is far below current standards (see section #section:keylengths)
- Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs
References
- Cisco SSH is a basic SSH reference for all routers and switches
- Refer to the specific documentation of the device and IOS version that you are configuring
How to test
Connect a client with verbose logging enabled to the SSH server
$ ssh -vvv myserver.com
and observe the key exchange in the output.
Cisco ASA
Tested with Versions
- 9.1(3)
Settings
- crypto key generate rsa modulus 2048
- ssh version 2
- ssh key-exchange group dh-group14-sha1
- When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed.
- In addition to that, only a group1 DH-key-exchange is used.
- This should be changed to allow only SSH version 2 and to use a key-exchange with group14.
- The generated RSA key should be 2048 bit (the actual supported maximum).
- A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.
References
How to test
Connect a client with verbose logging enabled to the SSH server
$ ssh -vvv myserver.com
and observe the key exchange in the output.
Cisco IOS
Tested Versions
Program Version | OS/Distribution/Version | Comment |
15.0 | IOS | |
15.1 | IOS | |
15.2 | IOS |
Settings
crypto key generate rsa modulus 4096 label SSH-KEYS ip ssh rsa keypair-name SSH-KEYS ip ssh version 2 ip ssh dh min size 2048 line vty 0 15 transport input ssh
- Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only use a DH-group of 768 Bit.
- In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual keys-pairs.
- From IOS Version 15.0 onwards, 4096 Bit rsa keys are supported and should be used according to the paradigm "use longest supported key".
- Also, do not forget to disable telnet vty access.
How to test
Connect a client with verbose logging enabled to the SSH server
$ ssh -vvv switch.example.net
and observe the key exchange in the output.
Anhang
Siehe auch
Sicherheit
Dokumentation
Links
Projekt
Weblinks
Seiten in der Kategorie „SSH/Kryptografie“
Diese Kategorie enthält nur die folgende Seite.