Kategorie:SSH/Kryptografie

Umgang mit Schlüsselmaterial

Schlüsselmaterial identifiziert die kryptografischen Geheimnisse, aus denen ein Schlüssel besteht.

Sämtliches Schlüsselmaterial muss als RESTRICTED-Daten behandelt werden

• Nur Personen mit spezieller Ausbildung und dem Bedarf an Wissen sollten Zugang zu Schlüsselmaterial haben.
• Das Schlüsselmaterial muss bei der Übertragung verschlüsselt werden.
• Schlüsselmaterial kann im Klartext gespeichert werden, aber nur mit einer angemessenen Zugangskontrolle (begrenzter Zugang).

Dazu gehören

• OpenSSH server keys (/etc/ssh/ssh_host_*key)
• Client keys (~/.ssh/id_{rsa,dsa,ecdsa,ed25519} and ~/.ssh/identity).

Ciphers and algorithms choice

Recent OpenSSH servers and client support CHACHA20

• When CHACHA20 (OpenSSH 6.5+) is not available
• AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) disclose the packet length - giving some information to the attacker.
• NIST curves (ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256) are listed for compatibility, but the use of curve25519 is generally preferred

SSH protocol 2

• DH
• ECDH key-exchange
• forward secrecy

Group sizes

• Security/Guidelines/Key_Management

The various algorithms supported by a particular OpenSSH version can be listed with the following commands

$ ssh -Q cipher
$ ssh -Q cipher-auth
$ ssh -Q mac
$ ssh -Q kex
$ ssh -Q key

Client key size and login latency

Figure out the impact on performance of using larger keys

• Such as RSA 4096 bytes keys - on the client side

Tests

Idle, i7 4500 intel CPU

• OpenSSH_6.7p1
• OpenSSL 1.0.1l
• ed25519 server keys

The following command is ran 10 times

time ssh localhost -i .ssh/id_thekey exit

Results

Client key	Minimum	Maximum	Average
RSA 4096	120ms	145ms	127ms
RSA 2048	120ms	129ms	127ms
ed25519	117ms	138ms	120ms

Slower Machines

These numbers may differ on a slower machine

• This contains the complete login sequence
• Therefore is subject to variations

Summery

• The latency differences are not significant
• It does not impact performance sufficiently

Konfiguration

OpenSSH

Settings

OpenSSH 6.6

# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Cipher selection
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Curve25519

OpenSSH 6.6p1 supports Curve25519

Tested Version

OpenSSH 6.5 (Debian Jessie)

Settings

Important OpenSSH 6.5 security settings

# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Cipher selection
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Tested with Version

• OpenSSH 6.0p1 (Debian wheezy)

Settings

Important OpenSSH 6.0 security settings

# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no # or 'without-password' to allow SSH key based login
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Cipher selection
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Kompatibilität

• Older Linux systems won’t support SHA2
• PuTTY (Windows) does not support RIPE-MD160
• Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.6p1)
• DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit [5] which is far below current standards (see section #section:keylengths)
• Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs

References

• Cisco SSH is a basic SSH reference for all routers and switches
• Refer to the specific documentation of the device and IOS version that you are configuring

How to test

Connect a client with verbose logging enabled to the SSH server

$ ssh -vvv myserver.com

and observe the key exchange in the output.

Cisco ASA

Tested with Versions

• 9.1(3)

Settings

• crypto key generate rsa modulus 2048
• ssh version 2
• ssh key-exchange group dh-group14-sha1

• When the ASA is configured for SSH, by default both SSH versions 1 and 2 are allowed.
• In addition to that, only a group1 DH-key-exchange is used.
• This should be changed to allow only SSH version 2 and to use a key-exchange with group14.
• The generated RSA key should be 2048 bit (the actual supported maximum).
• A non-cryptographic best practice is to reconfigure the lines to only allow SSH-logins.

References

1. CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1

How to test

Connect a client with verbose logging enabled to the SSH server

$ ssh -vvv myserver.com

and observe the key exchange in the output.

Cisco IOS

Tested Versions

Program Version	OS/Distribution/Version	Comment
15.0	IOS
15.1	IOS
15.2	IOS

Settings

crypto key generate rsa modulus 4096 label SSH-KEYS
ip ssh rsa keypair-name SSH-KEYS
ip ssh version 2
ip ssh dh min size 2048
line vty 0 15
transport input ssh

• Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only use a DH-group of 768 Bit.
• In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual keys-pairs.
• From IOS Version 15.0 onwards, 4096 Bit rsa keys are supported and should be used according to the paradigm "use longest supported key".
• Also, do not forget to disable telnet vty access.

How to test

Connect a client with verbose logging enabled to the SSH server

$ ssh -vvv switch.example.net

and observe the key exchange in the output.

Anhang

Siehe auch

Dokumentation

Links

Projekt

Weblinks

1. Key Management
2. Server Side TLS
3. RFC4418 (umac)
4. umac draft
5. Safe curves
6. DJM blog
7. Stribika blog
8. AES-GCM performance study
9. CHACHA20 vs AES-GCM performance study
10. PROTOCOL.certkeys
11. rfc44880bis from GnuPG
12. Weak Diffie-Hellman and the Logjam Attack
13. On OpenSSH and Logjam, by Jethro Beekman