Harden the OpenSSH implementation in Windows 10/11 with the help of methods from Positron Security
JuliusBairaktaris/Harden-Windows-SSH
Harden-Windows-SSH

This repository provides a PowerShell script to harden the OpenSSH Server configuration on Windows, making it more secure and resistant to known vulnerabilities like the Terrapin attack (CVE-2023-48795). The hardening measures are based on recommendations from SSH-Audit.

Applied configuration

KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

Install latest OpenSSH version for Windows

It is strongly recommended to upgrade to the beta version of the OpenSSH implementation for Windows using winget, which patches the Terrapin vulnerability (CVE-2023-48795).

winget install -e --id Microsoft.OpenSSH.Beta

To test which OpenSSH version you are currently running, run in a terminal:

ssh -V

How to harden the OpenSSH implementation

Execute:

irm 'https://raw.githubusercontent.com/JuliusBairaktaris/Harden-Windows-SSH/main/ConfigureOpenSSH.ps1' | iex

In Windows, the OpenSSH Client (ssh) reads configuration data from a configuration file in the following order:

  1. By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
  2. A user's configuration file at %userprofile%\.ssh\config.
  3. The system-wide configuration file at %programdata%\ssh\ssh_config.

Optional overrides

  • hmac-sha2-256: This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems.
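To verify that a server's sshd_config actually carries the hardened lists above (and nothing beyond them except the optional hmac-sha2-256 override), here is an added audit helper; it is not part of this repository's script, parses the three algorithm directives most relevant to Terrapin, and treats any algorithm outside the README's lists as a finding.

```python
"""Audit a Windows sshd_config against the hardened algorithm lists above."""
from typing import Dict, List
# The three list-valued directives taken from the "Applied configuration" section.
HARDENED: Dict[str, List[str]] = {
    "KexAlgorithms": ["curve25519-sha256", "diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512",
                      "diffie-hellman-group-exchange-sha256"],
    "Ciphers": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                "aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "MACs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "umac-128-etm@openssh.com"],
}
# The README's optional override, tolerated only for the MACs directive.
OPTIONAL_MACS = {"hmac-sha2-256"}
# sshd keywords are case-insensitive, so match on the lowercased name.
CANON = {k.lower(): k for k in HARDENED}

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Return {directive: [algorithms]}; the first occurrence wins, as in sshd."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in CANON:
            continue
        key = CANON[parts[0].lower()]
        if key not in found:
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def audit(text: str) -> Dict[str, List[str]]:
    """Map each directive to its findings; an empty dict means fully hardened."""
    findings: Dict[str, List[str]] = {}
    present = parse_sshd_config(text)
    for key, allowed in HARDENED.items():
        if key not in present:
            findings[key] = ["missing: sshd falls back to its built-in defaults"]
            continue
        permitted = set(allowed) | (OPTIONAL_MACS if key == "MACs" else set())
        extra = [a for a in present[key] if a not in permitted]
        if extra:
            findings[key] = [f"not in hardened list: {a}" for a in extra]
    return findings

if __name__ == "__main__":
    # Constructed sample: a partially hardened config, not a real host's file.
    SAMPLE = ("Ciphers aes256-ctr,chacha20-poly1305@openssh.com\n"
              "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256\n")
    for directive, notes in audit(SAMPLE).items():
        print(directive, "->", "; ".join(notes))
```

Run it against a copy of %programdata%\ssh\sshd_config after executing the hardening script; an empty result means every directive matches the lists above.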

Security Scores using SSH-Audit

Default OpenSSH v8.X Configuration: (image: Default Windows OpenSSH v8 Client Score)

Hardened OpenSSH v8.X Client Configuration: (image: Hardened Windows OpenSSH v8 Client Score)

Default OpenSSH v8.X Server Configuration: (image: Default Windows OpenSSH v8 Server Score)

Hardened OpenSSH v8.X Server Configuration: (image: Hardened Windows OpenSSH v8 Server Score)

Further hardening recommendations

To further secure Windows, check out the great Harden-Windows-Security module by HotCakeX.
