[enh] Clean + harden sshd config using Mozilla recommendation #590

Merged
merged 3 commits into from Dec 3, 2018

3 participants
alexAubin commented Nov 28, 2018

The problem

There are various settings which can be improved in the sshd configuration to increase security.

Solution

I used the Mozilla recommendation which I found here: https://infosec.mozilla.org/guidelines/openssh

I also cleaned a few things: many weird commented settings which are unlikely to be used, or settings which correspond to the default setting and are therefore unnecessary to state.

Of course, the best security gain in here would be to disable password authentication... To quote a guy from Stack Overflow: « The authentication and negotiation ciphers are far more important than the symmetric algorithm for the overall security »

PR Status

Tested in a dev environment ... but we should be careful and test this in various setups. (e.g. does this break putty? etc...)

How to test

This is built on top of #518 - you'll need to apply the migration, make sure you are using the new conf and see if everything works as expected

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :
alexAubin commented Nov 28, 2018

Note that https://cipherli.st/ and https://github.com/arthepsy/ssh-audit (linked by @kitoy30 and @frju365) are unhappy about allowing ECDSA keys (and related key exchange algorithms because those are using weak elliptic curves)

Dunno how that may impact client compatibility
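As an added example (not code from this PR or from the project), here is a small Python audit script that reads an sshd_config the way sshd does (keywords are case-insensitive, the first value of a keyword wins, everything after a Match line is conditional and skipped) and reports the points raised in the PR description and the comment above: legacy key exchange, CBC ciphers and SHA-1/MD5 MACs as failures, the NIST-curve ECDSA/ECDH entries that ssh-audit and cipherli.st object to as warnings, password authentication left enabled, and the order of HostKey lines. The algorithm denylists and the two sample configs are constructed for this example; the hardened sample follows the Mozilla modern guideline with the NIST-curve kex entries dropped.

```python
"""Audit an sshd_config for the weaknesses discussed in the PR.
Added example, not the project's code; denylists and samples are constructed."""
import re

# sshd_config semantics that matter when auditing:
#   - keywords are case-insensitive, values are case-sensitive
#   - for each keyword the FIRST value wins, later duplicates are ignored
#   - everything after a "Match" line is conditional, so it is skipped here
def parse_sshd_config(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "hostkey":                      # HostKey may repeat: keep order
            settings.setdefault("hostkey", []).append(value)
        elif key not in settings:                 # first value wins
            settings[key] = value
    return settings

# Constructed denylists (assumption: these legacy names are the ones worth flagging).
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
# Allowed by the Mozilla guideline but flagged by ssh-audit: reported as warnings.
NIST_CURVE_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}

def audit_sshd_config(text):
    """Return a list of (severity, message); an empty list means no findings."""
    cfg = parse_sshd_config(text)
    findings = []

    def check_algs(key, name, weak, soft=()):
        if key not in cfg:
            findings.append(("warn", f"{name} not set, OpenSSH defaults apply"))
            return
        algs = cfg[key].split(",")
        bad = [a for a in algs if a in weak]
        if bad:
            findings.append(("fail", f"{name} allows weak: {','.join(bad)}"))
        nist = [a for a in algs if a in soft]
        if nist:
            findings.append(("warn", f"{name} allows NIST-curve: {','.join(nist)}"))

    check_algs("kexalgorithms", "KexAlgorithms", WEAK_KEX, NIST_CURVE_KEX)
    check_algs("ciphers", "Ciphers", WEAK_CIPHERS)
    check_algs("macs", "MACs", WEAK_MACS)

    hostkeys = cfg.get("hostkey", [])
    if not hostkeys:
        findings.append(("warn", "no HostKey lines, sshd default host keys apply"))
    else:
        if not hostkeys[0].endswith("ssh_host_ed25519_key"):
            findings.append(("warn", "first HostKey is not ed25519 (order matters)"))
        for hk in hostkeys:
            if "ecdsa" in hk:
                findings.append(("warn", f"ECDSA HostKey (NIST curve): {hk}"))
            if hk.endswith("ssh_host_dsa_key"):
                findings.append(("fail", f"DSA HostKey: {hk}"))

    if cfg.get("protocol", "2") != "2":
        findings.append(("fail", "Protocol must be 2"))
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("warn", "PasswordAuthentication is on (sshd default is yes)"))
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append(("fail", "PermitRootLogin yes"))
    return findings

# Constructed sample configs (not the project's files).
WEAK_SAMPLE = """\
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,curve25519-sha256@libssh.org
Ciphers aes256-cbc,aes256-ctr   # trailing comment is ignored
MACs hmac-sha1,hmac-sha2-256
PasswordAuthentication yes
PasswordAuthentication no       # ignored: first value wins
"""

HARDENED_SAMPLE = """\
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
PasswordAuthentication no
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"== {label} ==")
        for severity, msg in audit_sshd_config(sample) or [("ok", "no findings")]:
            print(f"[{severity}] {msg}")
```

Running it on a real `/etc/ssh/sshd_config` (read the file and pass its contents to `audit_sshd_config`) gives a quick pre-merge check that the cleaned config still drops the legacy algorithms; the separate warn level keeps the NIST-curve compatibility question from the comment above visible without treating it as a failure.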

@alexAubin alexAubin changed the title [enh] Clean and + harden sshd config using Mozilla recommendation [enh] Clean + harden sshd config using Mozilla recommendation Nov 28, 2018

@alexAubin alexAubin referenced this pull request Nov 28, 2018

Closed

[enh] Improve SSHd config / ciphers #436

zamentur left a comment

LGTM

kitoy30 commented Nov 30, 2018

Thanks for this PR. +1.

@alexAubin alexAubin merged commit 447372d into fix-standardize-sshd-config Dec 3, 2018


@alexAubin alexAubin deleted the harden-ssh-config branch Dec 3, 2018

alexAubin added a commit that referenced this pull request Dec 6, 2018

[enh] Clean + harden sshd config using Mozilla recommendation (#590)
* Clean sshd_config + harden using Mozilla recommendation
* Order of keys matters, ed25519 is recommended