OpenSSHd Security Config Checker
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
LICENSE.txt
README.md
sshdcc

README.md

OpenSSHd Security Config Checker

About

SSHDCC can check your OpenSSH server configuration file for security improvements. This can be done either on a live system or remotely.

Requirements

  • OpenSSH server configuration
  • Tcl version 8.6 (or later)

Example usage

Simple first check:

$ ./sshdcc
------------------------------------------------------------------------------
This is OpenSSHd Security Config Checker 0.1
  - (c) 2018 SektionEins GmbH / Ben Fuhrmannek - https://sektioneins.de/
  - download -> https://github.com/sektioneins/sshdcc
running on Darwin 17.6.0 x86_64 with Tcl 8.6 with TTY
started at 2018-07-03 13:52:12
------------------------------------------------------------------------------
additional live system checks are enabled
NOTE: No defaults were loaded. For better results, please specify either -d or
-dc. See -h for more help.
scanning file /etc/ssh/sshd_config

## RESULTS ##

(1) [NOTICE] extra environment variable accepted by pattern: LANG
    #> LINE 108: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure,
    that this variable pattern is actually required.

(2) [NOTICE] extra environment variable accepted by pattern: LC_*
    #> LINE 108: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure,
    that this variable pattern is actually required.

done.

Check current system, using ssh defaults as reference. Defaults vary for different SSH versions, so they are not included in the tool. The command 'sshd -f /dev/null -T' prints out the running version's default configuration.

./sshdcc -dc0
------------------------------------------------------------------------------
This is OpenSSHd Security Config Checker 0.1
  - (c) 2018 SektionEins GmbH / Ben Fuhrmannek - https://sektioneins.de/
  - download -> https://github.com/sektioneins/sshdcc
running on Darwin 17.6.0 x86_64 with Tcl 8.6 with TTY
started at 2018-07-03 13:54:50
------------------------------------------------------------------------------
additional live system checks are enabled
loading defaults from command sudo sshd -f /dev/null -T
Password: <enter your password for sudo here>
scanning file /etc/ssh/sshd_config

## RESULTS ##

(1) [WARNING] login via any authentication method is allowed
    #> SYSTEM DEFAULT: authenticationmethods any
    It is usually a good idea to restrict authentication methods to those
    actually required, e.g. 'publickey'. Please change this setting.

(2) [NOTICE] using default cipher list
    #> SYSTEM DEFAULT: ciphers
    chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    Depending on the version, SSH's default cipher list may contain really old
    ciphers, likely for compatibility with older versions. Try 'ssh -Q cipher'
    and choose current and secure ciphers as suitable.

(3) [NOTICE] login via password is allowed
    #> SYSTEM DEFAULT: passwordauthentication yes
    Public key based authentication methods are considered much more secure.
    Unless your configuration contains some kind of one-time-password, e.g. via
    PAM, this setting should be changed to 'no'.

(4) [NOTICE] extra environment variable accepted by pattern: LANG
    #> LINE 108: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure,
    that this variable pattern is actually required.

(5) [NOTICE] extra environment variable accepted by pattern: LC_*
    #> LINE 108: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure,
    that this variable pattern is actually required.

(6) [INFO] using default list of algorithms
    #> SYSTEM DEFAULT: pubkeyacceptedkeytypes
    ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    The default is most likely suitable. Otherwise, please check 'ssh -Q key'
    for a list of available algorithms.

(7) [INFO] using default list of algorithms
    #> SYSTEM DEFAULT: hostkeyalgorithms
    ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    The default is most likely suitable. Otherwise, please check 'ssh -Q key'
    for a list of available algorithms.

(8) [INFO] using default list of algorithms
    #> SYSTEM DEFAULT: hostbasedacceptedkeytypes
    ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    The default is most likely suitable. Otherwise, please check 'ssh -Q key'
    for a list of available algorithms.

(9) [INFO] using default list of key exchange algorithms
    #> SYSTEM DEFAULT: kexalgorithms
    curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
    The default may be perfectly fine for you. Otherwise, please check 'ssh -Q
    kex' for a list of available algorithms.

(10) [INFO] using default list of MAC algorithms
    #> SYSTEM DEFAULT: macs
    umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    This is most likely ok. Check out 'ssh -Q mac' for a list of available
    algorithms to choose from.

done.

Now, let's check a remote system, and save the results as CSV file:

$ ssh remote
remote$ sudo sshd -f /dev/null -T >defaults.conf
remote$ exit
$ scp remote:defaults.conf .
...
$ scp /etc/ssh/sshd_config .
$ ./sshdcc -f sshd_config -d defaults.conf -ns -csv results.csv