Secure Secure Shell

Vector Sigma edited this page Sep 4, 2016 · 18 revisions

This is the wiki page for my Secure Secure Shell post.

If you know how to configure old OpenSSH versions, different SSH implementations running on various OSes (Linux distros, BSDs, other Unix variants, Windows, etc.), then please describe them here. The same goes for host-specific configuration of popular SSH services. I cannot include every single special case in the main document but I think it is important to have them somewhere. My private environment consists exclusively of up-to-date OpenSSH versions running on Linux, with a few Dropbear servers for embedded stuff. I don't have the resources to test anything else.

SSH implementations

AbsoluteTelnet extension

As of version 9.84 RC10, AbsoluteTelnet supports the diffie-hellman-group-exchange-sha256 KEX, aes256-ctr cipher, and hmac-sha2-512 MAC.

Support for curve25519 KEX and chacha20 is on the wishlist.

sshd_config snippet:

# Allow only the most secure methods supported by AbsoluteTelnet (as of version 9.84 release candidate 10)
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-512

# Only allow 4096-bit RSA key
HostKey /etc/ssh/ssh_host_rsa_4096_key

Prior versions require a diffie-hellman-group14-sha1 KEX, aes256-ctr cipher, and hmac-sha1 MAC.

KexAlgorithms diffie-hellman-group14-sha1
Ciphers aes256-ctr
MACs hmac-sha1

-- Rhyven

Chrome ssh extension

The Chrome SSH extension on ChromeBook works with sshd as configured according to the article.

Specifically, sshd_config contains:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKey /media/state/etc/ssh/ssh_host_rsa_key
HostKey /media/state/etc/ssh/ssh_host_ed25519_key

For the server, I use a hardened ssh jump host docker container configured with an sshd_config and the settings shown above.

For the client, I use a ChromeBook with the Chrome SSH extension.

You can test yourself using the repo at https://github.com/jumanjihouse/wormhole.

ConnectBot

ConnectBot 1.8.6-dirty (from F-Droid) needs

MACs hmac-sha1-96
Ciphers aes256-ctr

Earlier builds required even weaker settings. There's a bug open to help get ConnectBot up to snuff for this guide, so please contribute if you can. (The KEX part has been fixed already as a result of that bug.)

Red Hat Enterprise Linux and CentOS

RHEL 5 and newer generate 2048-bit RSA host keys by default.

RHEL 5

RHEL/CentOS 5 uses a very old version of OpenSSH, 4.3p2, which supports very few strong ciphers, does not support SHA-2, and does not support specifying KexAlgorithms (it is hardcoded to diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1). The best you can do is:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-ripemd160

RHEL 6

RHEL 6 uses OpenSSH 5.3p1.

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

RHEL 7

RHEL 7.1 uses OpenSSH 6.6.1p1, including curve25519 and chacha20-poly1305, and can be configured exactly as given in the original post.

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

RHEL 7.0 uses OpenSSH 6.4p1, just a bit too old to have curve25519 or chacha20-poly1305.

HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Debian

Debian 7 / wheezy

Debian 7 / wheezy uses OpenSSH 6.0p1

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Debian 7 / wheezy-backports uses OpenSSH 6.6.1p1, see note about curve25519.

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

(note: OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.)

Debian 8 / jessie

Debian 8 / jessie uses OpenSSH 6.7p1

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

-- bofhbug

Apache Mina SSHD v0.8 (used by KDEConnect)

ssh_config snippet:

Match user kdeconnect
        KexAlgorithms diffie-hellman-group14-sha1
        HostKeyAlgorithms ssh-dss
        MACs hmac-sha1

PuTTY

The nightly build supports all recommended settings.

Services using SSH

Heroku

Heroku needs HMAC-SHA1 and 1024-bit DH. Use at your own risk.

Host heroku.com
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group1-sha1
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com,hmac-sha1
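
Compatibility exceptions like the Heroku block above widen the article's lists, so it helps to see exactly which entries fall outside them. The following is an added example, not code from the wiki or the original post: it parses ssh_config/sshd_config text and reports every Ciphers, MACs or KexAlgorithms entry that is not in the recommended lists quoted in the RHEL 7.1 section. The function name `audit` is this example's own, and it assumes plain comma-separated lists (no `+`/`-` list modifiers).

```python
import re

# Recommended lists, copied from the RHEL 7.1 snippet on this page.
RECOMMENDED = {
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
               "aes256-ctr,aes192-ctr,aes128-ctr",
    "kexalgorithms": "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,"
            "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com",
}
ALLOWED = {k: set(v.split(",")) for k, v in RECOMMENDED.items()}

# Sample input: the Heroku Host block from this page, verbatim.
HEROKU_SAMPLE = """\
Host heroku.com
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group1-sha1
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com,hmac-sha1
"""


def audit(config_text):
    """Return [(scope, keyword, algorithm)] for each entry outside the allow-lists.

    scope is "global" or the Host/Match line the directive sits under.
    """
    findings, scope = [], "global"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # "Keyword value" and "Keyword=value" are both accepted by OpenSSH.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        keyword, value = parts
        key = keyword.lower()  # keywords are case-insensitive
        if key in ("host", "match"):
            scope = f"{keyword} {value}"
        elif key in ALLOWED:
            for alg in (a.strip() for a in value.split(",")):
                if alg and alg not in ALLOWED[key]:
                    findings.append((scope, key, alg))
    return findings


if __name__ == "__main__":
    for scope, key, alg in audit(HEROKU_SAMPLE):
        print(f"{scope}: {key} allows {alg}")
```

Run against the Heroku block, it lists the group14/group1 and NIST ECDH key exchanges and hmac-sha1 as the entries that exist only for that host.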

GitHub

GitHub only supports ecdh-sha2-nistp256, diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1. If you have an older version of SSH that does not support ecdh, you'll have to use group14.