chr4

Devops. I've never asked for this.

Howto secure openssh-6.x

Since OpenSSH 6.x came out, a lot of new ciphers where introduced. I was wondering, which ones where the best and what I should use, and I read a few articles on the internet to find out.

I’m certianly not a cryptographer, so if you have any suggestions howto further improve the configuration below, feel free to contact me.

As a general statement, one should avoid ECDSA and use Ed25519 instead, and due to the fixed key length of DSA that ssh-keygen uses, DSA should also be avoided. RSA keys should be at least 2048 bits long, perhaps 4096 bits is the better choice.

Note: Most of the settings covered in this post are incompatible with openssh-5.x. Consider upgrading!

Availablility of openssh-6.x

  • Ubuntu 14.04 ships with openssh-6.6
  • Archlinux ships with newest openssh, due to its rolling release package management
  • MacOS Mavericks ships with openssh-6.2, you can install openssh-6.6 using Homebrew
  • Debian Wheezy ships openssh-6.0 (Note: Some covered settings are not compatible with OpenSSH < 6.4)
  • RHEL 5.x ships openssh-5.4 :(

You can configure your ssh to prefer good ciphers on both, the client and the server side.

Securing the ssh client configuration

There’s two files you can configure your ssh client with

  • /etc/ssh/ssh_config (Global configuration, for all users)
  • ~/.ssh/config (Your users configuration)

Place the configuration for all hosts at the bottom of the file, and override this default settings with entries for individual hosts/networks with entries placed above (This is the way how the configuration file is read).

So we should start with settings for individual hosts. Here’s the settings I use for Github, as Github doesn’t support recent ciphers unfortunately :(

1
2
3
4
5
6
Host github.com
  # Github doesn't support decent ciphers, using the best available
  Ciphers       aes256-ctr
  MACs          hmac-sha2-512
  KexAlgorithms diffie-hellman-group14-sha1
  IdentityFile  ~/.ssh/id_rsa

In the same way, you can add cipher (as well as other) specifications for other hosts, e.g.:

1
2
3
4
5
6
# This is a host with OpenSSH < 6.4
Host myoldhost.com
  User              katie
  HostKeyAlgorithms ssh-rsa
  Ciphers           aes256-ctr
  MACs              hmac-sha2-512

And finally, here’s the global defaults, using only secure ciphers.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Host *
  # Use only secure ciphers
  # Never use ECDSA/DSA, prefer Ed25519, use RSA as fallback
  # In case you need to support openssh-server versions < 6.4,
  # you need to add ssh-rsa, aes256-ctr and hmac-sha2-512 :(
  #
  # Update 2015-08-14: Remove ssh-rsa-cert-v00@openssh.com, was deprecated by openssh-7.0
  HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa-cert-v01@openssh.com
  Ciphers           chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
  MACs              hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
  KexAlgorithms     curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

  # Prefer Ed25519 over RSA, never use DSA/ECDSA
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_rsa

  # Display randomart images of hostkeys
  VisualHostKey yes

Securing openssh-server

Server side config resides in /etc/ssh/sshd_config. I’m mostly covering the security/cipher related configuration settings here. Basically, the configuration resembles the client configuration for most of the settings.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Using a non-standard ssh port is just security by obscurity
# Port 22

# In general, please use pub/priv authentication instead of passwords
PasswordAuthentication no

# Speedup login process on machines that have no proper DNS settings, protect
# privacy, no real security drawback
UseDNS no

# Use only secure ciphers
# Never use ECDSA/DSA, prefer Ed25519, use RSA as fallback
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Add aes256-ctr for compatibility with older clients
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

# Add hmac-sha2-512 for compatibility with older clients
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Issues

Ruby net/ssh library

The Ruby net/ssh library cannot deal with the new ciphers yet. I tried to fix the library, but couldn’t quite fix all the issues. Please see this pull request, and feel free to contribute!

Popular programs using this library are among others Vagrant and knife ssh.

There best workaround I found was overriding the SSH_AUTH_SOCK variable when using those programs, resulting in ignoring the unknown keys in ssh-agent:

1
SSH_AUTH_SOCK='' vagrant up

OpenSSH versions < 6.x

When dealing with OpenSSH clients/servers < 6.x, you might add more exceptions into your ssh_config resp. sshd_config. The settings I use for Github above might be a good starting point. ssh -v usually gives good hints which ciphers you need to enable.

Chef sshd cookbook

If you want to deploy ssh configurations for multiple hosts, you might want to have a look on my sshd cookbook for Chef.