Since OpenSSH 6.x came out, a lot of new ciphers were introduced. I was wondering which ones were the best and what I should use, and I read a few articles on the internet to find out.
I’m certainly not a cryptographer, so if you have any suggestions on how to further improve the configuration below, feel free to contact me.
As a general statement, one should avoid ECDSA and use Ed25519 instead, and due to the fixed key length of DSA that ssh-keygen uses, DSA should also be avoided. RSA keys should be at least 2048 bits long; perhaps 4096 bits is the better choice.
Note: Most of the settings covered in this post are incompatible with openssh-5.x. Consider upgrading!
Availability of openssh-6.x
- Ubuntu 14.04 ships with openssh-6.6
- Arch Linux ships the newest openssh, due to its rolling-release package management
- MacOS Mavericks ships with openssh-6.2, you can install openssh-6.6 using Homebrew
- Debian Wheezy ships openssh-6.0 (Note: Some covered settings are not compatible with OpenSSH < 6.4)
- RHEL 5.x ships openssh-5.4 :(
You can configure your ssh to prefer good ciphers on both the client and the server side.
Securing the ssh client configuration
There are two files you can configure your ssh client with:
- /etc/ssh/ssh_config (global configuration, for all users)
- ~/.ssh/config (your user's configuration)
Place the configuration for all hosts at the bottom of the file, and override these defaults with entries for individual hosts/networks placed above it: ssh reads the file top to bottom and uses the first value it finds for each option.
So we should start with settings for individual hosts. Here are the settings I use for Github, as Github unfortunately doesn’t support recent ciphers :(
In the same way, you can add cipher (as well as other) specifications for other hosts, e.g.:
And finally, here are the global defaults, using only secure ciphers.
Server side config resides in /etc/ssh/sshd_config. I’m mostly covering the security/cipher related configuration settings here. Basically, the configuration resembles the client configuration for most of the settings.
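Added example, my own and not the author's configuration files (which are not preserved on this page), covering both the client settings above and the server settings just described: a POSIX shell script that prints a client ssh_config (a per-host exception first, the global defaults last) and the cipher-related part of a server sshd_config using the modern algorithms discussed in this post, plus a small audit function that flags legacy algorithms (CBC modes, arcfour, 3DES, MD5/SHA-1 MACs, SHA-1 key exchange) in an existing config file. The algorithm names are OpenSSH's own; chacha20-poly1305@openssh.com and curve25519-sha256@libssh.org need OpenSSH 6.5 or newer. The github.com host block is an assumed example of a host that lacks the newer algorithms, and the list it really accepts should be confirmed with ssh -v. The legacy config inside the script is constructed only to show the audit output.

```shell
#!/bin/sh
# Added example, not the author's config: recommended algorithm settings for
# OpenSSH 6.5+ clients/servers and an audit that flags legacy algorithms.

# Client side. ssh uses the first value it finds for each option, so host
# specific exceptions come first and the catch-all "Host *" goes last.
client_config() {
cat <<'EOF'
# Assumed example of a host that lacks the newer algorithms; verify with ssh -v
Host github.com
    HostName github.com
    User git
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256

# Defaults for every other host
Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
    HashKnownHosts yes
EOF
}

# Server side: the same algorithm lists, Ed25519 and RSA host keys only.
server_config() {
cat <<'EOF'
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Constructed legacy config, only used to demonstrate the audit below.
legacy_config() {
cat <<'EOF'
Ciphers aes128-cbc,3des-cbc,arcfour,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-sha2-256
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256
EOF
}

# audit_algorithms FILE: print each Ciphers/MACs/KexAlgorithms entry matching
# a legacy pattern (CBC, arcfour, 3DES, blowfish, cast128, MD5/SHA-1 MACs,
# SHA-1 key exchange). Returns 0 if nothing weak was found, 1 otherwise.
audit_algorithms() {
    weak=$(awk '
        tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
            n = split($2, list, ",")
            for (i = 1; i <= n; i++)
                if (list[i] ~ /cbc|arcfour|3des|blowfish|cast128|hmac-md5|hmac-sha1|-sha1$/)
                    print $1 ": " list[i]
        }' "$1")
    [ -z "$weak" ] && return 0
    printf '%s\n' "$weak"
    return 1
}

# Stand-alone run: the recommended configs pass, the legacy one is flagged.
main() {
    tmp=$(mktemp) || exit 1
    for cfg in client_config server_config legacy_config; do
        "$cfg" > "$tmp"
        if audit_algorithms "$tmp"; then
            echo "$cfg: no legacy algorithms"
        else
            echo "$cfg: legacy algorithms found (listed above)"
        fi
    done
    rm -f "$tmp"
}
main
```

To apply it, redirect client_config into ~/.ssh/config and server_config into /etc/ssh/sshd_config, then run sshd -t before restarting the daemon. On OpenSSH 6.3 or newer, ssh -Q cipher, ssh -Q mac and ssh -Q kex list what the installed binary supports, which is the quickest way to check that every name in these lists is available before locking the server down. audit_algorithms can be pointed at any existing config to find entries you may want to drop.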
Ruby net/ssh library
The best workaround I found was overriding the SSH_AUTH_SOCK variable when using those programs, which makes them ignore the unknown keys in ssh-agent:
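The workaround described above as an added shell example (my own, not the author's snippet, which is not preserved on this page): a function that runs any command with SSH_AUTH_SOCK unset in a subshell, so the program cannot reach ssh-agent and only uses the identity files it is given, while the calling shell keeps its agent socket. The tool names in the usage comments are assumed.

```shell
#!/bin/sh
# Added example, not the author's snippet: run a command without access to
# ssh-agent by unsetting SSH_AUTH_SOCK in a subshell. The caller's shell keeps
# its own SSH_AUTH_SOCK, so later ssh invocations still use the agent.
without_agent() {
    [ "$#" -gt 0 ] || { echo "usage: without_agent COMMAND [ARGS...]" >&2; return 2; }
    ( unset SSH_AUTH_SOCK; exec "$@" )
}

# agent_visible: returns 0 if this shell points at a live agent socket,
# 1 otherwise. Useful to confirm the agent is still reachable afterwards.
agent_visible() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Usage (assumed tool names; any program built on Ruby net/ssh works the same):
#   without_agent knife ssh 'role:web' uptime
#   without_agent ssh -i ~/.ssh/id_rsa user@host
```

Because the variable is only unset inside the subshell, the program started with exec sees no agent and falls back to the keys named in its own configuration, and the interactive shell continues to use ssh-agent as before.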
OpenSSH versions < 6.x
When dealing with OpenSSH clients/servers < 6.x, you might add more exceptions into your
sshd_config. The settings I use for Github above might be a good starting
ssh -v usually gives good hints about which ciphers you need to enable.
Chef sshd cookbook
If you want to deploy ssh configurations for multiple hosts, you might want to have a look at my sshd cookbook for Chef.