Based on https://stribika.github.io/2015/01/04/secure-secure-shell.html (with a stripped down list of Ciphers and MACs)

=== Server configuration ===

Remove all <code>HostKey</code> directives in <code>/etc/ssh/sshd_config</code>, then append at the bottom:

<pre>
# SSH hardening, see https://wiki.fsinf.at/wiki/SSH-Hardening

# Disable SSHv1
Protocol 2

# Only allow Public Key Authentication
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Only allow users in the "users" group (no system users!).
# NOTE: See /etc/adduser.conf (EXTRA_GROUPS and ADD_EXTRA_GROUPS) to
# automatically add new non-system users to a group.
AllowGroups users

# Don't forget to remove HostKey directives above
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
</pre>

... and execute:

<pre>
cd /etc/ssh/
rm ssh_host_*
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
</pre>

==== Restart server ====

Restarting does not affect the current session, so keep it open in case you have made a mistake:

<pre>
systemctl restart sshd
</pre>

=== Client configuration ===

At the top of your <code>~/.ssh/config</code>, add:

<pre>
Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
</pre>

Note that, compared with the server config, the client's KexAlgorithms list additionally contains diffie-hellman-group14-sha1; this is for compatibility with Ubuntu 12.04 (remove it if you don't care).

If possible, you can also regenerate your own SSH keys:

<pre>
ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100
</pre>

'''WARNING:''' This overwrites your old keys if you're not careful. If you don't add a new key to your servers before removing the old ones, you're locked out.

=== Sources ===
* https://cipherli.st/
* '''old, from 2015:''' https://stribika.github.io/2015/01/04/secure-secure-shell.html

[[Kategorie:FOSS]]
[[Kategorie:Linux]]