[Ach] Settings for OpenSSH - missing client side configuration.

Dariusz Puchalak Dariusz at Puchalak.net
Tue Jul 15 10:02:19 CEST 2014 

Hi,

I just skimed over Applied Crypto Hardening.
Excelent guide! Thanks. :)

I have some remarks:

1. On the OpenSSH part, you missed client side
configuration.
Just as you can specify server side sshd_config
you can also specify client side ssh_config.

I think it's worth including this one too.
So we can enforce good crypto on the client side too.
And it can be a good education, because I have heard many
complains about OpenSSH that were not true 
i.e. you cannot choose AES mode
(in putty only - but almost no one knew that they can
do it on openssh). 
People take putty shortcommings as OpenSSH problems. :(

In example part of my config file
(can be /etc/ssh/ssh_config and/or ~/.ssh/config)
Host *
        StrictHostKeyChecking ask
        ForwardAgent no
        ForwardX11 no
        ForwardX11Trusted no
        GatewayPorts no
        Protocol 2
        CheckHostIP yes
        Ciphers aes256-ctr,aes128-ctr
        MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
        KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
	HostKeyAlgorithms ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa
        ServerAliveInterval 30
        TCPKeepAlive yes
        PreferredAuthentications publickey,password
        IPQoS lowdelay throughput

It's the default that can be change on per host basis by doing thing like:
Host old_and_buggy
        HostName example.com
        User scorpius
        Port 80
        Ciphers aes128-cbc
	MACs hmac-sha1

2. HostKeyAlgorithms - I'm not sure about what's the 
difference beetwen ssh-rsa-cert-v01 at openssh.com and
ssh-rsa-cert-v00 at openssh.com .
I need to dig more into the specification and source code.

But I still think it's esssential to disable DSA on server
and client too.

3. Why no ECDSA for OpenSSH?
I have read Theory part and 
3.5. A note on Elliptic Curve Cryptography,
but I'm not convinced :)
A few more sentences about SSH and ECDSA would be nice,
just like about DSS. 

Dariusz

-- 
 
"If money is your hope for independence you will never have it. 
 The only real security that a man will have in this world is a 
 reserve of knowledge, experience, and ability."
                                                -- Henry Ford

More information about the Ach mailing list