[Ach] Settings for OpenSSH - missing client side configuration.
Dariusz Puchalak
Dariusz at Puchalak.net
Tue Jul 15 10:02:19 CEST 2014
Hi,
I just skimmed over Applied Crypto Hardening.
Excellent guide! Thanks. :)
I have some remarks:
1. On the OpenSSH part, you missed client side
configuration.
Just as you can specify server side sshd_config
you can also specify client side ssh_config.
I think it's worth including this one too.
So we can enforce good crypto on the client side too.
And it can be a good education, because I have heard many
complaints about OpenSSH that were not true,
i.e. you cannot choose AES mode
(in putty only - but almost no one knew that they can
do it on openssh).
People take putty shortcomings as OpenSSH problems. :(
An example part of my config file
(can be /etc/ssh/ssh_config and/or ~/.ssh/config):

Host *
    StrictHostKeyChecking ask
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted no
    GatewayPorts no
    Protocol 2
    CheckHostIP yes
    Ciphers aes256-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
    ServerAliveInterval 30
    TCPKeepAlive yes
    PreferredAuthentications publickey,password
    IPQoS lowdelay throughput

It's the default that can be changed on a per-host basis by doing things like:

Host old_and_buggy
    HostName example.com
    User scorpius
    Port 80
    Ciphers aes128-cbc
    MACs hmac-sha1
2. HostKeyAlgorithms - I'm not sure about what's the
difference between ssh-rsa-cert-v01@openssh.com and
ssh-rsa-cert-v00@openssh.com .
I need to dig more into the specification and source code.
But I still think it's essential to disable DSA on server
and client too.
3. Why no ECDSA for OpenSSH?
I have read Theory part and
3.5. A note on Elliptic Curve Cryptography,
but I'm not convinced :)
A few more sentences about SSH and ECDSA would be nice,
just like about DSS.
Dariusz
--
"If money is your hope for independence you will never have it.
The only real security that a man will have in this world is a
reserve of knowledge, experience, and ability."
-- Henry Ford
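A practical caveat when layering a "Host *" block with per-host overrides as in the config above: ssh(1) keeps the first value it obtains for each keyword, so ssh_config(5) recommends placing host-specific blocks near the beginning of the file and general defaults at the end. The resolver below is an added example (not from the post or the Applied Crypto Hardening guide) that parses a constructed ssh_config modelled on the one above, applies first-match semantics, and flags weak algorithms that end up in effect for a given host.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample modelled on the post's config: the global "Host *"
# block comes FIRST, the per-host block with weaker algorithms second.
SAMPLE_CONFIG = """
Host *
    StrictHostKeyChecking ask
    Ciphers aes256-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256
    KexAlgorithms diffie-hellman-group-exchange-sha256

Host old_and_buggy
    HostName example.com
    Port 80
    Ciphers aes128-cbc
    MACs hmac-sha1
"""

# Substrings that mark legacy algorithms a hardened client should avoid.
WEAK_TOKENS = ("-cbc", "sha1", "md5", "arcfour", "3des")

def parse_blocks(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Split ssh_config text into (host patterns, options) blocks in file order.
    Options before the first Host line are treated as global ("*")."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts[key.lower()] = value.strip()
    if opts:
        blocks.append((patterns, opts))
    return blocks

def resolve(text: str, host: str) -> Dict[str, str]:
    """Effective options for `host` under ssh(1) semantics: the FIRST value
    obtained for a keyword wins, so earlier matching blocks shadow later ones."""
    effective: Dict[str, str] = {}
    for patterns, opts in parse_blocks(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for k, v in opts.items():
                effective.setdefault(k, v)  # keep the first obtained value
    return effective

def weak_algorithms(effective: Dict[str, str]) -> List[str]:
    """Algorithm names in the effective Ciphers/MACs/KexAlgorithms that look weak."""
    return [alg for key in ("ciphers", "macs", "kexalgorithms")
            for alg in effective.get(key, "").split(",")
            if alg and any(t in alg for t in WEAK_TOKENS)]
```

With the sample as written, the per-host aes128-cbc/hmac-sha1 lines never take effect because "Host *" already supplied those keywords; moving the "old_and_buggy" block above "Host *" makes them active, which the weak-algorithm check then reports.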