hardening ssh (debian wheezy)

Thu, 21. May 2015

Categories: en sysadmin Tags: Debian LogJam security SSH Wheezy

LogJam requires some action. (The referenced article is in German.)

Update (open-)ssh to a recent version (6.6)

$ echo "deb http://ftp.de.debian.org/debian wheezy-backports main" | sudo tee -a /etc/apt/sources.list
$ sudo apt-get -u update
$ sudo apt-get install -t wheezy-backports ssh
$ sudo apt-get autoremove

Harden crypto

$ sudo tee -a /etc/ssh/sshd_config <<EOF_SSH_CFG

# https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

EOF_SSH_CFG
$ sudo /etc/init.d/ssh restart

Keys

Replace the host keys. In /etc/ssh/sshd_config:

Protocol 2
# https://stribika.github.io/2015/01/04/secure-secure-shell.html#server-authentication
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

and then regenerate the keys:

$ cd /etc/ssh
$ sudo rm ssh_host_*key*
$ sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
$ sudo ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null
$ sudo /etc/init.d/ssh restart
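The following audit script is an added example, not part of the original post: it parses the global section of an sshd_config and reports anything that deviates from the KexAlgorithms/Ciphers/MACs lists appended in the "Harden crypto" step and from the two HostKey lines in the "Keys" step. It also encodes a detail that matters when appending with `tee -a`: sshd honours the first occurrence of a directive and ignores later ones (HostKey being the exception, where every line is loaded), so a pre-existing KexAlgorithms line higher up in the file would silently win over the appended one. The stock wheezy sshd_config carries no such lines, so the append works there, but the check makes the assumption explicit. The sample configs are constructed to resemble a wheezy default and the post-hardening result; `audit()` returning an empty list means the config matches the post.

```python
"""Audit an sshd_config against the hardened settings from the post above.

Added example (not the post's own code). Sample configs below are constructed.
"""
import re

# The lists exactly as appended to sshd_config in the "Harden crypto" step.
HARDENED = {
    "kexalgorithms": "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256",
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
               "aes256-ctr,aes192-ctr,aes128-ctr",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,"
            "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com",
}
# The only host keys the "Keys" step leaves in place.
EXPECTED_HOSTKEYS = ["/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_rsa_key"]


def parse_sshd_config(text):
    """Return ({directive: value}, [hostkey paths]) for the global section.

    sshd keeps the FIRST occurrence of a directive, so later duplicates
    (such as lines appended with `tee -a`) are ignored; HostKey accumulates.
    Parsing stops at the first `Match` block, whose directives are conditional.
    """
    single, hostkeys = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "hostkey":
            hostkeys.append(value)
        elif key not in single:
            single[key] = value
    return single, hostkeys


def audit(text):
    """Return a list of human-readable findings; empty means fully hardened."""
    single, hostkeys = parse_sshd_config(text)
    findings = []
    for directive, wanted in HARDENED.items():
        actual = single.get(directive)
        if actual is None:
            findings.append(f"{directive}: not set, sshd uses its built-in default list")
            continue
        # Anything the effective line allows beyond the hardened list is reported.
        extra = [a for a in actual.split(",") if a not in wanted.split(",")]
        if extra:
            findings.append(f"{directive}: allows {','.join(extra)} (not in hardened list)")
    if single.get("protocol", "2") != "2":
        findings.append("protocol: SSHv1 still enabled")
    for path in EXPECTED_HOSTKEYS:
        if path not in hostkeys:
            findings.append(f"hostkey: {path} missing")
    unexpected = [h for h in hostkeys if h not in EXPECTED_HOSTKEYS]
    if unexpected:
        findings.append(f"hostkey: {','.join(unexpected)} still configured")
    return findings


# Constructed sample resembling a stock wheezy sshd_config (no Kex/Cipher/MAC lines).
BEFORE_CFG = """\
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
"""

# Constructed sample after both steps of the post were applied.
AFTER_CFG = """\
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes

# https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
"""

# Constructed sample where an earlier, weaker KexAlgorithms line shadows the appended one.
SHADOWED_CFG = AFTER_CFG.replace(
    "Port 22\n", "Port 22\nKexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org\n", 1)

if __name__ == "__main__":
    for name, cfg in [("before", BEFORE_CFG), ("after", AFTER_CFG), ("shadowed", SHADOWED_CFG)]:
        print(name, audit(cfg) or "OK")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`. The `SHADOWED_CFG` case is the one worth remembering: the appended hardened line is present, yet the audit still reports `diffie-hellman-group1-sha1`, because that is the line sshd actually uses.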

Resources