hardening ssh (debian wheezy)

Thu, 21. May 2015

Categories: en sysadmin Tags: Debian LogJam security SSH Wheezy

LogJam requires some action. (Article in German.)

Update (open-)ssh to a recent version (6.6)

$ echo "deb http://ftp.de.debian.org/debian wheezy-backports main" | sudo tee -a /etc/apt/sources.list
$ sudo apt-get -u update
$ sudo apt-get install -t wheezy-backports ssh
$ sudo apt-get autoremove

Harden crypto

$ sudo tee -a /etc/ssh/sshd_config <<EOF_SSH_CFG

# https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

EOF_SSH_CFG
$ sudo /etc/init.d/ssh restart

Keys

Replace the host keys. In /etc/ssh/sshd_config:

Protocol 2
# https://stribika.github.io/2015/01/04/secure-secure-shell.html#server-authentication
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

and then regenerate them:

$ cd /etc/ssh
$ sudo rm ssh_host_*key*
$ sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
$ sudo ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null
$ sudo /etc/init.d/ssh restart
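To check that the crypto and host-key directives from the two sections above actually took effect, here is an added audit script (not from the original post). It reads the first uncommented occurrence of each keyword, because sshd keeps the first one it sees, so a directive appended with tee -a only wins if the keyword was not already set higher up; the weak-algorithm patterns and the two sample configs at the end are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# directives set above. Needs POSIX sh, awk, grep; the weak-algorithm patterns
# and the sample configs at the end are constructed for this example.
# First uncommented value of keyword $2 in file $1. sshd keeps the FIRST
# occurrence of a keyword and lines after "Match" are conditional, so an
# appended directive only takes effect if the keyword was not set earlier.
sshd_value() {
    awk -v k="$2" '$1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# Number of comma-separated entries in $1 matching the case-insensitive ERE $2.
count_weak() { printf '%s\n' "$1" | tr ',' '\n' | grep -Eic "$2" || true; }
# audit_sshd_config FILE: one line per finding on stdout, returns their number.
audit_sshd_config() {
    f=$1; n=0
    # keyword:pattern of what the post drops (SHA-1 kex, RC4/CBC ciphers, weak MACs)
    for pair in 'KexAlgorithms:sha1$' 'Ciphers:arcfour|-cbc$|3des|blowfish' \
                'MACs:md5|-96|umac-64|hmac-sha1'; do
        key=${pair%%:*}; pat=${pair#*:}; val=$(sshd_value "$f" "$key")
        if [ -z "$val" ]; then
            echo "$key: not set, sshd falls back to its built-in list"; n=$((n+1))
        elif [ "$(count_weak "$val" "$pat")" -gt 0 ]; then
            echo "$key: weak entries in '$val'"; n=$((n+1))
        fi
    done
    # HostKey may appear several times; DSA and ECDSA keys should be gone.
    hk=$(awk '$1 ~ /^#/ { next } tolower($1) == "match" { exit }
              tolower($1) == "hostkey" { print $2 }' "$f")
    if [ -z "$hk" ]; then
        echo "HostKey: not set, sshd loads every default key file"; n=$((n+1))
    elif printf '%s\n' "$hk" | grep -q dsa; then
        echo "HostKey: DSA or ECDSA key still configured"; n=$((n+1))
    fi
    return $n
}
# count_findings FILE: the number of findings on stdout (safe under set -e).
count_findings() { audit_sshd_config "$1" | grep -c . || true; }
# Constructed samples: a Wheezy-style config and one with the post applied.
weak=$(mktemp); hard=$(mktemp); trap 'rm -f "$weak" "$hard"' EXIT
printf '%s\n' 'Protocol 2' 'HostKey /etc/ssh/ssh_host_rsa_key' \
    'HostKey /etc/ssh/ssh_host_dsa_key' 'HostKey /etc/ssh/ssh_host_ecdsa_key' >"$weak"
printf '%s\n' 'Protocol 2' 'HostKey /etc/ssh/ssh_host_ed25519_key' \
    'HostKey /etc/ssh/ssh_host_rsa_key' 'Ciphers chacha20-poly1305@openssh.com' \
    'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' \
    'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' >"$hard"
audit_sshd_config "$weak" || echo "before: $? findings"   # 4 findings
audit_sshd_config "$hard" && echo "after: clean"          # 0 findings
```

Run it against the real file with audit_sshd_config /etc/ssh/sshd_config; a clean result still only checks the file, so the running daemon must have been restarted as shown above.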

Resources