OpenSSH Security

The configuration of SSL protocols and ciphers on web servers has been the done thing for some time now. It is often overlooked that other services can also be configured in this way, even though a large number services offer this option. A good example of this is the SSH server OpenSSH.

SSH is a widely used protocol and most servers, for example, also still offer DSA host keys, which, however, have not been considered to be safe for quite some time. This article is intended to demonstrate how the configuration of OpenSSH server and client can be improved. The cipher suite and other parameters are also adjusted. Afterwards, the cipher suite may have to be specifically adjusted when connecting to an older server, which does not support any of the ciphers in the cipher suite. In the cipher suite, all NIST curves are purposely deactivated and Elliptical curves by Daniel J. Bernstein are activated. A current list of all possible ciphers and algorithms is available in the man page of ssh_config or can be retrieved using the ssh -Q <cipher|key|kex|mac> command.

OpenSSH Server

In addition to RSA, current distributions (tested with CentOS 7 and Debian Jessie) also support Ed25519 keys. If Ed25519 keys are not yet supported, the corresponding line should simply be deleted. The DSA host keys should always be deactivated, as they are considered unsafe.

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

If already supported, the following parameters can also be set:

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
FingerprintHash sha256
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa

Not all of the above-mentioned parameters and arguments are already available in OpenSSH 6.6. The corresponding options, depending on the version, simply have to be removed accordingly.

OpenSSH Client

Current clients (CentOS 7 and Debian Jessie) should understand the following configuration. As clients are also frequently used to access older servers (or special devices such as network hardware), certain options such as Ciphers, KexAlgorithms or MACs may also need to be adapted.

Host *
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
FingerprintHash sha256
HostbasedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa

Depending on the version installed, not all of the above-mentioned parameters and arguments are functional. The above-listed configuration was created with OpenSSH 7.4p1.

If a connection is made to an older SSH server which does not support the options, the output looks approximately as follows:

Unable to negotiate with SERVER port 22: no matching MAC found. Their offer: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

This can, for example, be resolved by calling up ssh with the option -o MACs=hmac-sha1 or by specifying the corresponding parameters for this sever in the configuration.

Tests

A tool called ssh-audit is available to test SSH servers. All the above-mentioned SSH server parameters were verified with this tool and partially expanded. An output can look similar to the following:

# general
(gen) banner: SSH-2.0-OpenSSH_7.4
(gen) software: OpenSSH 7.4
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73

# host-key algorithms
(key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9.
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2

# algorithm recommendations (for OpenSSH 7.4)
(rec) +aes128-ctr -- enc algorithm to append
(rec) +aes192-ctr -- enc algorithm to append
(rec) +aes128-gcm@openssh.com -- enc algorithm to append
(rec) +umac-128-etm@openssh.com -- mac algorithm to append

The last section, which provides additional recommendations, is particularly relevant here.