Security/Guidelines/OpenSSH: Difference between revisions

Security/Guidelines/OpenSSH (view source)

Revision as of 16:32, 19 January 2015

1,258 bytes added , 19 January 2015

Move configuration information into comments directly, more readable, easier to copy/paste, easier to edit, win/win/win

Gdestuynder

Confirmed users

502

edits

@@ Line 40: / Line 40: @@
 Different versions of OpenSSH support different options which are not always compatible.
 This guide show settings for the most commonly deployed OpenSSH versions at Mozilla - however, using the latest version of OpenSSH is recommended.
+=== Notes on ciphers and algorithms choice ===
+While recommended by [[Security/Server_Side_TLS]], AES-GCM is not selected by default due to the way it's [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html implemented in OpenSSH] - it allows an attacker to see the packet length.
+When CHACHA20 is not available - and since AES-GCM is [http://2013.diac.cr.yp.to/slides/gueron.pdf much faster] than AES-CTR it can still be considered for servers performing many SCP operations for example. An optional configuration item (commented-out by default) is provided in this case.
+NIST curves (<code>ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256</code>) are listed for compatibility, but the use of <code>curve25519</code> is [http://safecurves.cr.yp.to/ generally preferred].
+Finally, SSH protocol 2 supports [https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange DH] and [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman ECDH] key-exchange as well as [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy].
 The various algorithms supported by a particular OpenSSH version can be listed with the following commands:
@@ Line 50: / Line 59: @@
 $ ssh -Q key
 </source>
-=== Ciphers and algorithms choice ===
-While recommended by [[Security/Server_Side_TLS]], AES-GCM is not selected by default due to the way it's [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html implemented in OpenSSH] - it allows an attacker to see the packet length.
-AES-GCM is however [http://2013.diac.cr.yp.to/slides/gueron.pdf much faster] than AES-CTR and can still be considered for servers performing many SCP operations for example.
-NIST curves (<code>ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256</code>) are listed for compatibility, but the use of <code>curve25519</code> is [http://safecurves.cr.yp.to/ generally preferred].
-Note that SSH protocol 2 supports [https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange DH] and [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman ECDH] key-exchange as well as [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy].
-=== Miscellaneous settings ===
-* The verbose log level logs user's fingerprints on login. This is necessary in order to have a clear audit track of which key was using to log in.
-* Key regeneration internal is halved from the default. This is a precaution and is optional. 1800 seconds is 30minutes.
-* Password based logins are disabled - only public key based logins are enabled.
-* Root login is not allowed. This is because it's difficult to track which process belongs to which root user. On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH. Additionally, only tools such as auditd record the process session id. Using regular users in combination with <code>/bin/su</code> or <code>/usr/bin/sudo</code> ensure a clear audit track.
 == OpenSSH 6.7+ (Most recent) ==
@@ Line 70: / Line 64: @@
 <source>
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
@@ Line 75: / Line 70: @@
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 # If SCP performance is required and clients do not support CHACHA30, consider using AES-GCM instead. This is a security trade-off.
-#Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+#Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+# KeyRegenerationInternal is halved from the default as a precaution (optional). 1800 seconds is 30 minutes.
 KeyRegenerationInterval 1800
+# Password based logins are disabled - only public key based logins are allowed.
 AuthenticationMethods publickey
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
 LogLevel VERBOSE
+# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
+#
+# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
+# Additionally, only tools such as auditd record the process session id.
+# On other OSes, the user session id is not necessarily recorded at all kernel-side.
+# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
 PermitRootLogin No
 </source>
@@ Line 98: / Line 107: @@
 File: <code>/etc/ssh/sshd_config</code>
 <source>
-#Allow keyboard-interactive, note that you will have to ensure OpenSSH cannot authenticate with passwords with PAM.
+# Allow keyboard-interactive.
+# IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
+# "PasswordAuthentication no" is not sufficient!
 RequiredAuthentications2 publickey,keyboard-interactive:skey
 PasswordAuthentication no
 ChallengeResponseAuthentication yes
+# Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
 UseLogin no
 </source>
@@ Line 111: / Line 123: @@
 #%PAM-1.0
 auth       required     pam_sepermit.so
-#WARNING: make sure any password authentication module is disabled. Example: pam_unix.so, or "password-auth", "system-auth", etc.
+# WARNING: make sure any password authentication module is disabled.
+# Example: pam_unix.so, or "password-auth", "system-auth", etc.
 #auth       include      password-auth
-#When using OATH toolkit
+# Options to enable when using OATH toolkit
-auth       requisite     pam_oath.so usersfile=/etc/users.oath digits=6 window=20
+#auth       requisite     pam_oath.so usersfile=/etc/users.oath digits=6 window=20
+# Options to enable when using DuoSecurity
+#auth    sufficient      /lib64/security/pam_duo.so
-#When using DuoSecurity
-auth    sufficient      /lib64/security/pam_duo.so
 account    required     pam_nologin.so
 </source>
@@ Line 126: / Line 141: @@
 <source>
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 KexAlgorithms diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512,hmac-sha2-256
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512,hmac-sha2-256
+# KeyRegenerationInternal is halved from the default as a precaution (optional). 1800 seconds is 30 minutes.
 KeyRegenerationInterval 1800
-# Note, RequiredAuthentications2 not work on official OpenSSH 5.3 portable
+# Password based logins are disabled - only public key based logins are allowed.
+RequiredAuthentications2 publickey
+# RequiredAuthentications2 not work on official OpenSSH 5.3 portable.
 # In this is your case, use this instead:
-# PubkeyAuthentication yes
+#PubkeyAuthentication yes
-# PasswordAuthentication no
+#PasswordAuthentication no
-RequiredAuthentications2 publickey
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
 LogLevel VERBOSE
+# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
+#
+# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
+# Additionally, only tools such as auditd record the process session id.
+# On other OSes, the user session id is not necessarily recorded at all kernel-side.
+# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
 PermitRootLogin No
 </source>
@@ Line 151: / Line 180: @@
 # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
 HashKnownHosts yes
-# Host keys the client accepts - note that this is ordered
+# Host keys the client accepts - order here is honored by OpenSSH
 HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
 </source>
@@ Line 163: / Line 192: @@
 # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to.
 HashKnownHosts yes
-# Host keys the client accepts - note that this is ordered
+# Host keys the client accepts - order here is honored by OpenSSH
 HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
@@ Line 169: / Line 198: @@
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 # If you use SCP a lot, you might also consider using AES-GCM for servers not supporting CHACHA20. There is a security trade-off.
-#Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 </source>
 = OpenSSH client keys handling =
 == Generation ==
-Note that ED25519 keys are favored over RSA keys when backward compatibility is not required.
-RSA keys are favored over ECDSA keys when backward compatibility is required, thus, newly generated keys are either ED25519 or RSA (''NOT'' ECDSA or DSA).
 Large key sizes are used as SSH keys are not renewed very often (see also [[Security/Key_Management]]).
 <source code="bash">
+# ED25519 keys are favored over RSA keys when backward compatibility is not required.
+# This is only compatible with OpenSSH 5.7+ and fixed-size (256 bytes).
+$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"
+# RSA keys are favored over ECDSA keys when backward compatibility is required, thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
 $ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"
-# ED25519 keys are only compatible with OpenSSH 5.7+ and fixed-size (256 bytes)
-$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"
 </source>