SSH Protocol version 1 is insecure and must not be used anymore. Restrict SSH client configuration to ensure only version 2 is used.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/ssh/ssh_config | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 2abfae6d1..b36909f85 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -5,6 +5,9 @@ Host * # disable Roaming as it is known to be vulnerable UseRoaming no
+ # only use version 2 of SSH protocol + Protocol 2 + # only use secure crypto algorithm KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
By default, entries in ~/.ssh/known_hosts disclosure on which servers a user as access to, allowing detailled attack against these servers. Depending on the affected infrastructure, this might be a privacy problem, too.
Force SSH to hash new entries in known_hosts (existing ones will not be converted) to avoid permission disclosure.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/ssh/ssh_config | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index b36909f85..9f7121c76 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -33,4 +33,7 @@ Host * # ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password
+ # hash entries in ~/.ssh/known_hosts file to avoid permission disclosure + HashKnownHosts yes + # EOF
SSH clients can set a preference for server host keys. To achive best security and performance, ED25519 is preferred over ECDSA (also secure, but a bit bigger and some of them use ECC curves from non-trustworthy sources) which is preferred over RSA.
Since ED25519 keys are smaller and need less CPU time on both client and server, this also achives a better performance.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/ssh/ssh_config | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 9f7121c76..462f2f1a0 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -36,4 +36,7 @@ Host * # hash entries in ~/.ssh/known_hosts file to avoid permission disclosure HashKnownHosts yes
+ # prefer server host keys in different order (ED25519, ECDSA, RSA) + HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa + # EOF
-
Peter Müller