SSHSecure/README.md

<!---
    SSHSecure - a program to harden OpenSSH from defaults
    Copyright (C) 2020  Brent Saner

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
--->
# SSHSecure

## Why?
Compared to something like [`rsh`](https://en.wikipedia.org/wiki/Remote_Shell), SSH (*Secure SHell*) is a vast step ahead in terms of security. Since its birth, it's seen
 functionality increase by leaps and bounds.
 [OpenSSH](https://www.openssh.com/), by far the most deployed SSH implementation, pays special attention to security. However, due to:
 
 * making various compromises for ease of use 
 * unexpected vulnerabilities (are there ever any *expected* vulnerabilities?) such as [Logjam](https://weakdh.org/)
 * those deploying SSH not being cryptographic experts
 * the NSA making a concerted effort to compromise OpenSSH
 * etc.

the default configuration and keys used may not be the strongest they can be (and in some cases, user configuration can be downright dangerous to security).

This software will harden your OpenSSH security as much as possible to currently known weaknesses.

## How?
This program will generate/modify and replace:

 * Your hostkeys (typically `/etc/ssh/ssh_host_*_key*`)
 * The client keys (`~/.ssh/id_*`) for the running user
 * Your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
 * Your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
 * The `ssh` (client) configuration for the running user (`~/.ssh/config`)
 * The SSH DH parameters (typically `/etc/ssh/moduli`)

with much stronger implementations from typical/upstream defaults.

Any and all pre-existing files are backed up before being replaced.

It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies
 them.
 
Additionally, it anonymizes your key. It uses a comment string by default that provides 
no identifying information other than the fact that you are using SSHSecure.
 
It will create backups of any file(s) it replaces and automatically rolls back `sshd` 
configuration changes if it does not pass the syntax check (`sshd -t`) to avoid 
accidentally locking you out.

<!--
The first time you run it, it will quite possibly take a **very** long time. This is 
because it's generating fresh DH parameters, which is a very time-consuming process. 
Subsequent runs will not take as long, however, as checks are put in place to determine
if custom DH parameters have been generated or not yet. If it's running on a GNU/Linux 
system and you have [`haveged`](http://www.issihosts.com/haveged/) installed, that will 
significantly speed up the process (SSHSecure will start it automatically if it isn't
running already).
-->

## FAQ

### Why a binary?
I originally wrote this as a Python script. However, some machines don't have the Python 
interpreter installed and due to the lack of low-level access, I ended up making a lot 
of calls to the shell anyways.
 
I wrote it in Golang because:

* The source would be easily read for auditing purposes
* Golang is, admittedly, incredibly faster at some tasks than Python
* Multiprocessing/multithreading is *incredibly* more simple in Golang than Python
* Building widely-deployable binaries is easier in Golang than C or C++

As much as I like Python, Golang should offer significant improvements.

### How can I contact you?
You can either [file a bug](https://bugs.square-r00t.net/index.php?do=newtask&project=15) 
or email me at `bts [at] square-r00t (dot) net`.

### Is there anything from the _Secure Secure Shell_ document that you don't implement?
Yep. No TOR hidden service ("Traffic analysis resistance"). The system should be 
sufficiently hardened to prevent you from scans yielding anything useful except noisy 
logs, and there's much better options for handling those than running SSH over TOR. It 
[isn't the silver bullet you may think it is](https://restoreprivacy.com/tor/). You are, 
of course, welcome to turn it up yourself but it is advisable to not run SSHSecure in an 
automated fashion in this case as it may revert the changes your `sshd_config`. It'll 
try not to, but it may.
adding GPL 2020-09-18 18:01:16 -04:00			`<!---`
			`SSHSecure - a program to harden OpenSSH from defaults`
			`Copyright (C) 2020 Brent Saner`

			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU General Public License for more details.`

			`You should have received a copy of the GNU General Public License`
			`along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`--->`
			`# SSHSecure`

			`## Why?`
			Compared to something like [`rsh`](https://en.wikipedia.org/wiki/Remote_Shell), SSH (Secure SHell) is a vast step ahead in terms of security. Since its birth, it's seen
starting moduli.c port from OpenSSH 2021-05-04 03:39:43 -04:00			`functionality increase by leaps and bounds.`
			`[OpenSSH](https://www.openssh.com/), by far the most deployed SSH implementation, pays special attention to security. However, due to:`
adding GPL 2020-09-18 18:01:16 -04:00
			`* making various compromises for ease of use`
			`* unexpected vulnerabilities (are there ever any expected vulnerabilities?) such as [Logjam](https://weakdh.org/)`
			`* those deploying SSH not being cryptographic experts`
			`* the NSA making a concerted effort to compromise OpenSSH`
			`* etc.`

			`the default configuration and keys used may not be the strongest they can be (and in some cases, user configuration can be downright dangerous to security).`

			`This software will harden your OpenSSH security as much as possible to currently known weaknesses.`

			`## How?`
need to finish dh stuff still. 2021-07-03 03:58:06 -04:00			`This program will generate/modify and replace:`
adding GPL 2020-09-18 18:01:16 -04:00
need to finish dh stuff still. 2021-07-03 03:58:06 -04:00			* Your hostkeys (typically `/etc/ssh/ssh_host__key`)
			* The client keys (`~/.ssh/id_*`) for the running user
			* Your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
			* Your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
			* The `ssh` (client) configuration for the running user (`~/.ssh/config`)
			* The SSH DH parameters (typically `/etc/ssh/moduli`)
adding GPL 2020-09-18 18:01:16 -04:00
			`with much stronger implementations from typical/upstream defaults.`

need to finish dh stuff still. 2021-07-03 03:58:06 -04:00			`Any and all pre-existing files are backed up before being replaced.`

adding GPL 2020-09-18 18:01:16 -04:00			`It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies`
			`them.`

updating refs, finished key gen buffer 2020-09-21 01:43:22 -04:00			`Additionally, it anonymizes your key. It uses a comment string by default that provides`
			`no identifying information other than the fact that you are using SSHSecure.`

adding GPL 2020-09-18 18:01:16 -04:00			It will create backups of any file(s) it replaces and automatically rolls back `sshd`
			configuration changes if it does not pass the syntax check (`sshd -t`) to avoid
			`accidentally locking you out.`
all the directives are copied in with their types. working on validators now. 2020-09-27 03:23:58 -04:00
			`<!--`
adding GPL 2020-09-18 18:01:16 -04:00			`The first time you run it, it will quite possibly take a very long time. This is`
			`because it's generating fresh DH parameters, which is a very time-consuming process.`
			`Subsequent runs will not take as long, however, as checks are put in place to determine`
			`if custom DH parameters have been generated or not yet. If it's running on a GNU/Linux`
			system and you have [`haveged`](http://www.issihosts.com/haveged/) installed, that will
			`significantly speed up the process (SSHSecure will start it automatically if it isn't`
			`running already).`
all the directives are copied in with their types. working on validators now. 2020-09-27 03:23:58 -04:00			`-->`
adding GPL 2020-09-18 18:01:16 -04:00
			`## FAQ`

			`### Why a binary?`
need to finish dh stuff still. 2021-07-03 03:58:06 -04:00			`I originally wrote this as a Python script. However, some machines don't have the Python`
updating refs, finished key gen buffer 2020-09-21 01:43:22 -04:00			`interpreter installed and due to the lack of low-level access, I ended up making a lot`
			`of calls to the shell anyways.`
adding GPL 2020-09-18 18:01:16 -04:00
need to finish dh stuff still. 2021-07-03 03:58:06 -04:00			`I wrote it in Golang because:`

			`* The source would be easily read for auditing purposes`
			`* Golang is, admittedly, incredibly faster at some tasks than Python`
			`* Multiprocessing/multithreading is incredibly more simple in Golang than Python`
			`* Building widely-deployable binaries is easier in Golang than C or C++`

			`As much as I like Python, Golang should offer significant improvements.`
updating refs, finished key gen buffer 2020-09-21 01:43:22 -04:00
			`### How can I contact you?`
			`You can either [file a bug](https://bugs.square-r00t.net/index.php?do=newtask&project=15)`
			or email me at `bts [at] square-r00t (dot) net`.

			`### Is there anything from the _Secure Secure Shell_ document that you don't implement?`
			`Yep. No TOR hidden service ("Traffic analysis resistance"). The system should be`
			`sufficiently hardened to prevent you from scans yielding anything useful except noisy`
			`logs, and there's much better options for handling those than running SSH over TOR. It`
			`[isn't the silver bullet you may think it is](https://restoreprivacy.com/tor/). You are,`
			`of course, welcome to turn it up yourself but it is advisable to not run SSHSecure in an`
			automated fashion in this case as it may revert the changes your `sshd_config`. It'll
starting moduli.c port from OpenSSH 2021-05-04 03:39:43 -04:00			`try not to, but it may.`