<!---
SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
--->
# SSHSecure

## Why?
Compared to something like [`rsh`](https://en.wikipedia.org/wiki/Remote_Shell), SSH (*Secure SHell*) is a vast step ahead in terms of security. Since its birth, it's seen functionality increase by leaps and bounds. [OpenSSH](https://www.openssh.com/), by far the most deployed SSH implementation, pays special attention to security. However, due to:

* making various compromises for ease of use
* unexpected vulnerabilities (are there ever any *expected* vulnerabilities?) such as [Logjam](https://weakdh.org/)
* those deploying SSH not being cryptographic experts
* the NSA making a concerted effort to compromise OpenSSH
* etc.

the default configuration and keys used may not be the strongest they can be (and in some cases, user configuration can be downright dangerous to security).

This software will harden your OpenSSH security as much as possible against currently known weaknesses.

## How?
This program will generate/replace:

* your hostkeys (typically `/etc/ssh/ssh_host_*_key*`)
* the client keys (`~/.ssh/id_*`) for the running user
* your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
* your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
* the `ssh` (client) configuration for the running user (`~/.ssh/config`)
* the SSH DH parameters (typically `/etc/ssh/moduli`)

with much stronger implementations than typical/upstream defaults.

It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies them.

It will create backups of any file(s) it replaces and automatically roll back `sshd`
configuration changes if they do not pass the syntax check (`sshd -t`), to avoid
accidentally locking you out.
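
The backup, syntax check and rollback sequence described above, sketched in Go as an added example; it is not SSHSecure's own code. `ReplaceChecked` and the `.bak` suffix are assumptions made for illustration, and the check is passed in as a function so `sshd -t` can be replaced by a stub when testing.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
)

// sshdCheck runs OpenSSH's own syntax test (`sshd -t`) on a config file.
func sshdCheck(path string) error {
	if out, err := exec.Command("sshd", "-t", "-f", path).CombinedOutput(); err != nil {
		return fmt.Errorf("sshd -t: %v: %s", err, out)
	}
	return nil
}

// ReplaceChecked (hypothetical helper) saves path to path+".bak", installs newConf,
// and restores the old bytes if check rejects it. The bool reports a rollback.
func ReplaceChecked(path string, newConf []byte, check func(string) error) (bool, error) {
	old, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	// 0600 applies only when a file is created; existing modes are kept.
	if err := os.WriteFile(path+".bak", old, 0o600); err != nil {
		return false, err
	}
	if err := os.WriteFile(path, newConf, 0o600); err != nil {
		return false, err
	}
	if cerr := check(path); cerr != nil {
		if rerr := os.WriteFile(path, old, 0o600); rerr != nil {
			return false, fmt.Errorf("check failed (%v); rollback failed: %w", cerr, rerr)
		}
		return true, cerr
	}
	return false, nil
}

func main() { // usage: prog <sshd_config> <candidate file>
	if len(os.Args) != 3 {
		os.Exit(2)
	}
	cand, err := os.ReadFile(os.Args[2])
	if err != nil {
		panic(err)
	}
	fmt.Println(ReplaceChecked(os.Args[1], cand, sshdCheck))
}
```

The running `sshd` only reads the file on start or reload, so the check and any rollback should complete before the service is reloaded.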

The first time you run it, it will quite possibly take a **very** long time. This is
because it's generating fresh DH parameters, which is a very time-consuming process.
Subsequent runs will not take as long, however, as checks are in place to determine
whether custom DH parameters have already been generated. If it's running on a GNU/Linux
system and you have [`haveged`](http://www.issihosts.com/haveged/) installed, that will
significantly speed up the process (SSHSecure will start it automatically if it isn't
running already).

## FAQ

### Why a binary?
I originally wrote this as a Python script. However, some machines don't have the Python interpreter installed, and due to the lack of low-level access, I ended up making a lot of calls to the shell anyways.

I wrote it in Golang so the source would be easily read for audit purposes.