SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
--->
# SSHSecure
## Why?
Compared to something like [`rsh`](https://en.wikipedia.org/wiki/Remote_Shell), SSH (*Secure SHell*) is a vast step ahead in terms of security. Since its birth, it's seen
* unexpected vulnerabilities (are there ever any *expected* vulnerabilities?) such as [Logjam](https://weakdh.org/)
* those deploying SSH not being cryptographic experts
* the NSA making a concerted effort to compromise OpenSSH
* etc.
the default configuration and keys used may not be the strongest they can be (and in some cases, user configuration can be downright dangerous to security).
This software will harden your OpenSSH security as much as possible to currently known weaknesses.
## How?
This program will generate/replace:
* your hostkeys (typically `/etc/ssh/ssh_host_*_key*`)
* the client keys (`~/.ssh/id_*`) for the running user
* your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
* your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
* the `ssh` (client) configuration for the running user (`~/.ssh/config`)
* the SSH DH parameters (typically `/etc/ssh/moduli`)
with much stronger implementations from typical/upstream defaults.
It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies