<!---
SSHSecure - a program to harden OpenSSH from defaults
Copyright (C) 2020 Brent Saner

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
--->
# SSHSecure

## Why?
Compared to something like [`rsh`](https://en.wikipedia.org/wiki/Remote_Shell), SSH (*Secure SHell*) is a vast step ahead in terms of security. Since its birth, it's seen
functionality increase by leaps and bounds.
[OpenSSH](https://www.openssh.com/), by far the most deployed SSH implementation, pays special attention to security. However, due to:

* making various compromises for ease of use
* unexpected vulnerabilities (are there ever any *expected* vulnerabilities?) such as [Logjam](https://weakdh.org/)
* those deploying SSH not being cryptographic experts
* the NSA making a concerted effort to compromise OpenSSH
* etc.

the default configuration and keys used may not be the strongest they can be (and in some cases, user configuration can be downright dangerous to security).

This software will harden your OpenSSH security as much as possible against currently known weaknesses.

## How?
This program will generate/replace:

* your hostkeys (typically `/etc/ssh/ssh_host_*_key*`)
* the client keys (`~/.ssh/id_*`) for the running user
* your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
* your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
* the `ssh` (client) configuration for the running user (`~/.ssh/config`)
* the SSH DH parameters (typically `/etc/ssh/moduli`)

with much stronger implementations than the typical/upstream defaults.

It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies
them.

Additionally, it anonymizes your key. It uses a comment string by default that provides
no identifying information other than the fact that you are using SSHSecure.

It will create backups of any file(s) it replaces and automatically roll back `sshd`
configuration changes if they do not pass the syntax check (`sshd -t`) to avoid
accidentally locking you out.

<!--
The first time you run it, it will quite possibly take a **very** long time. This is
because it's generating fresh DH parameters, which is a very time-consuming process.
Subsequent runs will not take as long, however, as checks are put in place to determine
if custom DH parameters have been generated or not yet. If it's running on a GNU/Linux
system and you have [`haveged`](http://www.issihosts.com/haveged/) installed, that will
significantly speed up the process (SSHSecure will start it automatically if it isn't
running already).
-->

## FAQ

### Why a binary?
I originally wrote this as a Python script. However, some machines don't have the Python
interpreter installed and due to the lack of low-level access, I ended up making a lot
of calls to the shell anyways.

I wrote it in Golang so the source would be easily read for auditing purposes.

### How can I contact you?
You can either [file a bug](https://bugs.square-r00t.net/index.php?do=newtask&project=15)
or email me at `bts [at] square-r00t (dot) net`.

### Is there anything from the _Secure Secure Shell_ document that you don't implement?
Yep. No TOR hidden service ("Traffic analysis resistance"). The system should be
sufficiently hardened to prevent scans from yielding anything useful except noisy
logs, and there are much better options for handling those than running SSH over TOR. It
[isn't the silver bullet you may think it is](https://restoreprivacy.com/tor/). You are,
of course, welcome to turn it up yourself but it is advisable to not run SSHSecure in an
automated fashion in this case as it may revert the changes to your `sshd_config`. It'll
try not to, but it may.