home June 07, 2018

OpenSSH


Secure OpenSSH Config Reference

OpenSSH is a set of utilities to allow you to connect to a remote machine through an encrypted tunnel. You can use it as a terminal connection or to tunnel any data through a VPN interface. OpenSSH is a FREE version of the SSH suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.OpenSSH FAQ

Most operating systems come with one version or another of OpenSSH. You may want to make sure you have the latest version on your machine. Check the OpenSSH site for the latest source code. You can also look to the package maintainers of your OS revision to see if they make a premade package for you to install. The directives and options listing in the following config files apply to the latest official OpenSSH release.

SECURITY NOTE: Notice that we have specified the "Ciphers" for the client and server config files. It is important to only use the Advanced Encryption Standard (AES) encryption with stateful-decryption counter (CTR) only. AES with CBC is vulnerable to the Plaintext Recovery Attack Against SSH. AES is the strongest encryption available in openssl and all others are too weak to trust. We are also specifying the "MACs" or Hash-based Message Authentication Code to use. Again, we want the strongest security model available.

Client side ssh config options (/etc/ssh/ssh_config)

This config is for the client side options. You can specify directives here and the client will negotiate them with the server. Only if the server allows them will they will take effect.

#######################################################
###  moneyslow.com  CLIENT  /etc/ssh/ssh_config
#######################################################
Host *
 AddressFamily inet
 CheckHostIP yes
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
 Compression no
 ConnectionAttempts 1
 ConnectTimeout 10
 ControlMaster auto
 ControlPath ~/.ssh/master-%r@%h:%p
 EscapeChar ~
 ForwardAgent no
 ForwardX11 no
 ForwardX11Trusted no
 HashKnownHosts yes
 IdentityFile ~/.ssh/identity
 IdentityFile ~/.ssh/id_rsa
 IdentityFile ~/.ssh/id_dsa
 IdentityFile ~/.ssh/id_ecdsa
 IdentitiesOnly yes
 MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
 PermitLocalCommand no
 Port 22
 Protocol 2
 RekeyLimit 1G
 ServerAliveInterval 15
 ServerAliveCountMax 3
 StrictHostKeyChecking ask
 TCPKeepAlive no
 Tunnel no
 TunnelDevice any:any
 VisualHostKey no
#######################################################
###  moneyslow.com  CLIENT  /etc/ssh/ssh_config
#######################################################

Need help setting up a chrooted sftp server? Check out our Chroot'd SFTP server "how to".

Server side sshd config options (/etc/ssh/sshd_config)

These directives are for sshd. Permissions should be "chmod 755". We want to restrict access with the following options to better protect the server.

#######################################################
###  moneyslow.com  SERVER  /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1

#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh 

AllowUsers calomel@10.10.10.3 calomel@192.168.*
AllowGroups calomel

AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (need to be be commented for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes

#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
#
#######################################################
###  moneyslow.com  SERVER  /etc/ssh/sshd_config
#######################################################

For more information about OpenBSD's Pf firewall and HFSC quality of service options check out our PF Config (pf.conf) and PF quality of service HFSC "how to's".

Questions?

Do you have a multi authentication script for OpenSSH ?

Yes we do. Please take a look at our OpenSSH GateKeeper (ssh_gatekeeper.sh) script. You can add a layer of authentication on top of what OpenSSH already provides to drastically increase security.

Do you have any distributed scp and ssh shell scripts ?

Indeed. Take a look at our OpenSSH Distributed SSH shell script. The scripts will allow you to easily automate ssh commands to many ssh machines.

Using OpenSSL to encrypt and decrypt files

Instead of using a special program to encrypt and decrypt files, like password or financial data, you can just use OpenSSL. You can pass any file into OpenSSL and using a password as a key you can encrypt it. The best part is that any OS, be it Linux OpenBSD, NetBSD, MacOSX or even windows and use this method as long as OpenSSL is installed. For example, we have some random file called "calomel". Use the following commands to encrypt and then decrypt this file.

to encrypt (-e):
 openssl aes-256-cbc -a -e -salt -in calomel -out calomel.aes

to decrypt (-d):
 openssl aes-256-cbc -a -d -salt -in calomel.aes -out calomel