From Free Software

SSH-Hardening, 2015-01-10, based on (with a stripped-down list of Ciphers and MACs)


On Debian Testing (= Jessie) and Ubuntu 14.04 (= Trusty) you don't have to do anything.

On Debian Stable (= Wheezy):

 echo "deb wheezy-backports main" >> /etc/apt/sources.list
 apt-get update
 apt-get -t wheezy-backports install openssh-server

On Ubuntu 12.04 (= Precise): Too lazy and/or incompetent for backports.

Server configuration


Remove all HostKey directives in /etc/ssh/sshd_config, then append at the bottom:

# SSH hardening, see

# Disable SSHv1
Protocol 2

# Only allow Public Key Authentication
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Only allow users in the "users" group (no system users!).
# NOTE: See /etc/adduser.conf (EXTRA_GROUPS and ADD_EXTRA_GROUPS) to 
# automatically add new non-system users to a group.
AllowGroups users
# Don't forget to remove HostKey directives above
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

... and execute:

 cd /etc/ssh/
 rm ssh_host_*
 ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
 ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""

Restart the server:

 /etc/init.d/ssh restart

The restart does not affect the current session, so keep it open in case you've done something wrong.
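Added check, not part of the wiki page: a small POSIX sh script that audits a copy of sshd_config for the directives above. The point it makes explicit is the rule from sshd_config(5) that for each keyword the first value read is the one used, so a directive appended at the bottom is silently overridden by an earlier uncommented one (for example a leftover "PasswordAuthentication yes"); HostKey is the exception, every HostKey line is loaded, which is why the page says to remove the old ones. The sample config is constructed for the example; Match blocks are ignored (a simplification).

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit an sshd_config for the
# hardening directives. sshd_config(5): for each keyword the FIRST value read
# is used, so an appended directive loses against an earlier uncommented one.
# HostKey is the exception: every HostKey line is loaded.
# Match blocks are ignored here (simplification).

# Effective (first) value of keyword $2 in config file $1, keyword case-insensitive.
effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == kw { print $2; exit }   # first occurrence wins
    ' "$1"
}

# All HostKey paths in file $1 (every one is loaded, not just the first).
hostkeys() {
    awk '!/^[ \t]*#/ && tolower($1) == "hostkey" { print $2 }' "$1"
}

# Compare the effective value of $2 with $3; prints OK/FAIL, returns 1 on FAIL.
check() {
    v=$(effective "$1" "$2")
    if [ "$v" = "$3" ]; then
        echo "OK   $2 $v"
    else
        echo "FAIL $2 is '${v:-unset}', expected '$3'"
        return 1
    fi
}

# Run all checks on file $1; return value is the number of failures (0 = hardened).
audit_sshd_config() {
    f=$1; fails=0
    check "$f" Protocol 2                         || fails=$((fails + 1))
    check "$f" PubkeyAuthentication yes           || fails=$((fails + 1))
    check "$f" PasswordAuthentication no          || fails=$((fails + 1))
    check "$f" ChallengeResponseAuthentication no || fails=$((fails + 1))
    [ -n "$(effective "$f" AllowGroups)" ] \
        || { echo "FAIL AllowGroups unset"; fails=$((fails + 1)); }
    # old DSA/ECDSA host keys are still loaded even when RSA/ed25519 lines follow
    if hostkeys "$f" | grep -Eq '_(dsa|ecdsa)_key$'; then
        echo "FAIL DSA/ECDSA HostKey still present"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample: a config someone once set to allow passwords, with the
# hardening block appended at the bottom (the case the first-wins rule bites).
write_sample() {
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_ecdsa_key
ChallengeResponseAuthentication no

# SSH hardening
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups users
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

On the sample, PasswordAuthentication reports "yes" and the ECDSA HostKey is flagged, even though the hardening block at the bottom looks complete. On the server itself, `sshd -T` prints the effective configuration as the daemon sees it; this script is for checking a copy offline before the restart.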

Client configuration

On top of your ~/.ssh/config, add:

 Host *
     KexAlgorithms,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
     Ciphers,,aes256-ctr
     MACs,,,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Note that we add diffie-hellman-group-exchange-sha256 in comparison to the server config; this is for compatibility with Ubuntu 12.04 (remove it if you don't care).

If possible, you can also regenerate your own SSH keys:

 ssh-keygen -t ed25519 -o -a 100
 ssh-keygen -t rsa -b 4096 -o -a 100

WARNING: This overwrites your old keys if you're not careful. If you don't add a new key to your servers before removing the old ones, you're locked out.
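Added example, not part of the wiki page: a POSIX sh script that reports what the client will actually use for a given host. ssh_config(5) also takes the first value read for each keyword, walking Host blocks top to bottom, which is why the page puts the "Host *" stanza at the top: a per-host stanza placed above it wins for that host. The sample config is constructed, with the algorithm lists shortened to entries visible on the page; Match blocks and negated patterns are not evaluated (a simplification of this example).

```shell
#!/bin/sh
# Added example, not part of the wiki page: show the effective client
# setting for one host. ssh_config(5): the FIRST value read for a keyword
# wins, so a "Host *" stanza must come first to apply everywhere.
# Match blocks and negated Host patterns are not handled (simplification).

# Effective (first) value of keyword $2 for hostname $3 in config file $1.
effective_ssh() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v host="$3" '
        BEGIN { active = 1 }                 # lines before any Host block apply to all hosts
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "host" {              # new Host block: active if one pattern matches
            active = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == host) active = 1
            next
        }
        tolower($1) == "match" { active = 0; next }
        active && tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Succeeds if algorithm $4 is in the effective comma-separated list of keyword $2 for host $3.
has_alg() {
    effective_ssh "$1" "$2" "$3" | tr ',' '\n' | grep -qx "$4"
}

# Constructed sample: a per-host stanza that sits ABOVE the global hardening
# block, so it wins for that host. Lists are shortened to entries that appear
# on the page; use the page's full lists in a real config.
write_sample_ssh_config() {
    cat > "$1" <<'EOF'
Host legacy.example
    KexAlgorithms diffie-hellman-group14-sha1

Host *
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
    Ciphers aes256-ctr
    MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
EOF
}

# Usage: sh effective-ssh.sh ~/.ssh/config KexAlgorithms somehost
if [ -n "${3:-}" ]; then
    effective_ssh "$1" "$2" "$3"
fi
```

For legacy.example the per-host stanza wins for KexAlgorithms, while Ciphers, which that stanza does not set, still falls through to the "Host *" block. OpenSSH 6.8 and later can print the same information for a real host with `ssh -G hostname`.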