|
@@ -0,0 +1,158 @@
|
|
1
|
+---
|
|
2
|
+date: 2016-10-18
|
|
3
|
+thumbnail: /res/images/ssh/openssh.thumb.png
|
|
4
|
+title: Shoring up SSHd configuration
|
|
5
|
+strapline: Down with weak algorithms!
|
|
6
|
+url: /2016/10/18/shoring-up-sshd/
|
|
7
|
+---
|
|
8
|
+<div class="image right">
|
|
9
|
+ <img src="/res/images/ssh/openssh.png" alt="OpenSSH logo">
|
|
10
|
+</div>
|
|
11
|
+
|
|
12
|
+I recently came across a useful tool on GitHub called
|
|
13
|
+[ssh-audit](https://github.com/arthepsy/ssh-audit). It's a small Python script
|
|
14
|
+that connects to an SSH server, gathers a bunch of information, and then
|
|
15
|
+highlights any problems it has detected. The problems it reports range from
|
|
16
|
+potentially weak algorithms right up to know remote code execution
|
|
17
|
+vulnerabilities.
|
|
18
|
+
|
|
19
|
+<!--more-->
|
|
20
|
+
|
|
21
|
+This is the kind of output you get when running ssh-audit. In this particular
|
|
22
|
+example, I'm looking at GitHub's SSH server and have filtered the output to
|
|
23
|
+just warnings and failures:
|
|
24
|
+
|
|
25
|
+<img src="/res/images/ssh/ssh-audit-github.png" alt="ssh-audit output">
|
|
26
|
+
|
|
27
|
+GitHub's a bit of a special case, as they're trying to cope with scores of
|
|
28
|
+developers pushing code: they can't disable weaker algorithms without also
|
|
29
|
+stopping lots of people being able to use their service. Still, from the
|
|
30
|
+output you can see that ssh-audit has spotted a known vulnerability
|
|
31
|
+([CVE-2016-076](http://cve.circl.lu/cve/CVE-2016-0739)) and has a lot to
|
|
32
|
+say about the various types of supported algorithms.
|
|
33
|
+
|
|
34
|
+### Background: crypto algorithms used by SSH
|
|
35
|
+
|
|
36
|
+Establishing an SSH connection is a moderately complex endeavour, and various
|
|
37
|
+parts involve the use of a number of different cryptographic algorithms:
|
|
38
|
+
|
|
39
|
+The first such algorithm is the *key exchange algorithm*. This is the process
|
|
40
|
+by which the client and the server [agree on a shared key](https://en.wikipedia.org/wiki/Key-agreement_protocol)
|
|
41
|
+that will be used later. Next comes the *host-key algorithm*;
|
|
42
|
+this is how the server proves its identity to the client. Most SSH users
|
|
43
|
+will be familiar with warnings like the following:
|
|
44
|
+
|
|
45
|
+{{< highlight text >}}
|
|
46
|
+$ ssh server.example.com
|
|
47
|
+The authenticity of host 'server.example.com (11.22.33.444)' can't be established.
|
|
48
|
+ED25519 key fingerprint is SHA256:rPVMho1fhEkJqvgce/8iAl353dX5QkGT9F3uCFndsa.
|
|
49
|
+Are you sure you want to continue connecting (yes/no)?
|
|
50
|
+{{< / highlight >}}
|
|
51
|
+
|
|
52
|
+The warning means that the SSH client doesn't recognise the server's key, and
|
|
53
|
+is asking the user to confirm it. If the key changes later, the SSH client
|
|
54
|
+will refuse to connect. In the warning above you can see the algorithm used
|
|
55
|
+by the server was `ED25519`.
|
|
56
|
+
|
|
57
|
+Next up is the *encryption algorithm*, which handles actually encrypting the
|
|
58
|
+data sent over the connection. Finally comes the *message authentication code
|
|
59
|
+algorithm*, commonly referred to as 'mac'. The mac algorithm is effectively
|
|
60
|
+responsible for signing each message as a proof that it came from the other
|
|
61
|
+party.
|
|
62
|
+
|
|
63
|
+### Following the recommendations
|
|
64
|
+
|
|
65
|
+ssh-audit's recommendations are pretty easy to follow. It points and shouts
|
|
66
|
+at a particular algorithm, and you configure SSHd to not allow it. This is
|
|
67
|
+a snippet from my new SSHd config, which gets no complaints from ssh-audit:
|
|
68
|
+
|
|
69
|
+{{< highlight text >}}
|
|
70
|
+HostKey /etc/ssh/ssh_host_rsa_key
|
|
71
|
+HostKey /etc/ssh/ssh_host_ed25519_key
|
|
72
|
+
|
|
73
|
+KexAlgorithms curve25519-sha256@libssh.org
|
|
74
|
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
75
|
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
|
|
76
|
+{{< / highlight >}}
|
|
77
|
+
|
|
78
|
+What's more interesting is the reasoning behind some of the algorithms removed.
|
|
79
|
+The `ecdh-sha2-nistp` series of key exchange algorithms are subject to a
|
|
80
|
+sidechannel attack described [in a paper in 2014](https://eprint.iacr.org/2014/161.pdf).
|
|
81
|
+Some people are also concerned about the involvement of NIST, and the
|
|
82
|
+potential for backdoors. Various other key exchange algorithms
|
|
83
|
+use too small a number of bits in the key exchange (e.g.
|
|
84
|
+`diffie-hellman-group1-sha1`, which uses 1024). Others still use known-bad hash
|
|
85
|
+algorithms (e.g. `diffie-hellman-group14-sha1`, which uses an acceptable 2048
|
|
86
|
+bit modulus, but relies on SHA1 hashes). ssh-audit only treats the use of SHA1
|
|
87
|
+as a warning, but there's no compelling reason to keep it around if you're
|
|
88
|
+using remotely modern clients to connect. Similarly the host-key DSA algorithm
|
|
89
|
+uses a 1024 bit key, so should be disabled.
|
|
90
|
+
|
|
91
|
+Many of the supported encryption algorithms use basically-broken algorithms
|
|
92
|
+(`3des-cbc`, `arcfour`, for example). Some of the remaining are block ciphers
|
|
93
|
+with small block sizes, which makes them weak (e.g. `blockfish-cbc` uses a
|
|
94
|
+block size of 64 bits).
|
|
95
|
+
|
|
96
|
+Many of these concerns also apply to mac algorithms (e.g. eliminating
|
|
97
|
+`hmac-md5`, `hmac-sha1-etm@openssh.com`, etc, as they use weak hash algos).
|
|
98
|
+Of particular note, OpenSSH supports the `hmac-ripemd160` and
|
|
99
|
+`hmac-ripemd160-etm@openssh.com` algorithms. RIPEMD160 isn't that common but,
|
|
100
|
+like SHA1, is considered to be weak. One other concern with mac algorithms is
|
|
101
|
+the order in which the encryption and mac attachment are performed.
|
|
102
|
+Encrypt-then-mac is the preferred way of doing it (i.e., the message is
|
|
103
|
+encrypted, then a MAC of the ciphertext is attached). The default used in SSH
|
|
104
|
+is encrypt-and-mac, where the mac of the *plaintext* is attached after
|
|
105
|
+encryption. Attaching the plaintext mac potentially leaks information (a mac
|
|
106
|
+is designed to provide integrity, not confidentiality, after all). The
|
|
107
|
+encrypt-then-mac algorithms are indicated by the `-etm` suffix.
|
|
108
|
+
|
|
109
|
+### Other changes
|
|
110
|
+
|
|
111
|
+In addition to the ssh-audit inspired changes, I took the time to review the
|
|
112
|
+rest of my standard SSH configuration. The config touches on a few areas; I'm
|
|
113
|
+only going to highlight a couple of them:
|
|
114
|
+
|
|
115
|
+{{< highlight diff >}}
|
|
116
|
+ PubkeyAuthentication yes
|
|
117
|
+ RhostsRSAAuthentication no
|
|
118
|
+ HostbasedAuthentication no
|
|
119
|
+ ChallengeResponseAuthentication no
|
|
120
|
+ PasswordAuthentication no
|
|
121
|
+{{< / highlight >}}
|
|
122
|
+
|
|
123
|
+Here all authentication methods other than public key are disabled. A
|
|
124
|
+decent key (used in combination with good crypto algorithms!) is drastically
|
|
125
|
+harder to brute force than a very good password. It's also less prone to
|
|
126
|
+accidentally being copied into the wrong place, provided to the wrong server,
|
|
127
|
+etc.
|
|
128
|
+
|
|
129
|
+{{< highlight diff >}}
|
|
130
|
+- UsePrivilegeSeparation yes
|
|
131
|
++ UsePrivilegeSeparation sandbox
|
|
132
|
+{{< / highlight >}}
|
|
133
|
+
|
|
134
|
+Switching `UsePrivilegeSeparation` from 'yes' to 'sandbox' tells OpenSSH to
|
|
135
|
+employ kernel sandbox mechanisms on the unprivileged process. This adds another
|
|
136
|
+layer of defence in case there's a severe exploit in OpenSSH itself.
|
|
137
|
+
|
|
138
|
+### An unexpected side effect
|
|
139
|
+
|
|
140
|
+After reconfiguring OpenSSH, all of my servers stopped reporting SSH brute
|
|
141
|
+force attempts. Every day prior to the change saw hundreds of connections and,
|
|
142
|
+after rate limiting and automatic banning blocked a fair chunk, about two dozen
|
|
143
|
+unsuccessful login attempts. With the new algorithm selections in place, there
|
|
144
|
+were still hundreds of connections, but no failed login attempts at all. A
|
|
145
|
+closer look at the logs showed this:
|
|
146
|
+
|
|
147
|
+{{< highlight text >}}
|
|
148
|
+fatal: Unable to negotiate with 1.2.3.4 port 55025:
|
|
149
|
+ no matching key exchange method found. Their offer:
|
|
150
|
+ diffie-hellman-group14-sha1,
|
|
151
|
+ diffie-hellman-group-exchange-sha1,
|
|
152
|
+ diffie-hellman-group1-sha1
|
|
153
|
+{{< / highlight >}}
|
|
154
|
+
|
|
155
|
+Apparently not a single one of the clients trying to bruteforce their way in
|
|
156
|
+supported the one key exchange algorithm I now allow. I guess at some point
|
|
157
|
+they'll be updated with a modern crypto stack, but until then it's going to be
|
|
158
|
+oddly peaceful...
|