@@ -1,18 +1,20 @@
---
date: 2016-10-18
-thumbnail: /res/images/ssh/openssh.thumb.png
title: Shoring up SSHd configuration
-strapline: Down with weak algorithms!
-url: /2016/10/18/shoring-up-sshd/
-image: /res/images/ssh/openssh.png
description: Tools and suggestions for improving the security of SSHd by disabling weak algorithms and modern config tweaks.
area: security
+url: /2016/10/18/shoring-up-sshd/
+
+resources:
+ - src: openssh.png
+ name: The OpenSSH project logo
+ params:
+ default: true
+ - src: ssh-audit-github.png
+ name: Output of ssh-audit pointing at GitHub's SSH servers
---

-<figure class="left">
- <img src="/res/images/ssh/openssh.png" alt="OpenSSH logo">
- <figcaption>The OpenSSH project logo</figcaption>
-</figure>
+{{< figure "left" "The OpenSSH project logo" >}}

I recently came across a useful tool on GitHub called
[ssh-audit](https://github.com/arthepsy/ssh-audit). It's a small Python script
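
Review bot: the removed `thumbnail` (`/res/images/ssh/openssh.thumb.png`) and `strapline` keys have no counterpart in the new front matter, while `image` looks to be replaced by the `resources` entry carrying `params: default: true`; confirm the theme no longer reads `thumbnail` or `strapline`, otherwise list pages silently lose their thumbnail and subtitle. The `{{< figure "left" "The OpenSSH project logo" >}}` shortcode evidently looks the resource up by `name`, so that string must match the front-matter `name` exactly (it does here), and since the old `alt="OpenSSH logo"` is dropped, make sure the shortcode emits alt text from the resource name.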

@@ -27,7 +29,7 @@ This is the kind of output you get when running ssh-audit. In this particular
example, I'm looking at GitHub's SSH server and have filtered the output to
just warnings and failures:

-<img src="/res/images/ssh/ssh-audit-github.png" alt="ssh-audit output">
+{{< img "Output of ssh-audit pointing at GitHub's SSH servers" >}}

GitHub's a bit of a special case, as they're trying to cope with scores of
developers pushing code: they can't disable weaker algorithms without also
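
Review bot: the replacement `{{< img "Output of ssh-audit pointing at GitHub's SSH servers" >}}` drops the `alt="ssh-audit output"` that the removed `<img>` carried, and the image is the only place the filtered warnings and failures are shown; either have the shortcode emit the resource name as alt text or add a sentence naming the flagged algorithms so the finding survives without the image. The name string must also match the `resources` entry added in the front matter character for character, which it does.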

@@ -93,8 +95,8 @@ as a warning, but there's no compelling reason to keep it around if you're
using remotely modern clients to connect. Similarly the host-key DSA algorithm
uses a 1024 bit key, so should be disabled.

-Many of the supported encryption algorithms use basically-broken algorithms
-(`3des-cbc`, `arcfour`, for example). Some of the remaining are block ciphers
+Many of the rejected encryption algorithms use basically-broken algorithms
+(`3des-cbc` and `arcfour` for example). Some of the remaining are block ciphers
with small block sizes, which makes them weak (e.g. `blockfish-cbc` uses a
block size of 64 bits).

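Review bot: the unchanged context line still reads `blockfish-cbc`; the OpenSSH cipher with a 64-bit block is `blowfish-cbc`, so fix that typo in this hunk while the paragraph is being edited. In the new `+` line, "algorithms use basically-broken algorithms" repeats the noun, and "rejected" no longer says by whom (the old line's "supported" referred to the server); something like "Many of the ciphers ssh-audit rejects are basically broken (`3des-cbc` and `arcfour`, for example)" keeps the meaning and reads cleaner.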