On Tue, 2015-01-06 at 18:52 +0200, Vasil Kolev wrote: > - get openssh to generate 4096-bit RSA keys by default; ... and disable DSA and RSA1 keys, which is possible if you name all other "default" key explicitly in the config, like: sshd_config: HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_rsa_key #Note: SSH Version 2 DSA host keys are implicitly disabled. ##HostKey /etc/ssh/ssh_host_dsa_key #Note: SSH Version 1 RSA host keys are implicitly disabled. ##HostKey /etc/ssh/ssh_host_key ssh_config: IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ecdsa IdentityFile ~/.ssh/id_rsa #Note: SSH Version 2 DSA identities are implicitly disabled. #IdentityFile ~/.ssh/id_dsa #Note: SSH Version 1 RSA identities are implicitly disabled. #IdentityFile ~/.ssh/identity > - increase the size of the DH modulus to 4096; That only makes really sense if diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 are disabled (which they should be anyway), since these have fixed size groups of 1024 and 2048 bits. For DH-GEX, one can easily allow only more secure groups, simply by removing all smaller ones from /etc/ssh/moduli This unfortunately works only for the server side. For the client side OpenSSH has a hard coded min/preferred/max DH group size, with too low min, and too low max. See: https://bugzilla.mindrot.org/show_bug.cgi?id=2303 Also note, if you completely empty /etc/ssh/moduli, the DH-GEX will again fall back to some hardcoded 2048bit only DH group: https://bugzilla.mindrot.org/show_bug.cgi?id=2302 And perhaps see also: https://bugzilla.redhat.com/show_bug.cgi?id=1010607 https://bugzilla.redhat.com/show_bug.cgi?id=1062925 > - disable old ciphers, like the 3DES based ones. Yeah... IMHO the preferred algo defaults (with respect to security, not interoperability with old systems) should be (as of version 6.7): HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com with HostKeyAlgorithms of course only for ssh_config,... and one might want to remove all nist curves, since they're... questionable. > I understand that there is nothing sure and final, but most of these recommendations > seem like a good idea from a security point of view, and won't break compatibility > except with some very old (and maybe insecure) clients. Unfortunately Debian usually rather goes the way less secure for everyone, just to please some oldish systems whose admins haven't done their homework, > For such compatibility > issues, a warning might be provided with an explanation how to re-enable them, > or a way to enable a "hardened" configuration. I've recently created hardened versions for sshd_config and ssh_config... I could publish them here, but I doubt that this would be merged. Cheers, Chris.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature