Wednesday, May 26, 2010

Secure OpenSSH Config Reference

OpenSSH is a set of utilities to allow you to connect to a remote machine through an encrypted tunnel. You can use it as a terminal connection or to tunnel any data through a VPN interface.
OpenSSH is a FREE version of the SSH suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.OpenSSH FAQ
Most operating systems come with one version or another of OpenSSH. You may want to make sure you have the latest version on your machine. Check the OpenSSH site for the latest source code. You can also look to the package maintainers of your OS revision to see if they make a premade package for you to install. The directives and options listing in the following config files apply to the latest official OpenSSH release.
SECURITY NOTE: Notice that we have specified the "Ciphers" for the client and server config files. It is important to only use the Advanced Encryption Standard (AES) encryption with stateful-decryption counter (CTR) only. AES with CBC is vulnerable to the Plaintext Recovery Attack Against SSH. AES is the strongest encryption available in openssl and all others are too weak to trust. We are also specifying the "MACs" or Hash-based Message Authentication Code to use. Again, we want the strongest security model available.


Client side ssh config options (/etc/ssh/ssh_config)

This config is for the client side options. You can specify directives here and the client will negotiate them with the server. Only if the server allows them will they will take effect. 
#######################################################
###  Calomel.org  CLIENT  /etc/ssh/ssh_config
#######################################################
Host *
 AddressFamily inet
 CheckHostIP yes
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
 Compression no
 ConnectionAttempts 1
 ConnectTimeout 10
 ControlMaster auto
 ControlPath ~/.ssh/master-%r@%h:%p
 EscapeChar ~
 ForwardAgent no
 ForwardX11 no
 ForwardX11Trusted no
 HashKnownHosts yes
 IdentityFile ~/.ssh/identity
 IdentityFile ~/.ssh/id_rsa
 IdentityFile ~/.ssh/id_dsa
 IdentitiesOnly yes
 MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
 PermitLocalCommand no
 Port 22
 Protocol 2
 RekeyLimit 1G
 ServerAliveInterval 15
 ServerAliveCountMax 3
 StrictHostKeyChecking ask
 TCPKeepAlive no
 Tunnel no
 TunnelDevice any:any
 VisualHostKey no
#######################################################
###  Calomel.org  CLIENT  /etc/ssh/ssh_config
#######################################################




Need help setting up a chrooted sftp server? Check out our Chroot'd SFTP server "how to".




Server side sshd config options (/etc/ssh/sshd_config)

These directives are for sshd. Permissions should be "chmod 755". We want to restrict access with the following options to better protect the server. 
#######################################################
###  Calomel.org  SERVER  /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1

#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh 

AllowUsers calomel@10.10.10.3 calomel@192.168.*
AllowGroups calomel

AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (need to be be commented for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes

#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
#
#######################################################
###  Calomel.org  SERVER  /etc/ssh/sshd_config
#######################################################


For more information about OpenBSD's Pf firewall and HFSC quality of service options check out our PF Config (pf.conf) and PF quality of service HFSC "how to's".
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)