Closed pikrzysztof closed 4 years ago
Thanks for the feedback.
Could you please post your entire sshd_config file?
Also, what OS are you using?
On 3/30/20 5:41 PM, pikrzysztof wrote:
This is what's in my sshd config:
```
root@hex-bastion2:/etc/ssh# grep -i Hostkey sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
```
what the program does?
```
[root@d213856bed13 /]# ssh-audit -p 2022 example.com
# general
(gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
(gen) software: OpenSSH 7.6p1
[exception] error reading packet (empty)
```
minimal working example, the program gives the same output:
```
root@hex-bastion2:/etc/ssh# grep -i Hostkey sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com
```
Commenting out HostKeyAlgorithms makes the program run fine.
(view this thread on GitHub: https://github.com/jtesta/ssh-audit/issues/22)
-- Joseph S. Testa II Founder & Principal Security Consultant Positron Security
SSH server is running on Ubuntu 18.04.4 LTS (Bionic Beaver); it's openssh-server version 1:7.6p1-4ubuntu0.3.
Here's the config. I'm connecting from behind the firewall (public internet), so the last rule applies.
Port 22
Port 2022
AddressFamily inet # IPv4 only
ListenAddress 0.0.0.0 # all interfaces
Protocol 2
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,curve25519-sha256
LoginGraceTime 60
# https://unix.stackexchange.com/questions/26170/sshd-config-maxsessions-parameter
MaxSessions 100
MaxStartups 500:10:1000
# Host keys and certificates for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
HostKey /etc/ssh/ssh_host_dsa_key
HostCertificate /etc/ssh/ssh_host_dsa_key-cert.pub
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
UsePrivilegeSeparation yes
UseDns no
GatewayPorts yes
SyslogFacility AUTH
LogLevel INFO
StrictModes no
PermitRootLogin without-password
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 %h/.ssh/authorized_keys.gbadmin-lite
AllowAgentForwarding no
AllowTcpForwarding yes
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
AcceptEnv LANG
AcceptEnv LC_*
AcceptEnv PGAPPNAME
AcceptEnv LC_GAMBIT*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
# Very limited access from outside our network, to force us to use ssh tunnelled over ssh
# for access to systems beyond the bastion, rather than less secure options such as ssh
# agent forwarding or uploading private keys.
Match Address *,!10.122.0.0/16,!127.0.0.1/32
AllowGroups extssh
AllowAgentForwarding no
PermitRootLogin no
PermitTTY no
ForceCommand /usr/local/bin/external-ssh-connection
Sorry for the late response. I took a closer look at your configuration, and found the problem: the HostKeyAlgorithms directive only specifies ssh-ed25519 and ssh-ed25519-cert-v01@openssh.com, but your HostKey directives don't add an ED25519 key. Hence, your server doesn't have any host key to offer during the connection setup.

The solution is to add a HostKey directive with the path of an ED25519 key.

FYI, I also noticed that your config doesn't follow the hardening guide exactly. The KexAlgorithms list was modified, and no Ciphers nor MACs directives are included. This wouldn't prevent clients from connecting, however... it would just result in some weaker options being available.
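The diagnosis above (a HostKeyAlgorithms list that no configured HostKey can serve, so sshd has nothing to offer in key exchange) is easy to catch before a client ever fails. The following is an added example, not code from this issue or from ssh-audit: a small Python lint that parses the global section of an sshd_config, reads the key type from each HostKey's `.pub` file and each HostCertificate, derives the host-key algorithm names those files can serve, and intersects that with HostKeyAlgorithms. It also flags the missing Ciphers and MACs directives mentioned in the reply (presence only; it does not judge the values). The `demo()` function builds a constructed copy of the thread's configuration in a temporary directory with fake key files that hold only the type token, first as posted and then with the ED25519 HostKey added; all paths and key contents there are constructed for the example.

```python
"""Lint an sshd_config for HostKeyAlgorithms entries no HostKey can serve.

Added example, not part of ssh-audit. Only key type names are read from
the .pub files, so no crypto library is required.
"""
import tempfile
from pathlib import Path

# Algorithm names a plain (non-certificate) host key of each type can serve.
PLAIN_ALGS = {
    "ssh-rsa": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "ssh-dss": {"ssh-dss"},
    "ecdsa-sha2-nistp256": {"ecdsa-sha2-nistp256"},
    "ecdsa-sha2-nistp384": {"ecdsa-sha2-nistp384"},
    "ecdsa-sha2-nistp521": {"ecdsa-sha2-nistp521"},
    "ssh-ed25519": {"ssh-ed25519"},
}
DIRECTIVE_NAMES = {"ciphers": "Ciphers", "macs": "MACs"}


def parse_sshd_config(text):
    """Global section only: HostKey/HostCertificate accumulate, every other
    keyword keeps its first value (sshd semantics). Stops at the first Match,
    since the directives checked here are not valid inside a Match block."""
    hostkeys, hostcerts, first = [], [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "hostkey":
            hostkeys.append(value)
        elif keyword == "hostcertificate":
            hostcerts.append(value)
        else:
            first.setdefault(keyword, value)
    return hostkeys, hostcerts, first


def key_type(pub_file):
    """First token of an OpenSSH public key or certificate file."""
    return Path(pub_file).read_text().split()[0]


def offerable_algorithms(hostkeys, hostcerts):
    """Host-key algorithms the configured key and certificate files can serve."""
    offer = set()
    for hk in hostkeys:
        pub = Path(hk + ".pub")  # the lint reads the type from <key>.pub
        if pub.is_file():
            offer |= PLAIN_ALGS.get(key_type(pub), set())
    for hc in hostcerts:
        if Path(hc).is_file():
            cert_type = key_type(hc)  # e.g. ssh-ed25519-cert-v01@openssh.com
            offer.add(cert_type)
            if cert_type == "ssh-rsa-cert-v01@openssh.com":
                # RSA/SHA-2 certificate algorithm names exist on OpenSSH 7.8+.
                offer |= {"rsa-sha2-256-cert-v01@openssh.com",
                          "rsa-sha2-512-cert-v01@openssh.com"}
    return offer


def check_hostkeys(config_text):
    """Return offerable/usable algorithm lists and human-readable findings."""
    hostkeys, hostcerts, first = parse_sshd_config(config_text)
    offer = offerable_algorithms(hostkeys, hostcerts)
    findings = []
    hka = first.get("hostkeyalgorithms", "")
    if hka == "" or hka[0] in "+^":
        usable = set(offer)  # default list (or defaults plus additions): every key stays offerable
    elif hka[0] == "-":
        usable = offer - set(hka[1:].split(","))  # defaults minus the listed names
    else:
        wanted = set(hka.split(","))
        usable = offer & wanted
        for alg in sorted(wanted - offer):
            findings.append(f"HostKeyAlgorithms lists {alg} but no HostKey/HostCertificate can serve it")
    if hostkeys and not usable:
        findings.append("no configured host key matches HostKeyAlgorithms: "
                        "sshd has nothing to offer in KEX and clients will fail to connect")
    for directive, shown in DIRECTIVE_NAMES.items():
        if directive not in first:
            findings.append(f"{shown} not set: OpenSSH defaults apply")
    return {"offerable": sorted(offer), "usable": sorted(usable), "findings": findings}


def demo():
    """Constructed sample: the thread's broken config, then the same config
    with an ED25519 HostKey added. Key files are fakes holding only the type."""
    with tempfile.TemporaryDirectory() as d:
        keys = {}
        for name, ktype in [("ssh_host_rsa_key", "ssh-rsa"), ("ssh_host_dsa_key", "ssh-dss"),
                            ("ssh_host_ecdsa_key", "ecdsa-sha2-nistp256"),
                            ("ssh_host_ed25519_key", "ssh-ed25519")]:
            Path(d, name + ".pub").write_text(f"{ktype} AAAA constructed-sample\n")
            keys[name] = str(Path(d, name))
        broken = "\n".join([
            f"HostKey {keys['ssh_host_rsa_key']}",
            f"HostKey {keys['ssh_host_dsa_key']}",
            f"HostKey {keys['ssh_host_ecdsa_key']}",
            "HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com",
            "Match Address *,!10.122.0.0/16,!127.0.0.1/32",
            "    PermitTTY no",
        ])
        fixed = f"HostKey {keys['ssh_host_ed25519_key']}\n" + broken
        return check_hostkeys(broken), check_hostkeys(fixed)


if __name__ == "__main__":
    for label, result in zip(("as posted", "with ED25519 HostKey"), demo()):
        print(label, result["usable"], *result["findings"], sep="\n  ")
```

Run it against a real host with `check_hostkeys(Path("/etc/ssh/sshd_config").read_text())`; `sshd -t` will not catch this class of error, because every directive is syntactically valid and the mismatch only surfaces when a client's key exchange finds an empty host-key proposal.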
Oh, that's right, sorry for raising a bogus issue. Thank you for having a look at this.
This is what's in my sshd config; I've taken the values from https://www.ssh-audit.com/hardening_guides.html#ubuntu_18_04_lts :

what the program does?

whereas the server says:

minimal working example, the program gives the same output:

Commenting out HostKeyAlgorithms makes the program run fine.

This is a fresh `pip install` in an aarchlinux:latest docker container.