jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

config taken from the hardening guide crashes auditing software #22

Closed pikrzysztof closed 4 years ago

pikrzysztof commented 4 years ago

This is what's in my sshd config; I've taken the values from https://www.ssh-audit.com/hardening_guides.html#ubuntu_18_04_lts:

root@hex-bastion2:/etc/ssh# grep -i Hostkey sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com

What the program does:

[root@d213856bed13 /]# ssh-audit -p 2022 example.com #
# general
(gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
(gen) software: OpenSSH 7.6p1

[exception] error reading packet (empty)

whereas the server says:

Mar 30 21:44:01 hex-bastion2 sshd[10221]: rexec line 29: Deprecated option UsePrivilegeSeparation
Mar 30 21:44:01 hex-bastion2 sshd[10221]: rexec line 60: Deprecated option UseLogin
Mar 30 21:44:01 hex-bastion2 sshd[10221]: fatal: No supported key exchange algorithms [preauth]

Minimal working example; the program gives the same output:

root@hex-bastion2:/etc/ssh# grep -i Hostkey sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com

Commenting out HostKeyAlgorithms makes the program run fine.

This is a fresh pip install in an archlinux:latest docker container.

jtesta commented 4 years ago

Thanks for the feedback.

Could you please post your entire sshd_config file?

Also, what OS are you using?

On 3/30/20 5:41 PM, pikrzysztof wrote:

This is what's in my sshd config:

root@hex-bastion2:/etc/ssh# grep -i Hostkey sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

What the program does:

[root@d213856bed13 /]# ssh-audit -p 2022 example.com #
# general
(gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
(gen) software: OpenSSH 7.6p1

[exception] error reading packet (empty)

Minimal working example; the program gives the same output:

root@hex-bastion2:/etc/ssh# grep -i Hostkey sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com

Commenting out HostKeyAlgorithms makes the program run fine.

-- Joseph S. Testa II Founder & Principal Security Consultant Positron Security

pikrzysztof commented 4 years ago

The SSH server is running on Ubuntu 18.04.4 LTS (Bionic Beaver); it is openssh-server version 1:7.6p1-4ubuntu0.3.

Here's the config. I'm connecting from behind the firewall (public internet), so the last rule applies.

Port 22
Port 2022

AddressFamily inet    # IPv4 only
ListenAddress 0.0.0.0 # all interfaces
Protocol 2

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,curve25519-sha256

LoginGraceTime 60
# https://unix.stackexchange.com/questions/26170/sshd-config-maxsessions-parameter
MaxSessions 100
MaxStartups 500:10:1000

# Host keys and certificates for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
HostKey /etc/ssh/ssh_host_dsa_key
HostCertificate /etc/ssh/ssh_host_dsa_key-cert.pub
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
UsePrivilegeSeparation yes

UseDns no
GatewayPorts yes

SyslogFacility AUTH
LogLevel INFO

StrictModes no

PermitRootLogin without-password
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 %h/.ssh/authorized_keys.gbadmin-lite

AllowAgentForwarding no
AllowTcpForwarding yes

X11Forwarding no

PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no

AcceptEnv LANG
AcceptEnv LC_*
AcceptEnv PGAPPNAME
AcceptEnv LC_GAMBIT*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

# Very limited access from outside our network, to force us to use ssh tunnelled over ssh
# for access to systems beyond the bastion, rather than less secure options such as ssh
# agent forwarding or uploading private keys.
Match Address *,!10.122.0.0/16,!127.0.0.1/32
    AllowGroups extssh
    AllowAgentForwarding no
    PermitRootLogin no
    PermitTTY no
    ForceCommand /usr/local/bin/external-ssh-connection

jtesta commented 4 years ago

Sorry for the late response. I took a closer look at your configuration, and found the problem: the HostKeyAlgorithms directive only specifies ssh-ed25519 and ssh-ed25519-cert-v01@openssh.com, but your HostKey directives don't add an ED25519 key. Hence, your server doesn't have any host key to offer during the connection setup.

The solution is to add a HostKey directive with the path of an ED25519 key.

FYI, I also noticed that your config doesn't follow the hardening guide exactly. The KexAlgorithms list was modified, and no Ciphers nor MACs directives are included. This wouldn't prevent clients from connecting, however... it would just result in some weaker options being available.
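
As an added example (not ssh-audit's code and not from anyone in this thread), the following Python script checks an sshd_config for exactly this mismatch: it collects the HostKey and HostCertificate paths from the global section, expands the key types behind them into the host-key algorithm names sshd can actually offer, and compares that set with HostKeyAlgorithms. The key types, which in practice are the first token of each .pub or certificate file, are supplied as a constructed dict so the script runs offline; comment stripping and the skipped +/-/^ modify-default syntax are simplifications noted in the code.

```python
# Host-key algorithm names each OpenSSH key type can serve; certificates use the same names + CERT.
ALGS_FOR_KEY_TYPE = {
    "ssh-rsa": ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"), "ssh-dss": ("ssh-dss",),
    "ssh-ed25519": ("ssh-ed25519",), "ecdsa-sha2-nistp256": ("ecdsa-sha2-nistp256",),
    "ecdsa-sha2-nistp384": ("ecdsa-sha2-nistp384",), "ecdsa-sha2-nistp521": ("ecdsa-sha2-nistp521",),
}
CERT = "-cert-v01@openssh.com"

def parse_global_section(config_text):
    """HostKey/HostCertificate paths and the HostKeyAlgorithms list from the global section (before
    any Match). First HostKeyAlgorithms wins, '#' comments are stripped, +/-/^ syntax not handled."""
    paths, algs = [], None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # -> [keyword, rest] or []
        keyword = parts[0].lower() if parts else ""   # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword in ("hostkey", "hostcertificate"):
            paths.append(value)
        elif keyword == "hostkeyalgorithms" and algs is None:
            algs = [a for a in value.split(",") if a]
    return paths, algs

def check_hostkeys(config_text, type_by_path):
    """Return (offered, unservable) HostKeyAlgorithms given type_by_path: HostKey/HostCertificate
    path -> first token of its .pub (or cert) file. Empty 'offered' is the fatal case in this issue."""
    paths, requested = parse_global_section(config_text)
    loaded = set()
    for t in (type_by_path[p] for p in paths if p in type_by_path):
        base, sfx = (t[:-len(CERT)], CERT) if t.endswith(CERT) else (t, "")
        loaded.update(a + sfx for a in ALGS_FOR_KEY_TYPE.get(base, ()))
    if requested is None:  # no directive: sshd offers everything the loaded keys support
        return sorted(loaded), []
    return [a for a in requested if a in loaded], [a for a in requested if a not in loaded]

# Constructed from the sshd_config posted in this issue (only the relevant lines kept).
ISSUE_CONFIG = """HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
"""
FIXED_CONFIG = "HostKey /etc/ssh/ssh_host_ed25519_key\n" + ISSUE_CONFIG  # the suggested fix
# Constructed stand-ins for the first token of each key's .pub / certificate file.
KEY_TYPES = {"/etc/ssh/ssh_host_rsa_key": "ssh-rsa", "/etc/ssh/ssh_host_dsa_key": "ssh-dss",
             "/etc/ssh/ssh_host_rsa_key-cert.pub": "ssh-rsa-cert-v01@openssh.com",
             "/etc/ssh/ssh_host_ecdsa_key": "ecdsa-sha2-nistp256",
             "/etc/ssh/ssh_host_ed25519_key": "ssh-ed25519"}
print(check_hostkeys(ISSUE_CONFIG, KEY_TYPES), check_hostkeys(FIXED_CONFIG, KEY_TYPES))
```

With the configuration as reported the offered list is empty, which is the condition behind the server's "No supported key exchange algorithms" and ssh-audit's empty packet; after adding the ED25519 HostKey only the certificate variant stays unservable until a matching HostCertificate is configured.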

pikrzysztof commented 4 years ago

Oh, that's right, sorry for raising a bogus issue. Thank you for having a look at this.