Closed jugmac00 closed 3 years ago
I tried to google about client hardening, but almost all information out there is about server hardening.
Well, there's my blog post on this topic: https://www.positronsecurity.com/blog/2020-01-07-ssh-client-auditing-and-hardening/
Any hint for me what to do?
I suppose I don't understand what the problem is. Did my hardening guide not result in all green output?
Yes, that is the problem.
I followed your instructions by echoing your recommendations into my ~/.ssh/config file.
Then I started the client audit mode (Python 3.8, and the latest commit from your dev branch).
When I ssh into localhost -p 22222 in a second terminal, I get this output in the first terminal (where I started the client audit)...
I know your blog article, but it also did not solve my problem. I tried to look for other information on how the config file has to be structured so I could get a hint where the problem is, but I did not find any info out there.
As I assume your hardening information is correct (as you tried it), I can only guess my config file does not get used or there is a syntax error inside so some information gets ignored. Or maybe there is an OS-wide setting which weighs higher?
On the other hand, my ~/.ssh/config file works, as I use the jump hosts for my work.
So I am left clueless at the moment.
Ok. I figured it out.
The cipher (et al.) config has to be put at the top of the ssh config file; otherwise it seems it gets ignored.
This is the reason I tried to find information about how the structure of a client config file has to look.
Damn you SSH for not throwing an error :-)
Maybe it is possible that you update your hardening guides?
I guess I am not the only one with some basic ssh config.
I guess I figured it out.
In man 5 ssh_config you can read:
Host    Restricts the following declarations (up to the next Host or Match keyword) to be only for those hosts that match one of the patterns given after the keyword.
Yep. So I configured some hosts, then I echoed your configurations into my config file, and thus the hardening info only applies to my last configured host oO
Oh ok. Yes, I suppose I do need to update the guides so they put the options at the top of the config file.
The guide just needs to add "Host *\n" before "Ciphers". The current guide just adds the values to the last host.
If you put it at the top of the file, that will become the default for all hosts. If you need to override any of the values, then those hosts would need to go above the defaults.
@sleepnmojo: so you suggest that the best solution is to add Host *\n at the beginning of the block but keep the block itself at the end of the file?
@MestreLion correct
People would need to understand that if they put Ciphers, KexAlgorithms, MACs, or HostKeyAlgorithms in any Host above, then that value will be used for that Host. This is true for the topmost Host * as well.
Example:

```
# This host will use the defaults in the first Host *
Host tank
    HostName 192.168.0.5
    Port 2222
    User user1

# Override MACs for an old system
Host www
    HostName www.example.com
    MACs hmac-sha2-256

# user defaults
Host *
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com

# preferred order for my system, will be ignored
Host *
    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305@openssh.com
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
```
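To make the first-value-wins rule from the man page concrete, here is a small added example (not ssh-audit's code, written for this thread) that resolves the effective options for a host from a cut-down copy of the config above, plus a second constructed config reproducing the original mistake of echoing the hardening lines after the last Host block:

```python
import fnmatch
import re

# Constructed input: a cut-down copy of the thread's example config above.
SAMPLE_CONFIG = """\
Host tank
    Port 2222
Host www
    MACs hmac-sha2-256
Host *
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Host *
    Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
"""
# Constructed input: the original mistake, hardening echoed after the last Host.
APPENDED_CONFIG = "Host jump\n    HostName jump.example\nCiphers aes256-ctr\n"

def parse_blocks(text):
    """Split ssh_config text into (host patterns, [(key, value), ...]) blocks.
    Options before the first Host line land in an implicit 'Host *' block."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue                                   # blank line or bare keyword
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks

def host_matches(hostname, patterns):
    """ssh_config globbing: '*' and '?' match; a matching '!' pattern rejects."""
    if any(fnmatch.fnmatchcase(hostname, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns if not p.startswith("!"))

def effective_options(text, hostname):
    """Walk blocks in file order: the first value seen for a key wins."""
    options = {}
    for patterns, pairs in parse_blocks(text):
        if host_matches(hostname, patterns):
            for key, value in pairs:
                options.setdefault(key, value)   # later values are ignored
    return options
```

The real-world check is `ssh -G tank | grep -i -E 'ciphers|macs|kexalgorithms|hostkeyalgorithms'`, which prints the configuration ssh would actually use for that host after evaluating all Host and Match blocks.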
Ok, just did this (using the Host * trick), and the local audit (installing from pip) gives me all green.
But... https://www.sshaudit.com/ Client Audit gives me C- 70/100. Looking at the results, I see this in "Host Key Types": ssh-rsa-cert-v01@openssh.com SHA-1 has exploitable weaknesses. Score capped at 70.
Problem is: rsa-cert-v01@openssh.com is indeed included in HostKeyAlgorithms from the Hardening Guide for Ubuntu 18.14. Why is the guide suggesting a SHA-1 algo that is considered by its own website to be exploitable/weak?
Furthermore: if the website complains about this, why doesn't the local tool installed from pip?
@jugmac00 @MestreLion I fixed the hardening guides months ago, but forgot to update you about it. Please let me know if you notice any other problems!
@sleepnmojo Thanks for the suggestion! I've updated the hardening guides with them.
@jtesta Thanks a lot. Works like a charm. Thanks for updating the guide!
Hi @jtesta
I just discovered the client hardening mode.
I run Ubuntu 18.04 on my laptop.
I applied the changes from your hardening guide
https://www.ssh-audit.com/hardening_guides.html#ubuntu_18_04_linux_mint_19
and then I started the client audit via
python3.8 ssh-audit.py -c
and then on a second terminal, I sshed into localhost port 2222.
Expected
I expected all output to be green.
What I got
My ssh config contains some jumphost configurations, and then at the bottom your suggested changes which I echoed into the file.
Thanks!