An even more secure SSH

First post of 2012, so let's start off with a "Happy New Year!" to everyone.
On an even happier note, I just got word that I passed all my exams. :-)

Now the real topic of this post is SSH, more specifically how to make your SSH connections even more secure than they already are. OpenSSH by default prefers slightly less strong cryptographic algorithms (like AES128 is preferred to AES256), and for its HMAC it still prefers MD5-based HMACs, which, while still kinda secure, are clearly less secure than the SHA2-512 based ones, for which OpenSSH added support in the 5.9 release.
Assuming you're running OpenSSH >=5.9 everywhere, like in my setup, configure your sshd's as following, so that they will only offer the most secure known algorithms in their strongest variants first. This will also only offer SSH protocol 2, as well as set some other miscellaneous login-related settings and make the server check periodically that clients are alive, and if not, terminate the connection.

Protocol 2
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 5
ClientAliveCountMax 3
ClientAliveInterval 5
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
MACs hmac-sha2-512,hmac-sha2-256

Configure your SSH client as follows to only connect to sshd's using secure algorithms, again trying the strongest first. This also enables SSH protocol 2 only, periodically checks that the server is alive (especially useful with sshfs and its '-o reconnect' flag, when working over unstable links like wireless). It further lowers the amount of data needed for a rekey, default would usually be between 1G and 4G.
Note that I had to split up some lines for better readability on the blog, you can notice those by the increased indentation, just always make sure everything is on one line!

Host *
  Protocol 2
  ServerAliveCountMax 2
  ServerAliveInterval 4
  Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,aes256-cbc
  KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,
  MACs hmac-sha2-512,hmac-sha2-256,hmac-md5,hmac-sha1
  RekeyLimit 512M

Given both the server and client running OpenSSH >=5.9 and being configured correctly, you get an SSH connection using AES256-CTR as cipher, exchanging keys using ECDH-SHA2-NISTP521, and using HMAC-SHA2-512 for integrity checking. Basically AES-256 and SHA2-512 everywhere, which, as far as I know, are state-of-the-art in their respective application domains and still considered very secure.
Hope this helps increasing security, as well as reliability (the Alive options especially with sshfs).

Posted by Luca Longinotti on 16 Feb 2012 at 15:00
Categories: Longi, Gentoo, Software Comments

blog comments powered by Disqus