You are not logged in.

#1 2019-01-01 15:29:54

MS1
Member
Registered: 2018-02-02
Posts: 20

securing sshd on Arch

Has anyone read this article about modifying /etc/ssh/moduli to make it hardened?  Since it is from 2015 is the advice there even relevant?

Offline

#2 2019-01-01 15:40:26

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,770
Website

Re: securing sshd on Arch

It's trivially easy to check and see.  Do you have *any* lines in /etc/ssh/moduli where column 5 is less than 2000?

EDIT: I see that guide is linked to from our wiki.  However our wiki page on openSSH has changed drastically since I last read it - and while I'm far from an expert, some of the current advice seems ... well, horrific.  Suggesting one should allow remote root login under a section called "protection" is just absurd.

Last edited by Trilby (2019-01-01 15:51:08)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2019-01-01 18:17:07

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 26,520
Website

Re: securing sshd on Arch

Trilby wrote:

Suggesting one should allow remote root login under a section called "protection" is just absurd.

Can you link/quote the specific recommendation? I couldn't find it and I would obviously like to remove it.


Arch + dwm   •   Mercurial repos  •   Github

Registered Linux User #482438

Online

#4 2019-01-01 18:32:41

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,770
Website

Re: securing sshd on Arch

Oops!  Sorry, I must have misread this sentence:

Allowing remote log-on through SSH is good for administrative purposes...

Somehow I read that as "allowing root log-on ...".  As is the sentence is not so problematic, but a bit pointless in my view.  The whole page is about remote log-on through SSH, so it's a given if one is following that page that they are allowing some sort of remote log-on.  Although I also misinterpreted the headers - "Force public key authentication" is a subheader under "Protection".  Unfortunately they looked like similar levels, so the tiny "protection" section seemed overall a bit odd to me (not the case when I realize that's just an introductory blurb for all the subheadings).

That said, having a link at the start of that section to a pretty old blog entry, some of which no longer applies, seems odd.

Last edited by Trilby (2019-01-01 19:20:38)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2019-01-01 18:55:52

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,203

Re: securing sshd on Arch

Trilby wrote:

That said, having a link at the start of that section to a pretty old blog entry, some of which no longer applies, seems odd.

Links to old blog entries anywhere are really odd for a wiki (obvious exceptions being to statements from a piece of software's author etc.) really.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#6 2019-01-01 20:22:45

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 26,520
Website

Re: securing sshd on Arch

ngoonee wrote:
Trilby wrote:

That said, having a link at the start of that section to a pretty old blog entry, some of which no longer applies, seems odd.

Links to old blog entries anywhere are really odd for a wiki (obvious exceptions being to statements from a piece of software's author etc.) really.

Agree. People that write blogs are idiots.


Arch + dwm   •   Mercurial repos  •   Github

Registered Linux User #482438

Online

#7 2019-01-01 21:52:58

Alad
Wiki Admin/IRC Op/TU
From: Bagelstan
Registered: 2014-05-04
Posts: 1,890
Website

Re: securing sshd on Arch

jasonwryan wrote:

Agree. People that write blogs are idiots.

http://jasonwryan.com/blog/categories/archlinux/

big_smile


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
Honest Alad's Package Emporium—Now with added bugs! (Grand reopening: December 1st 2018)

Offline

#8 2019-01-01 22:41:55

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 26,520
Website

Re: securing sshd on Arch

Alad wrote:
jasonwryan wrote:

Agree. People that write blogs are idiots.

http://jasonwryan.com/blog/categories/archlinux/

big_smile

QED.


Arch + dwm   •   Mercurial repos  •   Github

Registered Linux User #482438

Online

#9 2019-01-02 01:07:30

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,226
Website

Re: securing sshd on Arch

MS1 wrote:

Has anyone read this article about modifying /etc/ssh/moduli to make it hardened?  Since it is from 2015 is the advice there even relevant?

Yeah, I explicitly set the permitted Kex, hostkey, MACs and ciphers in ssh_config and sshd_config.

They do need to be overridden for some older hardware or servers.

None of my moduli on a recent install have a fifth column with any entries smaller than 2000. Maybe the (arbitrary) 2000 constraint should be lifted these days, but I'm not sure.

You might be interested in having a look at ssh-audit too.

Offline

Board footer

Powered by FluxBB