Has anyone read this article about modifying /etc/ssh/moduli to make it hardened? Since it is from 2015 is the advice there even relevant?
It's trivially easy to check and see. Do you have *any* lines in /etc/ssh/moduli where column 5 is less than 2000?
EDIT: I see that guide is linked to from our wiki. However our wiki page on openSSH has changed drastically since I last read it - and while I'm far from an expert, some of the current advice seems ... well, horrific. Suggesting one should allow remote root login under a section called "protection" is just absurd.
Last edited by Trilby (2019-01-01 15:51:08)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Suggesting one should allow remote root login under a section called "protection" is just absurd.
Can you link/quote the specific recommendation? I couldn't find it and I would obviously like to remove it.
Oops! Sorry, I must have misread this sentence:
Allowing remote log-on through SSH is good for administrative purposes...
Somehow I read that as "allowing root log-on ...". As is, the sentence is not so problematic, but a bit pointless in my view. The whole page is about remote log-on through SSH, so it's a given if one is following that page that they are allowing some sort of remote log-on. Although I also misinterpreted the headers - "Force public key authentication" is a subheader under "Protection". Unfortunately they looked like similar levels, so the tiny "protection" section seemed overall a bit odd to me (not the case when I realize that's just an introductory blurb for all the subheadings).
That said, having a link at the start of that section to a pretty old blog entry, some of which no longer applies, seems odd.
Last edited by Trilby (2019-01-01 19:20:38)
That said, having a link at the start of that section to a pretty old blog entry, some of which no longer applies, seems odd.
Links to old blog entries anywhere are really odd for a wiki (obvious exceptions being to statements from a piece of software's author etc.).
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matter's attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Trilby wrote: That said, having a link at the start of that section to a pretty old blog entry, some of which no longer applies, seems odd.
Links to old blog entries anywhere are really odd for a wiki (obvious exceptions being to statements from a piece of software's author etc.).
Agree. People that write blogs are idiots.
Agree. People that write blogs are idiots.
http://jasonwryan.com/blog/categories/archlinux/
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
jasonwryan wrote: Agree. People that write blogs are idiots.
http://jasonwryan.com/blog/categories/archlinux/
QED.
Has anyone read this article about modifying /etc/ssh/moduli to make it hardened? Since it is from 2015 is the advice there even relevant?
Yeah, I explicitly set the permitted Kex, hostkey, MACs and ciphers in ssh_config and sshd_config.
They do need to be overridden for some older hardware or servers.
None of my moduli on a recent install have a fifth column with any entries smaller than 2000. Maybe the (arbitrary) 2000 constraint should be lifted these days, but I'm not sure.
You might be interested in having a look at ssh-audit too.
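Both Trilby's suggested check ("any lines in /etc/ssh/moduli where column 5 is less than 2000?") and the last post's points (no small moduli on a recent install; Kex, host key, MAC and cipher lists set explicitly in sshd_config) can be scripted. The following is an added example written for this thread, not code from any poster, from the Arch wiki or from OpenSSH. It assumes the column layout documented in moduli(5) (time, type, tests, tries, size, generator, modulus, so the size in bits is column 5) and the sshd_config keyword names KexAlgorithms, HostKeyAlgorithms, MACs and Ciphers. The moduli and sshd_config inputs in the demo section are constructed (the hex values are not real primes); the final section runs the same checks against the live files when they are readable.

```shell
#!/bin/sh
# Added example (not from the thread, the wiki or OpenSSH): audit the two
# things discussed above.
#  (1) Are there groups in /etc/ssh/moduli whose 5th column (size in bits)
#      is below 2000, and how do you write a copy without them?
#  (2) Does sshd_config pin its algorithm lists (KexAlgorithms,
#      HostKeyAlgorithms, MACs, Ciphers) instead of relying on defaults?

# /etc/ssh/moduli columns (moduli(5)):
#   1 time   2 type   3 tests   4 tries   5 size   6 generator   7 modulus
# Print how many entries in file $1 have a size below $2 (default 2000) bits.
count_small_moduli() {
    awk -v min="${2:-2000}" '
        /^[[:space:]]*#/ || NF < 7 { next }   # skip comments and junk
        $5 + 0 < min + 0 { n++ }
        END { print n + 0 }
    ' "$1"
}

# Copy $1 to $2, keeping comment lines and only entries of at least $3 bits
# (default 2000). Entries are kept verbatim.
filter_moduli() {
    awk -v min="${3:-2000}" '
        /^[[:space:]]*#/ { print; next }
        NF >= 7 && $5 + 0 >= min + 0 { print }
    ' "$1" > "$2"
}

# Print (lowercase, sorted, one per line) the algorithm-selection keywords
# that are NOT set in the global section of sshd_config file $1. Keywords are
# case-insensitive and may be written "Key value" or "Key=value"; everything
# after the first Match block is conditional, so the scan stops there.
missing_algo_keywords() {
    awk '
        BEGIN {
            want["kexalgorithms"] = 1; want["hostkeyalgorithms"] = 1
            want["macs"] = 1;          want["ciphers"] = 1
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        { key = tolower($1); sub(/=.*/, "", key) }
        key == "match" { exit }          # END still runs after exit
        key in want { delete want[key] }
        END { for (k in want) print k }
    ' "$1" | sort
}

# --- demo on constructed data (the hex moduli are fake, not real primes) ---
tmp=$(mktemp -d)
cat > "$tmp/moduli" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 c0ffee01
20150101000000 2 6 100 1535 2 c0ffee02
20150101000000 2 6 100 2047 2 c0ffee03
20150101000000 2 6 100 3071 2 c0ffee04
20150101000000 2 6 100 4095 2 c0ffee05
EOF
cat > "$tmp/sshd_config" <<'EOF'
# constructed sshd_config: two of the four lists pinned, two left to defaults
PermitRootLogin no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs=hmac-sha2-512-etm@openssh.com
Match User backup
    PasswordAuthentication no
EOF

echo "constructed moduli below 2000 bits: $(count_small_moduli "$tmp/moduli")"
filter_moduli "$tmp/moduli" "$tmp/moduli.filtered"
echo "after filtering: $(count_small_moduli "$tmp/moduli.filtered")"
echo "algorithm keywords not pinned globally in constructed sshd_config:"
missing_algo_keywords "$tmp/sshd_config"
rm -rf "$tmp"

# --- the same checks on the live system, when the files are readable ---
if [ -r /etc/ssh/moduli ]; then
    echo "/etc/ssh/moduli: $(count_small_moduli /etc/ssh/moduli) entries below 2000 bits"
fi
if [ -r /etc/ssh/sshd_config ]; then
    echo "/etc/ssh/sshd_config, not pinned: $(missing_algo_keywords /etc/ssh/sshd_config | tr '\n' ' ')"
fi
```

A count of 0 from the first check is the situation the last poster describes for a recent install; a non-zero count is what the 2015 article was addressing. Writing the filtered copy to a separate path and reviewing it before replacing the system file keeps the change reversible, and the keyword check only looks at the global section because directives inside a Match block apply to a subset of connections.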