
September 10, 2013





Secure OpenSSH Config Reference



OpenSSH is a set of utilities to allow you to connect to a remote machine through an encrypted tunnel. You can use it as a terminal connection or to tunnel any data through a VPN interface.

OpenSSH is a FREE version of the SSH suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. (OpenSSH FAQ)

Most operating systems come with one version or another of OpenSSH. You may want to make sure you have the latest version on your machine. Check the OpenSSH site for the latest source code. You can also look to the package maintainers of your OS release to see if they provide a premade package for you to install. The directives and options listed in the following config files apply to the latest official OpenSSH release.

SECURITY NOTE: Notice that we have specified the "Ciphers" for the client and server config files. It is important to use only Advanced Encryption Standard (AES) encryption in stateful-decryption counter (CTR) mode. AES with CBC is vulnerable to the Plaintext Recovery Attack Against SSH. AES is the strongest encryption available in OpenSSL and all others are too weak to trust. We are also specifying the "MACs", the Hash-based Message Authentication Codes to use. Again, we want the strongest security model available.



Client side ssh config options (/etc/ssh/ssh_config)

This config is for the client side options. You can specify directives here and the client will negotiate them with the server. They only take effect if the server allows them.

#######################################################
###  Calomel.org  CLIENT  /etc/ssh/ssh_config
#######################################################
Host *
 AddressFamily inet
 CheckHostIP yes
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
 Compression no
 ConnectionAttempts 1
 ConnectTimeout 10
 ControlMaster auto
 ControlPath ~/.ssh/master-%r@%h:%p
 EscapeChar ~
 ForwardAgent no
 ForwardX11 no
 ForwardX11Trusted no
 HashKnownHosts yes
 IdentityFile ~/.ssh/identity
 IdentityFile ~/.ssh/id_rsa
 IdentityFile ~/.ssh/id_dsa
 IdentityFile ~/.ssh/id_ecdsa
 IdentitiesOnly yes
 MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
 PermitLocalCommand no
 Port 22
 Protocol 2
 RekeyLimit 1G
 ServerAliveInterval 15
 ServerAliveCountMax 3
 StrictHostKeyChecking ask
 TCPKeepAlive no
 Tunnel no
 TunnelDevice any:any
 VisualHostKey no
#######################################################
###  Calomel.org  CLIENT  /etc/ssh/ssh_config
#######################################################





Need help setting up a chrooted sftp server? Check out our Chroot'd SFTP server "how to".





Server side sshd config options (/etc/ssh/sshd_config)

These directives are for sshd. Permissions should be "chmod 755". We want to restrict access with the following options to better protect the server.

#######################################################
###  Calomel.org  SERVER  /etc/ssh/sshd_config
#######################################################
#
Port 22
Protocol 2
AddressFamily inet
#ListenAddress 127.0.0.1

#See the questions section for setting up the gatekeeper
#ForceCommand /tools/ssh_gatekeeper.sh 

AllowUsers calomel@10.10.10.3 calomel@192.168.*
AllowGroups calomel

AllowTcpForwarding yes
#AuthorizedKeysFile .ssh/authorized_keys (needs to be commented out for OpenSSH 5.4)
Banner /etc/banner
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 15
ClientAliveCountMax 3
Compression yes
GatewayPorts no
LogLevel VERBOSE
LoginGraceTime 50s
MACs hmac-sha2-512-96,hmac-sha2-512,hmac-sha2-256-96,hmac-sha2-256,hmac-sha1-96,hmac-sha1
MaxAuthTries 6
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
#PermitOpen localhost:80
PermitRootLogin no
PermitUserEnvironment no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
TCPKeepAlive no
UseDNS no
UseLogin no
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
X11UseLocalhost yes

#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
#
#######################################################
###  Calomel.org  SERVER  /etc/ssh/sshd_config
#######################################################



For more information about OpenBSD's Pf firewall and HFSC quality of service options check out our PF Config (pf.conf) and PF quality of service HFSC "how to's".





Questions?



Do you have a multi authentication script for OpenSSH ?

Yes, we do. Please take a look at our OpenSSH GateKeeper (ssh_gatekeeper.sh) script. You can add a layer of authentication on top of what OpenSSH already provides to drastically increase security.



Do you have any distributed scp and ssh shell scripts ?

Indeed. Take a look at our OpenSSH Distributed SSH shell script. The scripts will allow you to easily automate ssh commands to many ssh machines.



How can I setup a reverse SSH connection?

A reverse ssh connection will allow you to use an existing ssh connection from work, through their restrictive firewall (port 443 is open), to your machine at home. Then you can initiate a reverse ssh connection from your home machine, back through the established ssh tunnel to your work machine. This is what we are trying to accomplish:

Initial Tunnel: 1.1.1.1:443  --> NAT FIREWALL --> 2.2.2.2:443 [localhost:12345]
                 (work)                             (home) 
Reverse SSH:    localhost:22 <--  SSH TUNNEL  <-- localhost:12345         

Let's say work only allows port 80 (http) and port 443 (https) out through the firewall. Since ssh and https are both encrypted, no one should notice ssh traffic going out the https port on the firewall.

First, you need to execute the following on your work machine. It will set up an ssh tunnel to your home machine (sshd at home is listening on port 443) going out port 443 (hidden on the https port). On your home machine, port 12345 on localhost will be the end of the tunnel that starts on your machine at work.

calomel@WORK: ssh -R 12345:localhost:22 username@2.2.2.2

Now, on your home machine you can use the ssh tunnel you just set up to ssh back through to the target machine at work.

calomel@HOME: ssh localhost -p 12345

Anyone with access to the home machine can now access the work machine through the tunnel. To keep the tunnel active you can run "top" on the home machine. Just imagine the security implications and how difficult a reverse tunnel would be to stop if you are the admin of the work machine.



Using OpenSSL to encrypt and decrypt files

Instead of using a special program to encrypt and decrypt files, such as passwords or financial data, you can just use OpenSSL. You can pass any file into OpenSSL and, using a password as the key, encrypt it. The best part is that any OS, be it Linux, OpenBSD, NetBSD, Mac OS X, or even Windows, can use this method as long as OpenSSL is installed. For example, we have some random file called "calomel". Use the following commands to encrypt and then decrypt this file.

to encrypt (-e):
 openssl aes-256-cbc -a -e -salt -in calomel -out calomel.aes

to decrypt (-d):
 openssl aes-256-cbc -a -d -salt -in calomel.aes -out calomel
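The two commands above hide what "-salt", "-a" and the password actually produce on disk, which matters when you later need to recognise or troubleshoot such a file. The script below is an added example, not from the original page: it builds and parses the container that `openssl enc -salt` writes (the 8-byte magic "Salted__", an 8-byte random salt, then the ciphertext, all base64-encoded by "-a") and reproduces the EVP_BytesToKey derivation that turns the password and salt into the AES key and IV. It assumes the legacy default of OpenSSL before 1.1.0 (MD5, one iteration), which is what the 2013 commands above used; OpenSSL 1.1.0 changed the default digest to SHA-256 and 1.1.1 added "-pbkdf2". AES is not in the Python standard library, so decryption itself is left out; the ciphertext bytes in the demo are a constructed placeholder.

```python
"""Inspect the file format written by "openssl aes-256-cbc -a -salt".

Added example, not from the original page.  Assumption: OpenSSL < 1.1.0
defaults (EVP_BytesToKey with MD5, count=1); pass digest="sha256" for 1.1.0+.
"""
import base64
import hashlib
import os

MAGIC = b"Salted__"          # 8-byte header openssl enc writes when -salt is used


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest="md5"):
    """EVP_BytesToKey with count=1: D_i = H(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available (3 MD5 rounds
    for aes-256-cbc: 32-byte key + 16-byte IV)."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def make_container(salt, ciphertext, armored=True):
    """Assemble what openssl enc -salt emits; ciphertext is opaque here (constructed)."""
    raw = MAGIC + salt + ciphertext
    return base64.b64encode(raw) if armored else raw


def parse_container(data, armored=True):
    """Return (salt, ciphertext); salt is None when the file was made without -salt."""
    raw = base64.b64decode(data) if armored else data   # b64decode ignores newlines
    if not raw.startswith(MAGIC) or len(raw) < 16:
        return None, raw
    return raw[8:16], raw[16:]


def derive_for_file(data, password, armored=True, digest="md5"):
    """Recover the (key, iv) openssl would use for a given container and password."""
    salt, _ = parse_container(data, armored)
    return evp_bytes_to_key(password, salt or b"", 32, 16, digest)


if __name__ == "__main__":
    # Constructed demo: random salt, placeholder ciphertext, two passwords
    # differing only in case derive unrelated keys.
    blob = make_container(os.urandom(8), b"\x00" * 32)
    for pw in (b"correct horse", b"Correct horse"):
        key, iv = derive_for_file(blob, pw)
        print(pw.decode(), "key:", key.hex()[:16] + "...", "iv:", iv.hex()[:16] + "...")
    # Note for defenders: the container carries no MAC.  A flipped byte in a
    # middle ciphertext block decrypts to different plaintext with no error
    # from "openssl -d"; only the final padding check can fail, and only for
    # damage to the last two blocks.
```

A file that starts with the bytes "Salted__" (or, after "-a", with the base64 prefix "U2FsdGVk") is the tell-tale of this format. The salt is what makes two encryptions of the same file with the same password produce different keys and output; the password alone, through a single MD5 round, is the weak point, which is why newer OpenSSL releases moved to SHA-256 and offer "-pbkdf2" with an iteration count.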




