From 64359e2eed2a126dd8732cfb8738a5e28cb3dcad Mon Sep 17 00:00:00 2001 From: Adar Nimrod <nimrod@shore.co.il> Date: Fri, 12 Mar 2021 21:36:46 +0200 Subject: [PATCH] SSH security. - Replace the RSA key for GitHub with an ed25519 one. - Refactor the security configuration in 99_default. Make them easier to maintain by sepcifying what *not* to use. - In the OpenSSH 8.5 release notes it is mentioned that the ssh-rsa signature scheme will be deperecated. Be proactive and disable it. - Replace the RSA key for *.shore.co.il with a ed25519 one (keep to the ecdsa so as not to just a single key). Keep it for ea6350, Dropbear in OpenWRT 19.07 doesn't support other key types. --- .ssh/config.d/20_github | 2 +- .ssh/config.d/20_shore | 5 +++-- .ssh/config.d/99_default | 18 ++++++++++++------ 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/.ssh/config.d/20_github b/.ssh/config.d/20_github index 3b5a103..eb0b6b7 100644 --- a/.ssh/config.d/20_github +++ b/.ssh/config.d/20_github @@ -4,4 +4,4 @@ Host github.com User git -IdentityFile ~/Documents/github_rsa +IdentityFile ~/Documents/github_ed25519 diff --git a/.ssh/config.d/20_shore b/.ssh/config.d/20_shore index a858be5..7850ad3 100644 --- a/.ssh/config.d/20_shore +++ b/.ssh/config.d/20_shore @@ -9,13 +9,14 @@ Host host01.shore.co.il ns4.shore.co.il LocalForward 9090 localhost:9090 Host ea6350.shore.co.il +IdentityFile ~/Documents/Shore/shore_rsa User root LocalForward 8080 localhost:80 Host git.shore.co.il +IdentityFile ~/Documents/Shore/gitlab_ed25519 HostName host01.shore.co.il Port 2222 -IdentityFile ~/Documents/Shore/gitlab_ed25519 Host cgit.shore.co.il HostName host01.shore.co.il @@ -26,5 +27,5 @@ Port 2222 Host *.shore.co.il 192.168.3.* IdentityFile ~/Documents/Shore/shore_ecdsa -IdentityFile ~/Documents/Shore/shore_rsa +IdentityFile ~/Documents/Shore/shore_ed25519 User nimrod diff --git a/.ssh/config.d/99_default b/.ssh/config.d/99_default index 99e71b6..951ba8a 100644 --- a/.ssh/config.d/99_default +++ b/.ssh/config.d/99_default @@ -1,8 +1,14 @@ # vim:ft=sshconfig -# Copied from -# https://wiki.mozilla.org/Security/Guidelines/OpenSSH?source=techstories.org#Modern -HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +# Based on: +# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern +# but instead of specifying what to use (more maintenance especially with +# different OSes and releases), specify what not to use. The baseline is +# ElementaryOS Hera, aka Ubuntu Bionic. +# http://manpages.ubuntu.com/manpages/bionic/en/man5/ssh_config.5.html +Ciphers -aes128-cbc,aes192-cbc,aes256-cbc +HostbasedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com +HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com +KexAlgorithms -diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 +MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1 +PubkeyAcceptedKeyTypes -ssh-rsa-cert-v01@openssh.com,ssh-rsa -- GitLab