SSHDCC Release
Tool Update / New Release: SSHDCC 0.3 of the OpenSSH Security Configuration Checker
About
SSHDCC checks your OpenSSH server configuration file for possible security improvements. The check can be performed either on a live Linux/BSD/macOS machine or on a remote machine via SSH/SCP.
Compatibility
SSHDCC can check OpenSSH config files from version 7.6 (2018) (and probably earlier) up to version 10.0 (2025) (and likely later versions).
What's new in 0.3?
new and updated checks for OpenSSH 10.0
internal rewrite and numerous updated checks and fixes
Example run
$ curl -o sshdcc-0.3.tar.gz https://codeload.github.com/sektioneins/sshdcc/tar.gz/refs/tags/v0.3
$ tar zxvf sshdcc-0.3.tar.gz
...
$ cd sshdcc-0.3
$ ./sshdcc -dc0
------------------------------------------------------------------------------
OpenSSHd Security Config Checker v0.3.0
(c) 2018-2025 SektionEins GmbH / Ben Fuhrmannek - https://sektioneins.de/
https://github.com/sektioneins/sshdcc
running on Darwin 24.6.0 arm64 with Tcl 9.0 with TTY
started at 2025-08-26 13:21:53
------------------------------------------------------------------------------
additional live system checks are enabled
loading defaults from command 'sudo sshd -f /dev/null -T'
Password:
scanning file /etc/ssh/sshd_config

## RESULTS ##

(1) [WARNING] login via any authentication method is allowed
    #> SYSTEM DEFAULT: authenticationmethods any
    It is usually a good idea to restrict authentication methods to those actually required, e.g. 'publickey'. Please change this setting.

(2) [WARNING] Required RSA key size is rather weak
    #> SYSTEM DEFAULT: requiredrsasize 1024
    While 1024 may be the default, enforcing at least 3072 bits for RSA keys is highly recommended.

(3) [NOTICE] using default cipher list
    #> SYSTEM DEFAULT: ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    Depending on the version, SSH's default cipher list may contain really old ciphers, likely for compatibility with older versions. Try 'ssh -Q cipher' and choose current and secure ciphers as suitable.

(4) [NOTICE] login via password is allowed
    #> SYSTEM DEFAULT: passwordauthentication yes
    Public key based authentication methods are considered much more secure. Unless your configuration contains some kind of one-time-password, e.g. via PAM, this setting should be changed to 'no'.

(5) [NOTICE] extra environment variable accepted by pattern: LANG
    #> /etc/ssh/sshd_config.d/100-macos.conf LINE 3: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure, that this variable pattern is actually required.

(6) [NOTICE] extra environment variable accepted by pattern: LC_*
    #> /etc/ssh/sshd_config.d/100-macos.conf LINE 3: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure, that this variable pattern is actually required.

(7) [INFO] using default list of algorithms
    #> SYSTEM DEFAULT: hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
    The default is most likely suitable. Otherwise, please check 'ssh -Q key' for a list of available algorithms.

(8) [INFO] using default list of key exchange algorithms
    #> SYSTEM DEFAULT: kexalgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    The default may be perfectly fine for you. Otherwise, please check 'ssh -Q kex' for a list of available algorithms.

(9) [INFO] using default list of MAC algorithms
    #> SYSTEM DEFAULT: macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    This is most likely ok. Check out 'ssh -Q mac' for a list of available algorithms to choose from.

(10) [INFO] user rc is enabled
    #> SYSTEM DEFAULT: permituserrc yes
    This is the default, but it may be a security risk in a restricted environment, e.g. without user shell access.

done.
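To show what the findings above amount to in code, here is an added example of a minimal checker that parses the keyword/value output of 'sudo sshd -f /dev/null -T' (the same source sshdcc loads its defaults from) and reproduces the checks from findings (1), (2), (4), (5)/(6) and (10), using the thresholds and defaults stated in those findings. This is not sshdcc's code (sshdcc is written in Tcl) and its severity labels, default values and the two sample inputs are constructed here; the cipher, key exchange and MAC findings, which need a site-specific allowlist, are left out.

```python
"""Added example: a minimal sshd_config policy checker in the spirit of the
sshdcc findings above. Not sshdcc's code; it reproduces only the checks
whose thresholds appear in the example run."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of `sudo sshd -f /dev/null -T` output
# (one lowercase keyword and value per line). Not captured from a real host;
# the values are chosen so that every check below fires once.
SAMPLE_SSHD_T = """\
authenticationmethods any
requiredrsasize 1024
passwordauthentication yes
permituserrc yes
acceptenv LANG
acceptenv LC_*
"""

# Constructed hardened counterpart: the values the findings above recommend,
# so the checker should report nothing for it.
HARDENED_SSHD_T = """\
authenticationmethods publickey
requiredrsasize 3072
passwordauthentication no
permituserrc no
"""

MIN_RSA_BITS = 3072  # threshold recommended in finding (2) above


@dataclass(frozen=True)
class Finding:
    severity: str  # WARNING / NOTICE / INFO, mirroring sshdcc's labels
    keyword: str
    message: str


def parse_sshd_t(text: str) -> dict[str, list[str]]:
    """Parse `sshd -T` output into keyword -> list of values.

    Repeatable keywords such as acceptenv are printed once per value, so
    every keyword maps to a list; single-valued keywords have one element."""
    config: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        config.setdefault(keyword.lower(), []).append(value.strip())
    return config


def first(config: dict[str, list[str]], keyword: str, default: str) -> str:
    """Return a keyword's single value, or the OpenSSH default assumed here."""
    return config.get(keyword, [default])[0].lower()


def check(config: dict[str, list[str]]) -> list[Finding]:
    """Apply the checks from findings (1), (2), (4), (5)/(6) and (10)."""
    findings: list[Finding] = []
    # (1) AuthenticationMethods defaults to 'any'
    if first(config, "authenticationmethods", "any") == "any":
        findings.append(Finding("WARNING", "authenticationmethods",
            "login via any authentication method is allowed; restrict to e.g. 'publickey'"))
    # (2) RequiredRSASize defaults to 1024; at least 3072 is recommended
    rsa_bits = first(config, "requiredrsasize", "1024")
    if rsa_bits.isdigit() and int(rsa_bits) < MIN_RSA_BITS:
        findings.append(Finding("WARNING", "requiredrsasize",
            f"required RSA key size {rsa_bits} is below {MIN_RSA_BITS}"))
    # (4) PasswordAuthentication defaults to yes
    if first(config, "passwordauthentication", "yes") == "yes":
        findings.append(Finding("NOTICE", "passwordauthentication",
            "login via password is allowed; prefer public key authentication"))
    # (5)/(6) each AcceptEnv pattern lets the client set more of the environment
    for value in config.get("acceptenv", []):
        for pattern in value.split():
            findings.append(Finding("NOTICE", "acceptenv",
                f"extra environment variable accepted by pattern: {pattern}"))
    # (10) PermitUserRC defaults to yes
    if first(config, "permituserrc", "yes") == "yes":
        findings.append(Finding("INFO", "permituserrc",
            "user rc is enabled; a risk in restricted environments without shell access"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings per severity label, e.g. {'WARNING': 2, ...}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_T), ("hardened", HARDENED_SSHD_T)):
        results = check(parse_sshd_t(text))
        print(f"== {name}: {severity_counts(results)}")
        for n, f in enumerate(results, 1):
            print(f"({n}) [{f.severity}] {f.keyword}: {f.message}")
```

On a real host the input would come from the same 'sudo sshd -f /dev/null -T' command the run above uses, which is why the checker reads the effective, lowercased values rather than the raw config file: it then sees system defaults and Include'd fragments (such as the 100-macos.conf line in findings 5 and 6) exactly as sshd applies them.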
Download
The full source code is available on GitHub.