Tool: OpenSSHd Security Configuration Checker
Tool: Check your SSHd configuration for security flaws
For years one of our services for customers has been to check the security of their servers' configuration. Part of this task can be automated, so this is what we came up with:
./sshdcc -dc 'sudo sshd -f /dev/null -T'
------------------------------------------------------------------------------
This is OpenSSHd Security Config Checker 0.1
 - (c) 2018 SektionEins GmbH / Ben Fuhrmannek - https://sektioneins.de/
 - download -> https://github.com/sektioneins/sshdcc
running on Darwin 17.6.0 x86_64 with Tcl 8.6 with TTY
started at 2018-07-03 13:54:50
------------------------------------------------------------------------------
additional live system checks are enabled
loading defaults from command sudo sshd -f /dev/null -T
Password: <enter your password for sudo here>
scanning file /etc/ssh/sshd_config

## RESULTS ##

(1) [WARNING] login via any authentication method is allowed
    #> SYSTEM DEFAULT: authenticationmethods any
    It is usually a good idea to restrict authentication methods to those actually required, e.g. 'publickey'. Please change this setting.

(2) [NOTICE] using default cipher list
    #> SYSTEM DEFAULT: ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    Depending on the version, SSH's default cipher list may contain really old ciphers, likely for compatibility with older versions. Try 'ssh -Q cipher' and choose current and secure ciphers as suitable.

(3) [NOTICE] login via password is allowed
    #> SYSTEM DEFAULT: passwordauthentication yes
    Public key based authentication methods are considered much more secure. Unless your configuration contains some kind of one-time-password, e.g. via PAM, this setting should be changed to 'no'.

(4) [NOTICE] extra environment variable accepted by pattern: LANG
    #> LINE 108: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure, that this variable pattern is actually required.

(5) [NOTICE] extra environment variable accepted by pattern: LC_*
    #> LINE 108: AcceptEnv LANG LC_*
    The default is not to accept any environment variables. Please make sure, that this variable pattern is actually required.

(6) [INFO] using default list of algorithms
    #> SYSTEM DEFAULT: pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    The default is most likely suitable. Otherwise, please check 'ssh -Q key' for a list of available algorithms.

(7) [INFO] using default list of algorithms
    #> SYSTEM DEFAULT: hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    The default is most likely suitable. Otherwise, please check 'ssh -Q key' for a list of available algorithms.

(8) [INFO] using default list of algorithms
    #> SYSTEM DEFAULT: hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    The default is most likely suitable. Otherwise, please check 'ssh -Q key' for a list of available algorithms.

(9) [INFO] using default list of key exchange algorithms
    #> SYSTEM DEFAULT: kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
    The default may be perfectly fine for you. Otherwise, please check 'ssh -Q kex' for a list of available algorithms.

(10) [INFO] using default list of MAC algorithms
    #> SYSTEM DEFAULT: macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    This is most likely ok. Check out 'ssh -Q mac' for a list of available algorithms to choose from.

done.
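The core of such a checker is small: parse the effective configuration that `sshd -T` prints (lowercased keyword, one setting per line), apply a rule per keyword, and emit a finding with severity, description, recommendation and the line in question, optionally as CSV. The following is an added example written for this page in Python, not sshdcc's own Tcl code. It reproduces the checks behind results (1), (3), (4) and (5) above and goes one step further than result (2) by flagging individual legacy cipher names. The sample `sshd -T` outputs, the `Finding` class and the `LEGACY_CIPHER_MARKERS` list are constructed for the example; the defaults assumed when a keyword is absent (`authenticationmethods any`, `passwordauthentication yes`) mirror the system defaults shown in the output above.

```python
"""Minimal sshd configuration checker (illustrative example, not sshdcc)."""
import csv
import io
from dataclasses import dataclass

# Constructed sample of `sshd -T` output: keywords lowercased, one setting per
# line, repeated keywords (acceptenv) on separate lines.
SAMPLE_SSHD_T = """\
port 22
authenticationmethods any
passwordauthentication yes
pubkeyauthentication yes
acceptenv LANG
acceptenv LC_*
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
"""

# Constructed hardened counterpart: key-only login, no env passthrough.
HARDENED_SSHD_T = """\
port 22
authenticationmethods publickey
passwordauthentication no
pubkeyauthentication yes
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
"""

# Assumption: cipher names containing these fragments are treated as legacy.
LEGACY_CIPHER_MARKERS = ("-cbc", "arcfour", "3des", "blowfish", "cast128")


@dataclass
class Finding:
    severity: str        # WARNING, NOTICE or INFO
    description: str
    recommendation: str
    line: str            # the effective configuration line in question


def parse_sshd_t(text):
    """Parse `sshd -T` output into {keyword: [value, ...]}.

    Values are kept in a list because some keywords (e.g. acceptenv) repeat.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        config.setdefault(keyword.lower(), []).append(value.strip())
    return config


def check_config(config):
    """Apply one rule per keyword and return the list of findings in order."""
    findings = []
    methods = config.get("authenticationmethods", ["any"])[0]
    if methods == "any":
        findings.append(Finding("WARNING", "login via any authentication method is allowed",
            "restrict AuthenticationMethods to those actually required, e.g. 'publickey'",
            f"authenticationmethods {methods}"))
    if config.get("passwordauthentication", ["yes"])[0] == "yes":
        findings.append(Finding("NOTICE", "login via password is allowed",
            "set PasswordAuthentication to 'no' unless one-time passwords via PAM are in use",
            "passwordauthentication yes"))
    for pattern in config.get("acceptenv", []):
        findings.append(Finding("NOTICE", f"extra environment variable accepted by pattern: {pattern}",
            "the default accepts no variables; confirm this pattern is required",
            f"acceptenv {pattern}"))
    ciphers = config.get("ciphers", [""])[0]
    weak = [c for c in ciphers.split(",") if any(m in c for m in LEGACY_CIPHER_MARKERS)]
    if weak:
        findings.append(Finding("WARNING", "legacy ciphers enabled: " + ",".join(weak),
            "remove them; see 'ssh -Q cipher' for current algorithms",
            f"ciphers {ciphers}"))
    return findings


def findings_to_csv(findings):
    """Render findings as CSV (header plus one row per finding)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["severity", "description", "recommendation", "line"])
    for f in findings:
        writer.writerow([f.severity, f.description, f.recommendation, f.line])
    return buf.getvalue()


if __name__ == "__main__":
    for i, f in enumerate(check_config(parse_sshd_t(SAMPLE_SSHD_T)), 1):
        print(f"({i}) [{f.severity}] {f.description}\n    #> {f.line}\n    {f.recommendation}")
```

On a live host the text fed to `parse_sshd_t` would come from `sshd -T` (as root, since the server needs to read its host keys), which is exactly what the `-dc` option in the run above does; feeding a static `sshd_config` instead would require its own parser, because that file is not lowercased and may contain Match blocks.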
Features
Online mode and offline mode (check live system or just config files)
Color coded result list
CSV export for simple post-processing
Checks for common mistakes
Checks for restricted Match-blocks
Result contains a severity indicator, description, recommendation and the configuration line in question
Download
The full source code is available on GitHub.