A Golang implementation of sshsecure.py - harden OpenSSH. https://r00t2.io/
Go to file
2020-09-18 18:01:16 -04:00
moduli adding GPL 2020-09-18 18:01:16 -04:00
sshkeys adding GPL 2020-09-18 18:01:16 -04:00
.gitignore initial commit 2020-08-31 03:22:37 -04:00
go.mod checking in some more research and primitive functions. i cannot, for the life of me, figure out why i can't (seemingly) properly decrypt private keys. 2020-09-17 08:37:05 -04:00
go.sum checking in some more research and primitive functions. i cannot, for the life of me, figure out why i can't (seemingly) properly decrypt private keys. 2020-09-17 08:37:05 -04:00
LICENSE adding GPL 2020-09-18 18:01:16 -04:00
README.md adding GPL 2020-09-18 18:01:16 -04:00
TODO adding GPL 2020-09-18 18:01:16 -04:00

SSHSecure

Why?

Compared to something like rsh, SSH (Secure SHell) is a vast step ahead in terms of security. Since its birth, it's seen functionality increase by leaps and bounds. OpenSSH, by far the most deployed SSH implementation, pays special attention to security. However, due to:

  • making various compromises for ease of use
  • unexpected vulnerabilities (are there ever any expected vulnerabilities?) such as Logjam
  • those deploying SSH not being cryptographic experts
  • the NSA making a concerted effort to compromise OpenSSH
  • etc.

the default configuration and keys used may not be the strongest they can be (and in some cases, user configuration can be downright dangerous to security).

This software will harden your OpenSSH security as much as possible to currently known weaknesses.

How?

This program will generate/replace:

  • your hostkeys (typically /etc/ssh/ssh_host_*_key*)
  • the client keys (~/.ssh/id_*) for the running user
  • your sshd (server) configuration (typically /etc/ssh/sshd_config)
  • your system-wide ssh (client) configuration (typically /etc/ssh/ssh_config)
  • the ssh (client) configuration for the running user (~/.ssh/config)
  • the SSH DH parameters (typically /etc/ssh/moduli)

with much stronger implementations from typical/upstream defaults.

It takes the recommendations from Secure Secure Shell (and perhaps other sources) and automatically applies them.

It will create backups of any file(s) it replaces and automatically rolls back sshd configuration changes if it does not pass the syntax check (sshd -t) to avoid accidentally locking you out.

The first time you run it, it will quite possibly take a very long time. This is because it's generating fresh DH parameters, which is a very time-consuming process. Subsequent runs will not take as long, however, as checks are put in place to determine if custom DH parameters have been generated or not yet. If it's running on a GNU/Linux system and you have haveged installed, that will significantly speed up the process (SSHSecure will start it automatically if it isn't running already).

FAQ

Why a binary?

I originally wrote this as a python script. However, some machines don't have the python interpreter installed and due to the lack of low-level access, I ended up making a lot of calls to the shell anyways.

I wrote it in Golang so the source would be easily read for audit purposes.