Crypto-configuration demo

Below is a demonstration of crypto-configuration.

Run ssh-audit on a stock Kinetic Kudu system

This demo relies on ssh-audit to analyze and report on the configuration of OpenSSH on Kinetic Kudu. It connects to an SSH server, performs a handshake and extracts the server's advertised configuration.
$ ssh-audit 127.0.0.1
# general
(gen) banner: SSH-2.0-OpenSSH_9.0p1 Ubuntu-1ubuntu7.1
(gen) software: OpenSSH 9.0p1
(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com    -- [warn] using experimental algorithm
                                            `- [info] available since OpenSSH 8.5
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73

# host-key algorithms
(key) rsa-sha2-512 (3072-bit)               -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (3072-bit)               -- [info] available since OpenSSH 7.2
(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves
                                            `- [warn] using weak random number generator could reveal the key
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
                                            `- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) umac-64-etm@openssh.com               -- [warn] using small 64-bit tag size
                                            `- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com             -- [warn] using weak hashing algorithm
                                            `- [info] available since OpenSSH 6.2
(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
                                            `- [warn] using small 64-bit tag size
                                            `- [info] available since OpenSSH 4.7
(mac) umac-128@openssh.com                  -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
                                            `- [warn] using weak hashing algorithm
                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28

# fingerprints
(fin) ssh-ed25519: SHA256:+vPCaTIU89LqUir+suxvXDKZp6envMEQAg8R36MwuL8
(fin) ssh-rsa: SHA256:K5ETZ+fltVAgDxVAPSvvXyKXMiwRvBWJo+Xincv+NZs

# algorithm recommendations (for OpenSSH 9.0)
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove 
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove 
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove 
(rec) -hmac-sha1                            -- mac algorithm to remove 
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove 
(rec) -hmac-sha2-256                        -- mac algorithm to remove 
(rec) -hmac-sha2-512                        -- mac algorithm to remove 
(rec) -sntrup761x25519-sha512@openssh.com   -- kex algorithm to remove 
(rec) -umac-128@openssh.com                 -- mac algorithm to remove 
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove 
(rec) -umac-64@openssh.com                  -- mac algorithm to remove 

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

Create the hardened profile for OpenSSH

Create a configuration chunk that removes the algorithms that we want to exclude. The leading '-' tells sshd to remove the listed algorithms from its built-in default set rather than replace the whole list, so any new defaults shipped by a later OpenSSH upgrade are kept.
$ cat /etc/cc/hardened/openssh/10-crypto-configuration.conf
KexAlgorithms -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com
HostKeyAlgorithms -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
MACs -umac-64-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Create the counterparts of this file in other profiles.
$ touch /cc/custom/openssh/10-crypto-configuration.conf
$ touch /cc/default/openssh/10-crypto-configuration.conf
OpenSSH reads every file in /etc/ssh/sshd_config.d, so a single symlink is enough and the main configuration file does not need to be edited. At the moment, the symlink points to the (empty) file in the default profile.
$ ln -s '/etc/cc/current/openssh/10-crypto-configuration.conf' '/etc/ssh/sshd_config.d/10-crypto-configuration.conf'

Run crypto-configuration hardened

$ crypto-configuration-switch hardened
Switching crypto-configuration profile to 'hardened' (was 'default').
$ systemctl reload ssh

Run ssh-audit on a hardened system

$ ssh-audit 127.0.0.1
# general
(gen) banner: SSH-2.0-OpenSSH_9.0p1 Ubuntu-1ubuntu7.1
(gen) software: OpenSSH 9.0p1
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73

# host-key algorithms
(key) rsa-sha2-512 (3072-bit)               -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (3072-bit)               -- [info] available since OpenSSH 7.2
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
                                            `- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:+vPCaTIU89LqUir+suxvXDKZp6envMEQAg8R36MwuL8
(fin) ssh-rsa: SHA256:K5ETZ+fltVAgDxVAPSvvXyKXMiwRvBWJo+Xincv+NZs
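To tie the first audit to the configuration chunk, here is an added Python helper (not part of the demo, of crypto-configuration or of ssh-audit) that turns the "(rec) ... algorithm to remove" lines into the '-'-prefixed sshd_config directives used above and lists any [fail]/[warn] findings still present in a re-audit after the reload. The sample audit lines are constructed from the output shown above.

```python
import re
from collections import defaultdict

# Constructed sample: a few "(rec)" lines and two finding lines taken from
# the stock Kinetic Kudu audit above (not a complete ssh-audit run).
STOCK_AUDIT = """\
(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves
(mac) umac-64-etm@openssh.com               -- [warn] using small 64-bit tag size
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -sntrup761x25519-sha512@openssh.com   -- kex algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
"""

# ssh-audit section tag -> sshd_config keyword that controls that list
KEYWORDS = {"kex": "KexAlgorithms", "key": "HostKeyAlgorithms", "mac": "MACs"}
REC_RE = re.compile(r"^\(rec\)\s+-(\S+)\s+--\s+(kex|key|mac) algorithm to remove")
FINDING_RE = re.compile(r"\[(fail|warn)\]")


def removals(audit_text):
    """Group the algorithms ssh-audit recommends removing by section tag."""
    groups = defaultdict(list)
    for line in audit_text.splitlines():
        m = REC_RE.match(line)
        if m:
            groups[m.group(2)].append(m.group(1))
    return dict(groups)


def config_chunk(audit_text):
    """Emit sshd_config lines with the '-' prefix, which removes the listed
    algorithms from sshd's default set instead of replacing the whole list."""
    groups = removals(audit_text)
    lines = []
    for tag, keyword in KEYWORDS.items():
        if groups.get(tag):
            lines.append(f"{keyword} -{','.join(groups[tag])}")
    return "\n".join(lines)


def open_findings(audit_text):
    """Return the [fail]/[warn] lines still present in a (re-)audit."""
    return [l.strip() for l in audit_text.splitlines() if FINDING_RE.search(l)]


if __name__ == "__main__":
    print(config_chunk(STOCK_AUDIT))
    print("findings:", len(open_findings(STOCK_AUDIT)))
```

An empty result from open_findings on the post-reload output is the "fully green" state the demo reaches, but as the closing words note, a tool's preferences are the starting point for the profile, not the profile itself.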

Closing words

This all looks very simple, why do we even need it?

If this looked simple, then the goal is reached!

Beyond the fact that this was only a demonstration, the real difficulty lies in the number of options, their exact meaning and their consequences. Most users do not want to move to the most hardened setup; they want to keep some compatibility with older software. The fact that our OpenSSH has kept these algorithms enabled is a testament to the need to move carefully.

If all that is required is a few lines of configuration and symlinks, why will it take so long?

Each individual change is simple to implement but can be difficult to weigh. If all upstream configuration values were always good, distributions and sysadmins would never need to change them.

We also need to create consistent profiles that are meaningful to users. Our profiles need to cover libraries such as openssl, gnutls and nss, but also language ecosystems such as python, rust, java and go. Enabling or disabling an algorithm needs to be done across all of these so as not to create traps for users.

In some cases, code changes will also be required. For instance, python hard-codes specific openssl settings. Later on, we will also list applications that change crypto settings and make them stick to system-wide defaults. Even OpenSSH could benefit from some patches (e.g. to forbid small DH moduli).

Lastly, there are tools like ssh-audit and sslscan to report on the configuration of SSH and SSL/TLS servers respectively, but I am not aware of a similar tool for Kerberos. Such tools are immensely useful: rather than working blindly, one can work in a manner that resembles Test-Driven Development.

But at least OpenSSH will only take a couple days, right?

OpenSSH is probably one of the simpler packages to deal with, but there are many more things to take into account compared to what has been shown above.

For instance, ssh-audit does not mark sntrup761x25519-sha512@openssh.com as experimental anymore. I removed it in the hardened profile for this demo because that made the output of ssh-audit fully green, but we will not merely copy a tool's preferences when actually creating the profiles. We will also need to assess the compatibility of our choices, which can be very complicated and lengthy.

I believe your planning is too pessimistic

The reason this topic has seen little development so far is that doing it properly requires handling all libraries, languages and applications. The work planned for the upcoming release only covers some of the libraries and languages that are in main. If we are able to finish earlier than planned, we will simply work on libraries and languages from the second or third batches.