
Add OpenSSH 8 recommendations


Hi Joe,

The tool currently suggests recommended settings for OpenSSH 7.6, but I currently have OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019, so it would be great to have up-to-date kex/mac/etc. recommendations on what to enable, disable, and so on. There might be such in the official docs, but the tool should make it easy to find them via its output.

# algorithm recommendations (for OpenSSH 7.6)
...

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 11 (5 by maintainers)


jtesta commented, Aug 23, 2019

I followed this guide since published: https://stribika.github.io/2015/01/04/secure-secure-shell.html

That’s funny, because that exact same guide is what got me into this SSH hardening topic years ago! It hasn’t been updated in a while, though, so I made my own based on it here: https://www.sshaudit.com/hardening_guides.html.

The Encrypt-and-MAC design introduced much more attack surface (see DJM’s blog post about it here; he’s the OpenSSH maintainer: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html). Encrypt-then-MAC (ETM) doesn’t have these problems, but it introduces another issue: the plaintext packet lengths are exposed. So the question is: is it better to use the EAM algorithms with their problems, or ETM and get a higher risk of traffic analysis? Generally, it seems people are leaning towards ETM being a little bit better.

(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove

The above algorithms are flagged as warnings (not failures), because they use the EAM method instead of ETM. The tool recommends that all algorithms that have at least warnings be removed. I didn’t change this behavior; that’s how it worked before.
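The EAM-versus-ETM trade-off described in the comment above, as an added example that is not part of the original thread or of ssh-audit: a toy model of the two SSH packet framings in which an Encrypt-and-MAC receiver has to decrypt and parse unauthenticated bytes before it can even locate the tag, while an Encrypt-then-MAC receiver verifies first but leaves the packet length readable to anyone on the path. The keystream function is a constructed stand-in for the real cipher, and the keys, sequence numbers and messages are made up.

```python
import hashlib
import hmac
import struct

def keystream(key, seq, n):
    # Toy counter-mode keystream standing in for the real cipher (constructed; NOT a real cipher).
    blocks = (hashlib.sha256(key + struct.pack(">II", seq, i)).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tag(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()  # 32-byte HMAC-SHA-256 tag

def eam_send(enc_key, mac_key, seq, payload):
    # Encrypt-and-MAC (hmac-sha2-256, umac-128@openssh.com style): the MAC covers the plaintext
    # packet, and the whole packet, 4-byte length field included, is encrypted.
    packet = struct.pack(">I", len(payload)) + payload
    return xor(packet, keystream(enc_key, seq, len(packet))) + tag(mac_key, struct.pack(">I", seq) + packet)

def eam_recv(enc_key, mac_key, seq, wire):
    # Returns (ok, payload, bytes_decrypted_before_mac_check). The length is encrypted, so
    # the receiver must decrypt and parse unauthenticated bytes just to find the tag.
    ks = keystream(enc_key, seq, len(wire))
    (length,) = struct.unpack(">I", xor(wire[:4], ks[:4]))
    end = 4 + length
    packet = xor(wire[:end], ks[:end])  # decrypted before anything has been verified
    ok = hmac.compare_digest(wire[end:end + 32], tag(mac_key, struct.pack(">I", seq) + packet))
    return ok, (packet[4:] if ok else b""), len(packet)

def etm_send(enc_key, mac_key, seq, payload):
    # Encrypt-then-MAC (*-etm@openssh.com style): the length stays in the clear, only the
    # payload is encrypted, and the MAC covers seq || length || ciphertext.
    length = struct.pack(">I", len(payload))
    ct = xor(payload, keystream(enc_key, seq, len(payload)))
    return length + ct + tag(mac_key, struct.pack(">I", seq) + length + ct)

def etm_recv(enc_key, mac_key, seq, wire):
    # Returns (ok, payload, bytes_decrypted_before_mac_check). Nothing is decrypted until the
    # tag verifies, but the length field is readable by anyone on the path.
    (length,) = struct.unpack(">I", wire[:4])
    ct, t = wire[4:4 + length], wire[4 + length:4 + length + 32]
    if not hmac.compare_digest(t, tag(mac_key, struct.pack(">I", seq) + wire[:4] + ct)):
        return False, b"", 0
    return True, xor(ct, keystream(enc_key, seq, length)), 0

def length_on_wire(wire):
    # What a passive observer reads as the packet length from the first four bytes.
    return struct.unpack(">I", wire[:4])[0]
```

Flipping one ciphertext byte shows the difference: the EAM receiver has already decrypted the whole packet when the tag check fails, whereas the ETM receiver rejects it without decrypting anything.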

immanuelfodor commented, Aug 27, 2019

Wow, bookmarked it!

