Secure Shell (SSH) is a method to securely communicate between computers. This page will discuss SSH under the context of the OpenSSH server.


Theory & Cryptography[edit | edit source]

SSH supports different key exchange algorithms, ciphers, and message authentication codes (MACs). The server and client negotiates and chooses a set of these algorithms that are supported by both and then proceeds with the key exchange.

Key Exchange[edit | edit source]

SSH handles key exchange using one of two ways: Diffie-Hellman and Elliptic Curve Diffie-Hellman. A shared secret is generated between the client and server for every session which will be used as the key, thereby providing forward secrecy.

Diffie-Hellman works with a multiplicative group of integers modulo a prime. Its security is based on the hardness of the discrete logarithm problem.

Elliptic Curve Diffie-Hellman works with elliptic curves over finite fields. Its security is based on the hardness of the elliptic curve discrete logarithm problem.

Authentication[edit | edit source]

With a shared secret derived from Diffie-Hellman, the client and server need to prove to each other they are who they are.

The server proves its identity to the client by signing the shared secret (the key) using a public key algorithm.

The client proves its identity to the server by using:

  1. Password authentication
  2. Public Key Authentication (same as the server's)

Symmetric Ciphers[edit | edit source]

With a shared key in place, data can be encrypted and decrypted between the client and server using symmetric ciphers.

Message Authentication Codes[edit | edit source]

Message authentication codes provide integrity. An authenticated encryption cipher mode already provides integrity, so extra MACs are not used. MACs are calculated and attached to every message if CTR is used.

There are multiple ways to combine ciphers and MACs:

  • Encrypt-then-MAC: encrypt the message, then attach the MAC of the ciphertext.
  • MAC-then-encrypt: attach the MAC of the plaintext, then encrypt everything.
  • Encrypt-and-MAC: encrypt the message, then attach the MAC of the plaintext.

MAC-then-encrypt and Encrypt-and-MAC are prone to leak information because attackers can control an aspect of the system and perform timing attacks (eg: verifying a message vs. decrypting a message for Encrypt-and-MAC).


Configuration[edit | edit source]

Server-side Configuration[edit | edit source]

Here are a few things you should do on the server side configuration to secure OpenSSH.

Disable Weak Key Exchange Protocols[edit | edit source]

SSH supports a few protocols containing different factors:

  1. ECDH curve choice
  2. Bit size of the DH modulus
  3. The hash function.

To provide good security:

  • Avoid NIST curves - they leak data and cannot be trusted.
  • Bit sizes smaller than 1024 does not provide sufficient security
  • Do not use SHA1

This means, your sshd_config should contain:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

And your ssh_config should contain:

Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Prime numbers smaller than 2000 bits should also be removed from the /etc/ssh/moduli file (the 5th column).

Disable Weak Server Authentication[edit | edit source]

There are 4 public key algorithms for server authentication.

  1. DSA with SHA1
  2. ECDSA with SHA256, SHA384 or SHA512 depending on key size
  3. Ed25519 with SHA512
  4. RSA with SHA1

For security:

  1. Do not use SSH v1
  2. Avoid DSA which requires exactly 1024 bits.
  3. Avoid NIST (ECDSA uses it)
  4. DSA and ECDSA requires randomness for its signatures. If random numbers are bad, it is possible to recover the secret key.

Using SHA1 here is not an issue if the value being signed is using something stronger (eg SHA2).

Your sshd_config should contain:

Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

Disable Weak Symmetric Ciphers[edit | edit source]

For security:

  1. Do not use DES and RC4 ciphers
  2. At least 128 bits
  3. Do not use Blowfish and Cast128 block ciphers since they use 64 bit block sizes.
  4. Authenticated Encryption ciphers should be used so MAC isn't required. But CTR with Encrypt then MAC is also fine.

Your sshd_config should contain:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

Your ssh_config should contain:

Host *
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

Disable Weak MACs[edit | edit source]

For security:

  1. Do not use MD5 or SHA1 hashing algorithms
  2. Encrypt-then-MAC only
  3. Tag and key size must be at least 128 bits

Your sshd_config should contain:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

PermitRootLogin[edit | edit source]

The PermitRootLogin option specifies whether root can log in. It must be one of:

  1. yes to allow root login with password or public key authentication.
  2. no to disallow root login.
  3. prohibit-password to only allow public key authentication for login. This is the default. without-password is a deprecated alias.
  4. force-commands-only to only allow public key authentication for commands.

Client-side Configuration[edit | edit source]

You can customize SSH's default behavior using a SSH configuration file located at ~/.ssh/config.

Defining custom hosts in your SSH config file allows you to connect to a host by its name without needing to specify details such as username, port, and keys.

Host dev
    HostName dev.example.com
    Port 2222
    User leo

With the host defined, connecting to dev.example.com only requires executing ssh dev without any other arguments required.

Use Case: GitHub[edit | edit source]

If you ever have more than one set of SSH private keys, defining a custom host is virtually required in order to make use of services such as GitHub or GitLab where pushing git changes requires key based SSH authentication.

Host github.com
    User git
    Port 22
    IdentityFile ~/.ssh/github_rsa

With that defined, ssh github.com will connect you as git using the private key github_rsa.

Tips & Tricks with SSH[edit | edit source]

Tar Pipe[edit | edit source]

You can send files via SSH using tar:

# tar -czvf - /dir | ssh root@server "cat > ~/dir.tar.gz"

Forward Tunnel[edit | edit source]

You can create a tunnel through your SSH connection to access services that may be behind a firewall or NAT. There are 3 types of tunnels:

Local, to access a specific port on the host you are connected to. Local tunnels allow you to access a remote port locally. You can forward any port to access a remote TCP service that may be behind a firewall.

Local Tunnel via SSH

You can create a local tunnel with the -L local_port:remote_address:remote_port.

Remote, to access a specific port on the client machine from the server:

Remote Tunnel via SSH

You can create a remote tunnel using -L remote_port:local_address:local_port.

Dynamic, to use the server as a proxy.

Dynamic Tunnel via SSH

You can create a dynamic tunnel using -D local_port. Use 127.0.0.1:local_port as a SOCKS5 proxy.

Host Config[edit | edit source]

You may customize a host within the ~/.ssh/config file and use a shorthand name to connect to servers. For example:

Host xyz
    Hostname full.host.name.com  (or 1.2.3.4)
    User my-username
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_x_ed25519

The shorthand name xyz can then be used with ssh xyz.

SSH Connection Sharing[edit | edit source]

If you have multiple SSH connections to a server, you may want to enable ControlMaster and ControlPath so that subsequent connections shares the existing TCP connection. This will cause SSH to multiplex multiple sessions through the single connection reducing the need to authenticate again. Keep in mind that the first connection must remain open for the other sessions to work.

Host x
    ...
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p

This feature is nice for scripts that rely heavily on executing commands on a remote server.

Proxy Jump[edit | edit source]

You can use a host as an intermediate server transparently.

ssh -J user@intermediate user@finaldestination
ssh -J user@intermediate1,user@intermediate2 user@finaldestination

This is equivalent to setting the host with the ProxyJump option:

Host finaldestination
    ProxyJump user@intermediate
ssh user@finaldestination

Using hostname matching in the SSH configuration file, you can make a '-via-x' suffix that will automatically do the proxying. More information at https://jloh.co/posts/dynamic-ssh-jump-hosts/, but the gist of it is to define:

Host *-via-dc1
    ProxyCommand ssh you@jump-01.example.com nc $(echo %h | sed 's/-via-dc1$//') %p

Copying Public Key[edit | edit source]

Use the ssh-copy-id command to automatically append to a remote host's .ssh/authorized_keys file.

$ ssh-copy-id -i ~/.ssh/id_x_ed25519.pub x

Alternatively, use

$ cat ~/.ssh/id_x_ed25519.pub

Custom MOTD for specific users or groups[edit | edit source]

The /etc/ssh/sshd_config allows conditional options applied to specific users or groups (or many other criteria) using the Match directive.

To show a specific user a custom login banner:

Match User leo
        Banner /etc/motd-leo

This applies to groups as well:

Match Group awesome-group
        Banner /etc/motd-group

Reload the SSH daemon to apply.

See Also[edit | edit source]

Enable Dark Mode!