* Re-generate (and enable) the RSA and ED25519 keys

* Remove small Diffie-Hellman moduli

* Restrict supported key exchange, cipher, and MAC algorithms

As an ignorant of security matters, my obvious question is: if these are such an important thing to configure, why servers don't come with them done by default? There must be thousands of people who don't know about this guide, don't necessarily know a lot about security hardening, and would benefit from more secure defaults.

I get "because compatibility" might be a reason, but that would only maybe apply to the last point, wouldn't it?

[1]: https://www.ssh-audit.com/hardening_guides.html

That is not to say that any of those things actually happened; it’s just that the most paranoid/defense-oriented view is not to trust what the OS did for you, but to do it yourself.

A distro provider is incentivized to find a local optimum between security and compatibility and has no idea about your environment.

You have much more context about your environment- you know what you need to connect to, what needs to connect to you, and what ciphers, key length, and other configuration that you must support. Therefore if you take all that into account you might be able to optimize for security by disabling compatibility options you don’t need.

BTW this answer is pretty much the same when it comes to hardening any security feature of any OS. Vendors/distributors do a good job of hardening but you might be able to lock things down just a little further.

As long as that's what you actually do. If instead you want a checklist to blindly execute to "harden" your system, then the grandparent commenter is correct: either your can accept that your distribution's defaults are actually good enough, or you're removing functionality such that you'll find a hurdle you've left for yourself sooner or later.

I reckon on average a distro ssh maintainer is more aware than an average end user following a hardening guide, even with mistakes like that one.

I'm unsure of ssh_host_* and it's importance, however on some hosts I manage the "ssh_host_rsa" key is only 2048 bits. Would regenerating "ssh_host_rsa" to be larger (4096 bits) not be an improvement?

Just to give two examples: It recommends disabling diffie hellman with 2048 bit. There isn't even the slightest evidence that any attack might be possible on that size. It's just based on some policy recommendations that convert DH size to key strength and it ends up being below 128 bit.

It recommends disabling HMAC-SHA1. Now, SHA1 is not collission resistant. But HMAC is not affected by this weakness. Therefore there's no real risk.

Generally, OpenSSH has already improved algorithm security quite a lot over the years and everything that is remotely close to a real attack is disabled by default.

On another note, this helped me solve a an issue [1], where I could not disable some weak HMAC algorithms.

[1]: https://unix.stackexchange.com/q/758814/380381

Unfortunately, Dropbear doesn't appear to support any Encrypt-then-MAC algorithms, so I can't get my swarm of OpenWRT routers all green.

I'll figure it out. I'm currently planning the update to 23.05, anyway.

If you're compiling OpenWRT yourself, you can easily just switch them out in your base image, too.

[1] https://openwrt.org/docs/guide-user/additional-software/extr...

[1] https://gitlab.com/engmark/root/-/merge_requests/395/diffs

That seems a bit paranoid

Webcrypto had missing support in some browsers too (though that was rsa-only on firefox for a while, unsure if ed25519 was added)

If they got to DJB, there is nothing we can do except nuke ourselves pre-emptively!

https://securitycryptographywhatever.com/2023/10/12/the-nist...

That most do TOFU wrong¹ does not make TOFU itself insecure.

Most do do TOFU wrong though. In DayJob I run an SFTP-to-Azure-storage relay⁴ for clients to send automated feeds from third-party systems via that method⁵, and it wasn't until one client reported getting the wrong fingerprint that we noticed we were outputting the UAT and Live system values back-to-front in the on-boarding details, and had been doing for some time so at least a few other clients⁶ had just blindly accepted a different fingerprint to the documented one…

--

[1] Anyone else remember way way way back² when browsers stopped trusting self-signed certificates, or at least started shouting loudly about them? There was many a heated discussion with some who kept repeating “well TOFU is good enough for SSH” and wouldn't accept that 1. TOFU isn't as secure as they think it is the way they are using it and 2. They were accepting the risk for only themselves³ with SSH & TOFU-done-a-bit-wrong, which might be OK to them, but with HTTPS+TOFU on public sites they were essentially making that risk choice for everyone, which is not OK.

[2] somewhere in the very early 2000s?

[3] and their users

[4] Until recently there was no built-in support for this in Azure, and the recently-left-preview implementation is ~£186 per month per storage account which works out very expensive for our current storage-account-per-client layout (so without a refactor that might breach our client data separation policies running a small VM⁷ with my BIY service built around Blob-FUSE works out far cheaper)

[5] We offer “more modern” APIs for such things too, but SFTP is still the most widely supported method (often the only supported method) by the other software/infrastructure used by our clients

[6] and these are investment banks, who you'd like to think were properly paranoid about a transport mechanism they'll be sending business information and customer PII through…

[7] actually, a couple of small VMs and a little infrastructure for HA

If verifying the fingerprint is such a key aspect of TOFU, then the dialog should be an input instead of an output. "Input here the expected fingerprint" in order to allow connecting. You'd have received it by some other means, and would type or copy-paste it into the terminal to finish the verification process. Et voila, safe TOFU completed!

https://en.m.wikipedia.org/wiki/Trust_on_first_use

>If no identifier exists yet for the endpoint, the client software will either prompt the user to confirm they have verified the purported identifier is authentic, or if manual verification is not assumed to be possible in the protocol, the client will simply trust the identifier which was given and record the trust relationship into its trust database.

Verifying the fingerprint out-of-band is the opposite of TOFU. TOFU is generally understood to mean not verifying it, but flagging if it changes later.

In other words it's secure if you don't do TOFU and do out-of-band verification instead.