Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More secure sshd defaults #561

Closed
2 tasks done
swalkinshaw opened this issue Apr 12, 2016 · 8 comments
Closed
2 tasks done

More secure sshd defaults #561

swalkinshaw opened this issue Apr 12, 2016 · 8 comments
Labels
enhancement under development

Comments

@swalkinshaw
Copy link
Member

Submit a feature request or bug report

  • This is a feature request
  • This request isn't a duplicate of an existing issue

What is the current behavior?

sshd may result in insecure-defaults like using RC4 cypher.

What is the expected or desired behavior?

Just like with SSL we should have better more secure defaults for sshd.

Feature Request

Please provide use cases for changing the current behavior:

Security!

Other relevant information:

See https://discourse.roots.io/t/do-we-need-ssh-rc4-cipher-enabled/6438/6
@aried3r
Copy link

aried3r commented Apr 17, 2016

I'm very interested in this, any idea how is this going to be tackled? Using something like ansible-ssh-hardening or doing your own?

@swalkinshaw
Copy link
Member Author

@aried3r that role looks decent from a quick glance. We could use something like that or just add our own changes to the sshd config.

We're actually already using another role that we imported: https://github.com/roots/trellis/tree/master/roles/sshd

So we could switch or just update that template. If you're interested in helping let us know 👍

@aried3r
Copy link

aried3r commented May 26, 2016

I'm interested. :)

Personally, I'd use ansible-ssh-hardening because it is maintained so changes there don't have to be reflected and implemented in your own config, especially with vulnerabilities showing up.

What do you think?

@swalkinshaw
Copy link
Member Author

@aried3r sorry never replied to this. https://github.com/dev-sec/ansible-ssh-hardening looks good. Would you be interested in implementing it?

@isynergy-development
Copy link

@swalkinshaw Is this still something you want to see implemented? I never saw ansible-ssh-hardening before and now I'm most likely going to integrate it with my setup.

@swalkinshaw
Copy link
Member Author

@isynergy-development yep 👍

@RiFi2k
Copy link
Contributor

RiFi2k commented Dec 4, 2016

@swalkinshaw I got this pretty much finished, I currently have tested it locally and have it deployed on my live staging server.

Just need to test and verify sftp is still going to be working as expected because ssh-hardening is using internal-sftp with chroot directories (which is safer anyways) but obviously users that are used to using sftp will most likely want to access the web root instead of the user home folder which is default. I only use ssh in my normal day to day but I'm going to try and make a point to finish up this test and submit a PR soon.

@RiFi2k RiFi2k mentioned this issue Dec 6, 2016
Merged
@fullyint fullyint mentioned this issue Dec 25, 2016
Closed
@fullyint fullyint mentioned this issue Jan 29, 2017
Merged
@fullyint
Copy link
Contributor

closed by #744

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement under development
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@swalkinshaw @aried3r @fullyint @RiFi2k @isynergy-development