Don't recommend editing /etc/ssh/sshd_config directly on Debian or derivatives

[cjwatson]

For Debian and its derivatives, https://www.ssh-audit.com/hardening_guides.html has something like this in each case:

echo -e "\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config

This has two problems.

Firstly, please don't advise people to append text directly to /etc/ssh/sshd_config, as it may cause configuration file conflicts on upgrades that they'll need to resolve; you're already using /etc/ssh/sshd_config.d/ssh-audit_hardening.conf elsewhere, so you might as well do so consistently.

Secondly, in general the fewer configuration options you need to set the better, and I think these are completely unnecessary. You already ensured in a previous step that only the host keys that your guide prescribes are present, and the selection order is essentially controlled by the ordering of the client's proposal anyway. I think you can just remove this step entirely and simplify your guide.

[egberts]

Correct. Do not edit the ssh_config/sshd_config in /etc/ssh.

Do insert app-specific or system-harden-specific under their corresponding /etc/ssh/ssh_config.d or /etc/ssh/sshd_config.d subdirectory.

Pay attention to ordering of SSH command, notable after Match statements.

There are some easy bash scripts to deal with this.

https://github.com/egberts/easy-admin/tree/main/490-net-ssh

[jtesta]

Thanks for the feedback! Next block of free time I get, I'll see what happens when the changes to sshd_config are removed. The reason they were included to begin with is that, in the past, some systems would automatically re-generate DSA & ECDSA keys and activate them when no HostKey directives were explicitly mentioned. Perhaps newer systems no longer do this. Thanks again!

[jtesta]

I know I've been behind in this, but two things I should mention are: 1.) I'll be putting more time into it soon, and 2.) I plan on putting the hardening guides into a git repo so that the community can make PRs directly!

[perkelix]

One good reason for switchign to blacklists includes this: if the hardening script creates files, they can remain there and not block newer algorithms on upgrade. Here, I've put hardening in those files:

/etc/ssh/ssh_config.d/ssh-audit_hardening.conf
/etc/ssh/sshd_config.d/ssh-audit_hardening.conf

[oam7575]

@jtesta @egberts @cjwatson
Hello All,

I have made an attempt to migrate the SSH Hardening Guides from here : https://www.ssh-audit.com/hardening_guides.html into Github pages.

Repo here : https://github.com/oam7575/ssh_hardening_guides

Git hub pages here : https://oam7575.github.io/ssh_hardening_guides/index.html

Typing mistakes aside; the git version should be one to one with the ssh-audit page with several minor exceptions being

• Legacy Guides have been split to their own HTML
• Clients have been split to their own HTML
• Logos have been moved into a sub directory

@jtesta
I split the legacy / client / logos out with the thought that you wanted the community to be able to make PRs for faster updates, so thought it best to start splitting things up a bit from the beginning.

Feel free to clone the repo or send comments.

Cheers
OAM

[egberts]

Nice. In the cut-n-paste regions, might be more readable if the configure keys were new-lined, and backslashes were appeneded at the end of each line (except for the last line of each key).

[oam7575]

Hi Egberts.

Regarding readability, I agree with your thoughts for the new lines.

Looking into that - I have realized that my formatting of the HTML has broken the copy/paste due to new lines and CR in the raw html.

I have made an update to the Ubuntu 24.04 Server guide as an example / test of some changes before updating anything else.
https://oam7575.github.io/ssh_hardening_guides/index.html#ubuntu_24_04_lts

Thoughts?

[egberts]

One good reason for switchign to blacklists includes this: if the hardening script creates files, they can remain there and not block newer algorithms on upgrade. Here, I've put hardening in those files:

/etc/ssh/ssh_config.d/ssh-audit_hardening.conf
/etc/ssh/sshd_config.d/ssh-audit_hardening.conf

One last thing with regard to the two subdirectories of ssh[d]_config.d name is that ordering of files read are in strictly alphanumeric order.

Most installation use 2-3 digit numeric prefix to handle all their ordering.

If i may, suggest using 'zzz_' as such prefix notation like in 'zzz_ssh[d]_audit_hardening'

And if such a file were to be created, to post output a warning that breakup may be required to ensure that it doesn't fall into one of those subdirectories setup that is missing an 'all match'.

'match address all' may or may not be the last one. There could be a set of 'non-matchable' keyword directive config after that match-all.