SSH-Audit


SSH (secure shell) is a widely-used protocol for remote administration of Unix and Linux servers. The default configuration of many SSH server implementations includes several potentially insecure settings in order to maintain compatibility with outdated client software. The ssh-audit tool (website, GitHub) can be used to check the server settings and recommend changes to improve security.

Installation

SSH-audit is a Python package and is available through PyPI (pip install ssh-audit). Distribution packages are available for Debian GNU/Linux (including Debian-based distributions such as Ubuntu and Kali) and FreeBSD. (See pkgs.org for details.) The source code is hosted on GitHub and is available under the MIT License.

Usage

To scan a server, simply run ssh-audit <server> in a terminal. This will print a report showing version numbers and supported cryptographic algorithms, classified into [info] (no known problems), [warn] (minor problems), and [fail] (major vulnerabilities). On terminals supporting coloured output, these categories will also be colour-coded green, orange and red respectively.

As an example, here is the output from scanning an OpenSSH server running on Ubuntu 18.04 with the default configuration:

# general
(gen) banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
(gen) software: OpenSSH 7.6p1
(gen) compatibility: OpenSSH 7.3+, Dropbear SSH 2016.73+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256                     -- [warn] unknown algorithm
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256  -- [warn] using custom size modulus (possibly weak)
                                            `- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1           -- [warn] using weak hashing algorithm
                                            `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53

# host-key algorithms
(key) ssh-rsa                               -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) rsa-sha2-512                          -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256                          -- [info] available since OpenSSH 7.2
(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves
                                            `- [warn] using weak random number generator could reveal the key
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
                                            `- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) umac-64-etm@openssh.com               -- [warn] using small 64-bit tag size
                                            `- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com             -- [warn] using weak hashing algorithm
                                            `- [info] available since OpenSSH 6.2
(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
                                            `- [warn] using small 64-bit tag size
                                            `- [info] available since OpenSSH 4.7
(mac) umac-128@openssh.com                  -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
                                            `- [warn] using weak hashing algorithm
                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28

# algorithm recommendations (for OpenSSH 7.6)
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove 
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove 
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove 
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove 
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove 
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove 
(rec) -hmac-sha1                            -- mac algorithm to remove 
(rec) -hmac-sha2-256                        -- mac algorithm to remove 
(rec) -hmac-sha2-512                        -- mac algorithm to remove 
(rec) -umac-64@openssh.com                  -- mac algorithm to remove 
(rec) -umac-128@openssh.com                 -- mac algorithm to remove 
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove 
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove 


There are options to filter with a minimum severity, increase or decrease the verbosity of the output, or control the network connection. Run ssh-audit --help for more details.

Implementing the recommendations

If the scanned server is using vulnerable algorithms, ssh-audit will end its report with a list of recommendations for algorithms to disable. For example, the ecdsa-sha2-nistp256 digital signature algorithm is considered unsafe because the NIST P-256 elliptic curve has some unexplained parameter choices which could contain a backdoor - see Daniel J. Bernstein’s SafeCurves website for more information. The ssh-audit website has some SSH hardening guides for various operating systems.

For the commonly-used OpenSSH server, the relevant configuration file is /etc/ssh/sshd_config. The configuration options are defined in the manual: run man sshd_config or see the online manual. The relevant configuration options that should be edited are:

  • KexAlgorithms - this corresponds to the (kex) recommendations.
  • HostKeyAlgorithms - this corresponds to the (key) recommendations.
  • Ciphers - this corresponds to the (enc) recommendations.
  • MACs - this corresponds to the (mac) recommendations.

If these settings are not already present in the file then you can add them, but make sure to put them before any Match sections so that they apply to all connections.
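
As an added example (not part of the original article or of ssh-audit itself), the following Python code reads the (rec) lines of a report and turns them into sshd_config directives using the mapping listed above. It assumes the "-" prefix form described in sshd_config(5) for OpenSSH 7.5 and later, which removes the named algorithms from the default list; the function names are hypothetical.

```python
import re

# Report category -> sshd_config option, as listed in the article.
OPTION_FOR = {
    "kex": "KexAlgorithms",
    "key": "HostKeyAlgorithms",
    "enc": "Ciphers",
    "mac": "MACs",
}

# Matches e.g. "(rec) -hmac-sha1    -- mac algorithm to remove"
REC_LINE = re.compile(
    r"^\(rec\)\s+-(\S+)\s+--\s+(kex|key|enc|mac) algorithm to remove$"
)

# Excerpt of the Ubuntu 18.04 report above, plus one non-(rec) line.
SAMPLE_REPORT = """\
(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
"""


def removals_from_report(report):
    """Group the algorithms marked for removal by sshd_config option."""
    grouped = {}
    for line in report.splitlines():
        match = REC_LINE.match(line.strip())
        if match:
            algorithm, category = match.groups()
            grouped.setdefault(OPTION_FOR[category], []).append(algorithm)
    return grouped


def sshd_config_lines(grouped):
    """Render one directive per option, using the '-' prefix so the named
    algorithms are removed from the defaults rather than replacing them."""
    return [
        "{} -{}".format(option, ",".join(algorithms))
        for option, algorithms in grouped.items()
    ]


if __name__ == "__main__":
    # Review the output, then place it before any Match section.
    print("\n".join(sshd_config_lines(removals_from_report(SAMPLE_REPORT))))
```

Check the edited file with sshd -t before restarting the service. The generated HostKeyAlgorithms line is subject to the host key caution described later in this article.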

The following settings are not checked by ssh-audit, but they also describe signature algorithms, meaning that the recommendations for HostKeyAlgorithms are equally valid for them:

  • CASignatureAlgorithms
  • HostbasedAcceptedKeyTypes
  • PubkeyAcceptedKeyTypes

Host key trust problems

Caution: Changing the HostKeyAlgorithms line can cause clients to get a scary warning message about the host key changing:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

The best way to avoid this is to have all clients add UpdateHostKeys yes (or UpdateHostKeys ask for the paranoid) to their SSH client configuration (~/.ssh/config for OpenSSH) and log in to the SSH server before the HostKeyAlgorithms option is changed. This will ensure that all the server’s host keys are stored in the client’s known_hosts file so that, even if one of them is disabled by the HostKeyAlgorithms change, the other host keys will already be trusted by the client.

Conclusion

The ssh-audit tool is easy to install and run, and the recommendations can be applied easily (with the exception of HostKeyAlgorithms - see the above caution). However, because it only checks the initial stage of protocol negotiation, before the user authentication process has begun, ssh-audit is not able to detect insecure authentication settings. For a fully hardened SSH server, you should also audit the permitted authentication methods.

Chris Kerr