Harden SSH in CentOS 8

Support for security such as Firewalls and securing linux
Post Reply
User avatar
KernelOops
Posts: 174
Joined: 2013/12/18 15:04:03
Location: xfs file system

Harden SSH in CentOS 8

Post by KernelOops » 2019/12/28 18:15:58

Its important to restrict SSH to specific high-grade ciphers, macs and keys. The default setup is rather "loose" for backwards compatibility.

A typical hardened setup uses the following changes in /etc/ssh/sshd_config:

Code: Select all

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
Unfortunately, the above lines won't work in CentOS 8 because the sshd daemon is called with separate parameters that override the sshd_config options. If you look at the sshd service (/usr/lib/systemd/system/sshd.service) you will find the $CRYPTO_POLICY variable that is read by the service from the current "crypto policy", a major difference from CentOS 7.

To actually make changes, we need to modify the current policy, which by default its called.... DEFAULT. The file that contains the crypto policy for sshd is /etc/crypto-policies/back-ends/opensshserver.config, which is a symbolic link to the default policy at /usr/share/crypto-policies/DEFAULT/opensshserver.txt, which we modify as:

Code: Select all

CRYPTO_POLICY='-oCiphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com -oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256@libssh.org -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com'
Now a "systemctl restart sshd" should give you a hardened sshd. Of course I expect everyone to use keys, so all other modifications that you usually do still apply.
--
I love my computer - all my friends live there.
--

User avatar
jlehtone
Posts: 2482
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Harden SSH in CentOS 8

Post by jlehtone » 2019/12/29 12:04:40

Interesting.

Most of those files belong to 'crypto-policies' package, that has also man pages: 'crypto-policies' and 'update-crypto-policies'.
How much does FUTURE differ from your hardening?

'nss-3.44.0-8.el8' has dropped in file /etc/crypto-policies/local.d/nss-p11-kit.config that the update-crypto-policies has merged;
the /etc/crypto-policies/back-ends/nss.config is a file, rather than symlink.
Alas, manual says that the local.d overrides do not apply to ssh and sshserver.

Post Reply

Return to “CentOS 8 - Security Support”