Harden SSH in CentOS 8
Posted: 2019/12/28 18:15:58
It's important to restrict SSH to specific high-grade ciphers, MACs and keys. The default setup is rather "loose" for backwards compatibility.
A typical hardened setup uses the following changes in /etc/ssh/sshd_config:
Code:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
Unfortunately, the above lines won't work in CentOS 8 because the sshd daemon is called with separate parameters that override the sshd_config options. If you look at the sshd service (/usr/lib/systemd/system/sshd.service) you will find the $CRYPTO_POLICY variable that is read by the service from the current "crypto policy", a major difference from CentOS 7.
To actually make changes, we need to modify the current policy, which by default is called.... DEFAULT. The file that contains the crypto policy for sshd is /etc/crypto-policies/back-ends/opensshserver.config, which is a symbolic link to the default policy at /usr/share/crypto-policies/DEFAULT/opensshserver.txt, which we modify as:
Code:
CRYPTO_POLICY='-oCiphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com -oMACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256@libssh.org -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com'
Now a "systemctl restart sshd" should give you a hardened sshd. Of course I expect everyone to use keys, so all other modifications that you usually do still apply.
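Since the CRYPTO_POLICY line, not sshd_config, decides what the CentOS 8 sshd actually offers, a practitioner wants a way to audit that line after editing it. The following POSIX shell script is an added example (not part of the original post) that parses the -o options out of an opensshserver.config-style file and reports algorithm names that a stricter baseline would drop; the file path and the list of legacy names are this example's assumptions.

```shell
#!/bin/sh
# Added example: audit the CRYPTO_POLICY line that CentOS 8's sshd.service
# passes to sshd. The legacy-algorithm list below is an assumption for this
# example, not something the crypto-policies package defines.

# Print the comma-separated value of one -o<Option>=... inside CRYPTO_POLICY='...'
# Usage: policy_opt FILE OPTION   -> e.g. "curve25519-sha256@libssh.org"
policy_opt() {
    sed -n "s/^CRYPTO_POLICY='\(.*\)'\$/\1/p" "$1" |
        tr ' ' '\n' |
        sed -n "s/^-o$2=//p"
}

# SHA-1 / CBC / legacy names a hardened baseline leaves out (assumed list).
WEAK_ALGOS='ssh-rsa ssh-rsa-cert-v01@openssh.com ssh-dss hmac-sha1 hmac-md5
3des-cbc aes128-cbc aes256-cbc diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1
gss-gex-sha1- gss-group14-sha1-'

# Print "OPTION algorithm" for every legacy name still allowed by the policy
# line in FILE; return 1 if any were found, 0 if the line is clean.
audit_policy() {
    audit_file=$1
    audit_found=0
    for opt in Ciphers MACs KexAlgorithms GSSAPIKexAlgorithms \
               HostKeyAlgorithms PubkeyAcceptedKeyTypes; do
        for algo in $(policy_opt "$audit_file" "$opt" | tr ',' ' '); do
            for weak in $WEAK_ALGOS; do
                if [ "$algo" = "$weak" ]; then
                    echo "$opt $algo"
                    audit_found=1
                fi
            done
        done
    done
    return $audit_found
}

# Typical use on a CentOS 8 host (run by hand, not executed here):
#   audit_policy /etc/crypto-policies/back-ends/opensshserver.config
```

Run against the policy line shown in the post, the audit reports the ssh-rsa entries in HostKeyAlgorithms and PubkeyAcceptedKeyTypes and the two GSSAPI SHA-1 key-exchange names, which is exactly what `sshd_config` alone would not reveal.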