ssh-audit
Audit sshd features
There's the sshd -T feature. It checks the validity of the /etc/ssh/sshd_config configuration file and outputs the effective configuration to stdout and then exits.
I thought this may be an interesting and easy way to audit the effective server settings.
That is, it would be possible to check not only the configured algorithms but also insecure or dangerous features (e.g. X11Forwarding, Agent-Forwarding, etc.).
Obviously, this check would only run locally (i.e. not remotely), but it would make sshd hardening easier.
Also, checking the bit sizes of the configured SSH host keys (e.g. RSA >= 2048 bit) would be another useful local check.
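The local check proposed above, as an added example that is not part of ssh-audit or this issue: it parses the keyword/value lines that sshd -T prints, flags the forwarding features named above when they are enabled, and checks host key sizes from ssh-keygen -l output (the sample outputs and the 2048-bit RSA minimum from the issue are constructed/assumed here; the live path needs root for sshd -T).

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `sshd -T` output; sshd prints keywords in lowercase.
SAMPLE_SSHD_T = """\
port 22
x11forwarding yes
allowagentforwarding yes
permitrootlogin without-password
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
"""
# Constructed sample of `ssh-keygen -l -f <hostkey>` output, one line per key.
SAMPLE_KEYGEN_L = [
    "1024 SHA256:AAAA... root@host (RSA)",
    "256 SHA256:BBBB... root@host (ED25519)",
]
# Features the issue calls dangerous when enabled, and the RSA minimum it suggests.
RISKY_WHEN_YES = {"x11forwarding", "allowagentforwarding"}
MIN_BITS = {"RSA": 2048}
KEYGEN_RE = re.compile(r"^(\d+)\s+\S+\s+.*\((\w+)\)\s*$")


def parse_sshd_t(text: str) -> Dict[str, List[str]]:
    """Parse `sshd -T` output into {keyword: [values]}; keywords like hostkey repeat."""
    cfg: Dict[str, List[str]] = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def audit_features(cfg: Dict[str, List[str]]) -> List[str]:
    """Report risky features that are effectively enabled (sshd's default is 'no')."""
    return [f"{opt} is enabled" for opt in sorted(RISKY_WHEN_YES)
            if cfg.get(opt, ["no"])[0] == "yes"]


def audit_key_sizes(keygen_lines: List[str]) -> List[str]:
    """Report host keys below the minimum size for their type."""
    findings = []
    for m in filter(None, map(KEYGEN_RE.match, keygen_lines)):
        bits, ktype = int(m.group(1)), m.group(2)
        if bits < MIN_BITS.get(ktype, 0):
            findings.append(f"{ktype} host key is {bits} bits (< {MIN_BITS[ktype]})")
    return findings


def run_live() -> List[str]:
    """Local-only audit of the running sshd; not used by the offline sample run."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    cfg = parse_sshd_t(out)
    lines = [subprocess.run(["ssh-keygen", "-l", "-f", p], capture_output=True,
                            text=True, check=True).stdout.strip() for p in cfg.get("hostkey", [])]
    return audit_features(cfg) + audit_key_sizes(lines)


if __name__ == "__main__":
    for finding in audit_features(parse_sshd_t(SAMPLE_SSHD_T)) + audit_key_sizes(SAMPLE_KEYGEN_L):
        print("WARN", finding)
```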