
Don't recommend editing /etc/ssh/sshd_config directly on Debian or derivatives

Open cjwatson opened this issue 11 months ago • 4 comments

For Debian and its derivatives, https://www.ssh-audit.com/hardening_guides.html has something like this in each case:

echo -e "\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config

This has two problems.

Firstly, please don't advise people to append text directly to /etc/ssh/sshd_config, as it may cause configuration file conflicts on upgrades that they'll need to resolve; you're already using /etc/ssh/sshd_config.d/ssh-audit_hardening.conf elsewhere, so you might as well do so consistently.

Secondly, in general the fewer configuration options you need to set the better, and I think these are completely unnecessary. You already ensured in a previous step that only the host keys that your guide prescribes are present, and the selection order is essentially controlled by the ordering of the client's proposal anyway. I think you can just remove this step entirely and simplify your guide.

cjwatson avatar Jan 27 '25 12:01 cjwatson

Correct. Do not edit the ssh_config/sshd_config in /etc/ssh.

Do insert app-specific or system-hardening-specific settings under their corresponding /etc/ssh/ssh_config.d or /etc/ssh/sshd_config.d subdirectory.

Pay attention to ordering of SSH commands, notably after Match statements.

There are some easy bash scripts to deal with this.

https://github.com/egberts/easy-admin/tree/main/490-net-ssh

egberts avatar Jan 29 '25 00:01 egberts
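The two points above (put hardening in a sshd_config.d drop-in rather than appending to sshd_config, and watch where directives land relative to Match) can be checked without a running sshd. The script below is an added example, not code from ssh-audit or from anyone in this thread: it builds a constructed Debian-style layout in a temp directory (the Match block and file contents are invented for the demo), expands Include the way sshd does, lists the effective HostKey directives, and flags directives that ended up after a Match line, where sshd would refuse them. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from ssh-audit or the issue's authors): simulate a
# Debian-style /etc/ssh layout in a temp dir and show why a HostKey line
# belongs in sshd_config.d/*.conf rather than appended to sshd_config.
# All file contents below are constructed; the Match block is included
# deliberately to expose the ordering problem.
set -eu

make_fixture() {
  dir="$1"
  mkdir -p "$dir/sshd_config.d"
  # Debian ships sshd_config with the Include as its first directive, so
  # drop-ins are read before anything else in the file. A relative Include
  # path is resolved against the config directory, as sshd does for /etc/ssh.
  cat > "$dir/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
#HostKey /etc/ssh/ssh_host_rsa_key
KbdInteractiveAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
  cat > "$dir/sshd_config.d/ssh-audit_hardening.conf" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
EOF
}

# The append the issue objects to: it lands after the Match block.
append_to_main() {
  printf '\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key\n' >> "$1/sshd_config"
}

# Print file $2 with every Include expanded in place (glob order, like sshd).
expand_includes() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      Include\ *)
        pat="${line#Include }"
        case "$pat" in /*) ;; *) pat="$1/$pat" ;; esac
        for f in $pat; do
          if [ -f "$f" ]; then expand_includes "$1" "$f"; fi
        done ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$2"
}

# HostKey accumulates rather than first-wins, so the effective list is every
# HostKey in the global section, in order; the first Match ends that section.
effective_hostkeys() {
  expand_includes "$1" "$1/sshd_config" | awk '
    /^[ \t]*(#|$)/ { next }
    $1 == "Match" { exit }
    $1 == "HostKey" { print $2 }'
}

# Directives sshd does not permit inside a Match block that ended up after
# one. "sshd -t" would reject such a file; this catches it without sshd.
misplaced_after_match() {
  expand_includes "$1" "$1/sshd_config" | awk '
    /^[ \t]*(#|$)/ { next }
    $1 == "Match" { m = 1; next }
    m && ($1 == "HostKey" || $1 == "KexAlgorithms" || $1 == "Ciphers" || $1 == "MACs") { print $1 }'
}

count_lines() { wc -l | tr -d ' '; }

tmp=$(mktemp -d)
make_fixture "$tmp"
echo "drop-in:  host keys = $(effective_hostkeys "$tmp" | tr '\n' ' ')"
echo "drop-in:  misplaced = $(misplaced_after_match "$tmp" | count_lines)"
append_to_main "$tmp"
echo "appended: misplaced = $(misplaced_after_match "$tmp" | count_lines)"
rm -rf "$tmp"
```

With the drop-in alone, the two HostKey lines are in effect and nothing is misplaced; after the appended block, two HostKey directives sit below the Match line, which is exactly the kind of breakage that only shows up on the next sshd restart. On a real host, `sshd -T` prints the effective configuration and `sshd -t` validates it; this script only reproduces the Include and Match ordering rules so the check can run anywhere.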

Thanks for the feedback! Next block of free time I get, I'll see what happens when the changes to sshd_config are removed.

The reason they were included to begin with is that, in the past, some systems would automatically re-generate DSA & ECDSA keys and activate them when no HostKey directives were explicitly mentioned. Perhaps newer systems no longer do this.

Thanks again!

jtesta avatar Jan 29 '25 16:01 jtesta

I know I've been behind in this, but two things I should mention are: 1.) I'll be putting more time into it soon, and 2.) I plan on putting the hardening guides into a git repo so that the community can make PRs directly!

jtesta avatar Jul 26 '25 21:07 jtesta

One good reason for switching to blacklists includes this: if the hardening script creates files, they can remain there and not block newer algorithms on upgrade. Here, I've put hardening in those files:

/etc/ssh/ssh_config.d/ssh-audit_hardening.conf
/etc/ssh/sshd_config.d/ssh-audit_hardening.conf

perkelix avatar Sep 06 '25 12:09 perkelix

@jtesta @egberts @cjwatson Hello All,

I have made an attempt to migrate the SSH Hardening Guides from here: https://www.ssh-audit.com/hardening_guides.html into GitHub Pages.

Repo here: https://github.com/oam7575/ssh_hardening_guides

GitHub Pages here: https://oam7575.github.io/ssh_hardening_guides/index.html

Typing mistakes aside, the git version should be one to one with the ssh-audit page, with several minor exceptions being

  • Legacy Guides have been split to their own HTML
  • Clients have been split to their own HTML
  • Logos have been moved into a sub directory

@jtesta I split the legacy / client / logos out with the thought that you wanted the community to be able to make PRs for faster updates, so thought it best to start splitting things up a bit from the beginning.

Feel free to clone the repo or send comments.

Cheers OAM

oam7575 avatar Dec 13 '25 07:12 oam7575