sshd hardening with post-quantum algorithms

sshd_hardening.md

Modern(er) version of https://infosec.mozilla.org/guidelines/openssh configuration, including post-quantum algorithms.

Example usage:

./sshd_hardening.sh | tee /etc/ssh/sshd_config.d/sshd_hardening.conf
rc-service sshd restart || service sshd restart || systemctl restart sshd

Check the current runtime sshd config to make sure that the hardening is effective:

sshd -T | less

If you're still seeing:

** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html

this could mean that your sshd version is ancient or there is something wrong with the configuration

You can check the sshd version with:

sshd -V

and you can also check if post-quantum algorithms are available with:

ssh -Q kex | grep -vE "^(diffie|ecdh|curve)"

this should yield at least:

sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256

sshd_hardening.sh

#!/bin/bash

kexalgos=$(ssh -Q kex | grep -vE "^diffie-hellman" | grep -E "256|384|512")
ciphers=$(ssh -Q cipher | grep -vE "\-cbc$" | grep -vE "^aes(128|192)")
macs=$(ssh -Q mac | grep -E "256|512")

# echo >>>
echo \
"
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms $(echo $kexalgos | tr -s " " ",")
Ciphers $(echo $ciphers | tr -s " " ",")
MACs $(echo $macs | tr -s " " ",")

PermitRootLogin prohibit-password
PasswordAuthentication no
MaxAuthTries 3
MaxSessions 2
UseDNS no
AllowUsers root
"
# <<< echo

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli