OPNsense SSH hardening

Started by Hover, October 03, 2019, 06:34:12 PM

October 03, 2019, 06:34:12 PM Last Edit: October 03, 2019, 10:50:51 PM by Hover
Hello Folks,

just had a look at the SSH service default configuration and was wondering why it supports so many outdated key, kex and mac algorithms.

Why not hardening it?


$ ssh-audit opnsense
[...]
# algorithm recommendations (for OpenSSH 8.0)
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove


The argument is probably backwards compatibility, but I thought OPNsense is the firewall for the paranoid ones ;)

Maybe not like here, but in general

Best Regards,
Hover
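The ssh-audit lines above are easy to turn into sshd_config directives: OpenSSH (7.5 and later) accepts a leading `-` on KexAlgorithms, HostKeyAlgorithms, MACs and Ciphers to strip the named entries from its built-in default list, which maps one-to-one onto ssh-audit's `-algorithm ... to remove` recommendations. The script below is an added example, not something from the original post or from the OPNsense project; the sample input is the recommendation block quoted above, the mapping from ssh-audit's category words (`kex`, `key`, `mac`, `enc`) to sshd_config keywords is an assumption stated in the code, and the path of OPNsense's sshd_config is deliberately left out.

```python
import re

# Constructed sample: the recommendation block from the post above.
SAMPLE_AUDIT = """\
# algorithm recommendations (for OpenSSH 8.0)
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove
"""

# One ssh-audit recommendation per line:
#   (rec) -<algorithm>   -- <kind> algorithm to remove
#   (rec) +<algorithm>   -- <kind> algorithm to append
REC_LINE = re.compile(
    r"^\(rec\)\s+([+-])(\S+)\s+--\s+(\w+) algorithm to (remove|append)"
)

# Assumed mapping from ssh-audit's category word to the sshd_config keyword.
# "enc" (ciphers) does not occur in the post; it is included for completeness.
DIRECTIVE_FOR = {
    "kex": "KexAlgorithms",
    "key": "HostKeyAlgorithms",
    "mac": "MACs",
    "enc": "Ciphers",
}


def parse_recommendations(text):
    """Group recommended algorithms by (sshd_config keyword, '+' or '-')."""
    grouped = {}
    for line in text.splitlines():
        match = REC_LINE.match(line.strip())
        if not match:
            continue  # headers, blank lines and non-recommendation output
        sign, algorithm, kind, _action = match.groups()
        keyword = DIRECTIVE_FOR.get(kind)
        if keyword is None:
            continue  # category we do not know how to translate
        grouped.setdefault((keyword, sign), []).append(algorithm)
    return grouped


def to_sshd_config(grouped):
    """Render directives with OpenSSH's '-'/'+' prefix syntax.

    '-a,b' removes a and b from the built-in default list, '+a' appends a;
    the rest of the defaults are left untouched, so nothing is silently
    dropped or added beyond what ssh-audit asked for.
    """
    return "\n".join(
        f"{keyword} {sign}{','.join(algorithms)}"
        for (keyword, sign), algorithms in grouped.items()
    )


def merge_into_config(existing, rendered):
    """Replace lines that already set the same keyword, append the others.

    Comments and unrelated directives are kept verbatim, so the result can be
    diffed against the original file before it is installed.
    """
    pending = {line.split()[0]: line for line in rendered.splitlines()}
    merged = []
    for line in existing.splitlines():
        stripped = line.strip()
        keyword = stripped.split()[0] if stripped and not stripped.startswith("#") else None
        if keyword in pending:
            merged.append(pending.pop(keyword))
        else:
            merged.append(line)
    merged.extend(pending.values())
    return "\n".join(merged)


if __name__ == "__main__":
    directives = to_sshd_config(parse_recommendations(SAMPLE_AUDIT))
    print(directives)
```

Before applying the output, keep the session you are working from open and confirm from a second connection that your own client still negotiates a key exchange and MAC from the reduced set; the `-` form only subtracts from sshd's defaults, so a fresh `ssh-audit` run afterwards should show the listed entries gone and nothing else changed.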

Per default SSH is disabled.
If it is enabled, it is not available until you add rules in the firewall to allow access.
You should not open it to the world, and if you use an up to date client it should use the more secure ciphers and MACs by default.

But you are right, it should be secure by default.

Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

Maybe a good issue to report...