This post is part of my Explaining My Configs series where I explain the configuration files (and options) I use in detail. This post is the client version of my previous sshd_config post.
This post could either be read as a whole, or as a reference (click on a line to jump to its explanation).
What is this config for?
The goal of these configuration changes is to harden the security and ease the usage of the ssh client.
The config file
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# E servers
Host *.enlightenment.org !e?.enlightenment.org !e?v*.enlightenment.org !git.enlightenment.org !devs.enlightenment.org
    ProxyCommand ssh -q tasn@e5v1.enlightenment.org -W %h:%p
Reviewing the config
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
This sets the order of preference and allowed list for server key algorithms. I used this to restrict the allowed key algorithms of servers to make sure the servers I connect to are not using outdated crypto.
While writing this post, I updated this and the next section to follow Mozilla guidelines, though I already had very similar lists before.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
These directives restrict the key-exchange algorithms, ciphers and MACs the ssh client will be allowed to negotiate (the order is the order of preference). This makes sure we are not connecting to insecure servers and helps prevent downgrade attacks.
Note: it may be possible that you won't be able to connect to some servers with these settings, mainly on out-of-date embedded devices. You can change the list to allow obsolete ciphers (check the Mozilla link above) based on host (more on that later).
Host *.enlightenment.org !e?.enlightenment.org !e?v*.enlightenment.org !git.enlightenment.org !devs.enlightenment.org
The Host directive restricts the following declarations (until the next Host or Match keyword) to hosts matching one of the patterns after the keyword. From the ssh_config manual: A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches zero or more characters), or ‘?’ (a wildcard that matches exactly one character).
In addition, patterns starting with ‘!’ mean negation, and hosts matching such a pattern will be excluded.
This configuration line essentially means that all of the subdomains of enlightenment.org, except for a few specific patterns, will have the following declarations applied to them. I excluded these domains because the following directive would either break ssh or make it inefficient. More on that in the next section.
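To make the negation rule concrete, here is an added Python example (not part of the original post and not OpenSSH's own code) that applies the ssh_config pattern rules to this Host line and reports which hostnames the block, and therefore the ProxyCommand below, applies to; the sample hostnames other than those on the Host line are constructed. Note that the proxy host e5v1.enlightenment.org is itself excluded, as it must be, since the ProxyCommand connects to it.

```python
import re

# The Host line from the config above (patterns are whitespace-separated).
HOST_LINE = ("*.enlightenment.org !e?.enlightenment.org !e?v*.enlightenment.org "
             "!git.enlightenment.org !devs.enlightenment.org")


def pattern_to_regex(pattern):
    """Translate an ssh_config pattern: '*' matches any run of characters,
    '?' matches exactly one character, everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def host_block_applies(host_line, hostname):
    """Decide whether a 'Host' block applies to hostname.

    Rule from ssh_config(5): if a negated ('!') pattern matches, the block
    does not apply regardless of the other patterns; otherwise it applies
    when at least one positive pattern matches. ssh lowercases hostnames
    before matching, so this does the same.
    """
    hostname = hostname.lower()
    positive_hit = False
    for pattern in host_line.split():
        negated = pattern.startswith("!")
        regex = pattern_to_regex(pattern.lstrip("!").lower())
        if regex.match(hostname):
            if negated:
                return False  # a negated match wins outright
            positive_hit = True
    return positive_hit


def proxied_hosts(host_line, hostnames):
    """Return the hostnames whose connections would go through this block."""
    return [h for h in hostnames if host_block_applies(host_line, h)]


if __name__ == "__main__":
    # Constructed sample hostnames (only the pattern list comes from the post).
    sample = ["ci-build.enlightenment.org", "e5v1.enlightenment.org",
              "e5.enlightenment.org", "git.enlightenment.org",
              "enlightenment.org", "example.org"]
    for host in sample:
        print(f"{host:30} block applies: {host_block_applies(HOST_LINE, host)}")
```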
ProxyCommand ssh -q tasn@e5v1.enlightenment.org -W %h:%p
This line makes it so that all connections to hosts matched by my Host directive will be tunnelled through the command listed after ProxyCommand. This is useful when connecting to servers behind a firewall. For example, in enlightenment.org we have many VMs that are not exposed to the world but we still need to connect to them sometimes (e.g. CI build machines). This command lets me tunnel my traffic through e5v1.enlightenment.org so I can pass through the firewall. I use ssh as the proxy command, but I could have used other tools for the task.
Now let's break down ssh -q tasn@e5v1.enlightenment.org -W %h:%p. This calls ssh and tells it to connect to tasn@e5v1.enlightenment.org while suppressing warning and diagnostic messages (-q). It also forwards its standard input and output (-W) to the host and port (%h:%p) of the surrounding command, essentially creating a tunnel through ssh.
Please let me know if you spotted any mistakes or have any suggestions, and follow me on Twitter or RSS for updates.