- Windows Ssh Client Openssh
- Secure Shell Client Download
- Openssh Secure Shell Client
- Openssh Ssh Client Portal
OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods,. One of the biggest and most welcome changes to the Windows 10 1809 update and in Windows Server 2019 was the addition of the OpenSSH Client and OpenSSH Server features. It is now incredibly easy to SSH into a Windows Workstation/Server using native tools that are now builtin to the Operating System. Currently, 'blowfish', '3des', and 'des' are supported. Des is only supported in the ssh (1) client for interoperability with legacy protocol 1 implementations that do not support the 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. The default is '3des'.
The goal of this document is to help operational teams with the configuration of OpenSSH server and client.All Mozilla sites and deployment should follow the recommendations below.The Security Assurance and Security Operations teams maintain this document as a reference guide.
Most default OpenSSH settings that are security-related already provide good security, thus changing them is at your own risk and is not documented here. For example, these guidelines assume only SSH protocol 2 is configured in the server, and SSH protocol 1 is disabled. This also assumes that you are keeping OpenSSH up-to-date with security patches.See man sshd_config
, man ssh_config
for more information on specific settings if you nevertheless need to change them. |
Configuration
Different versions of OpenSSH support different options which are not always compatible. This guide shows settings for the most commonly deployed OpenSSH versions at Mozilla - however, using the latest version of OpenSSH is recommended.
Modern (OpenSSH 6.7+)
File: /etc/ssh/sshd_config
File: /etc/ssh/moduli
All Diffie-Hellman moduli in use should be at least 3072-bit-long (they are used for diffie-hellman-group-exchange-sha256
) as per our Key management Guidelines recommendations. See also man moduli
.
To deactivate short moduli in two commands: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
Intermediate (OpenSSH 5.3)
This is mainly for use by RHEL6, CentOS6, etc. which run older versions of OpenSSH.
File: /etc/ssh/sshd_config
File: /etc/ssh/moduli
All Diffie-Hellman moduli in use should be at least 2048-bit-long. From the structure of moduli
files, this means the fifth field of all lines in this file should be greater than or equal to 2047.
To deactivate weak moduli in two commands: awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.tmp; mv /etc/ssh/moduli.tmp /etc/ssh/moduli
Multi-Factor Authentication (OpenSSH 6.3+)
Recent versions of OpenSSH support MFA (Multi-Factor Authentication). Using MFA is recommended where possible.
It requires additional setup, such as using the OATH Toolkit or DuoSecurity.
ATTENTION In order to allow using one time passwords (OTPs) and any other text input, Keyboard-interactive is enabled in OpenSSH. This MAY allow for password authentication to work. It is therefore very important to check your PAM configuration so that PAM disallow password authentication for OpenSSH.
OpenSSH 6.3+ (default)
File: /etc/ssh/sshd_config
OpenSSH 5.3+ w/ RedHat/CentOS patch (old)
File: /etc/ssh/sshd_config
PAM configuration for use with the OATH Toolkit or DuoSecurity as second authentication factor.
File: /etc/pam.d/sshd
The PAM stack in this scenario executes the following logic (in our example wefollow the flow with pam_duo.so
in use)
- The
pam_sepermit.so
module is called which checks if the user attempting tolog in via SSH is present in the/etc/security/sepermit.conf
.If the user is present in the config file, and the config asserts that the usercan only log in if SELinux is enforcing, and SELinux is not enforcing, thenthe PAM control ofrequired
prevents the user from logging in (though PAMwould continue down the stack). - The
password-auth
include is commented out and skipped - The
/lib64/security/pam_duo.so
module is called and the user is prompted fora duo MFA code.- If the code provided is correct PAM immediately permits the user access anddoesn’t continue executing.
- If the code provided is incorrect, PAM continues down the stack
- The
pam_nologin.so
checks if the file/etc/nologin
exists and if so blocksaccess to the user. - If at the end of the stack, the single
sufficient
control ofpam_duo.so
did not return a success, PAM defaults to deny and denies the login.
Ciphers and algorithms choice
- When CHACHA20 (OpenSSH 6.5+) is not available, AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) disclose the packet length - giving some information to the attacker. Only recent OpenSSH servers and client support CHACHA20.
- NIST curves (
ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256
) are listed for compatibility, but the use ofcurve25519
is generally preferred. - SSH protocol 2 supports DH and ECDH key-exchange as well as forward secrecy. Regarding group sizes, please refer to Key management Guidelines.
The various algorithms supported by a particular OpenSSH version can be listed with the following commands:
Configuration
If you have a file containing known_hosts
using RSA or ECDSA host key algorithm and the server now supports ed25519 for example, you will get a warning that the host key has changed and will be unable to connect. This means you will have to verify the new host key.
The following configurations expect a recent OpenSSH client, as updating OpenSSH on the client side is generally not an issue.
Modern
This configuration is less compatible and you may not be able to connect to some servers which use insecure, deprecated algorithms. Nevertheless, modern servers will work just fine.
File: ~/.ssh/config
Intermediate (connects to older servers)
This configuration can connect to older OpenSSH servers which run old or intermediate configurations.
File: ~/.ssh/config
Key generation
Large key sizes are used as SSH keys are not renewed very often (see also Key management Guidelines).
Don’t hesitate to create multiple different keys for different usages. In particular, never mix your personal and Mozilla keys.
You may then want to add the new key to your SSH agent or your configuration file (or both).
Protection of user keys
- Protected by strong passphrase.
- Never copied to another system than your own workstation/personal physical disks/tokens.
- Use SSH forwarding or SSH tunneling if you need to jump between hosts. DO NOT maintain unnecessary agent forwarding when unused.
Protection of machine keys
When SSH keys are necessary for automation between systems, it is reasonable to use passphrase-less keys.
- The recommended settings are identical to the user keys.
- The keys must be accessible only by the admin user (root) and/or the system user requiring access.
- Usage of machine keys should be registered in an inventory (a wiki page, ldap, an inventory database), to allow for rapid auditing of key usage across an infrastructure.
- The machine keys should be unique per usage. Each new usage (different service, different script called, etc.) should use a new, different key.
- Only used when strictly necessary.
- Restrict privileges of the account (i.e. no root or “sudoer” machine account).
- Using a ForceCommand returning only the needed results, or only allowing the machine to perform SSH-related tasks such as tunneling is preferred.
- Disable sftp if not needed as it exposes more surface and different logging mechanisms than SSH (and thus scp) itself.
Multi-factor bypass setup for machine keys
Machine keys do not play well with multi-factor authentication as there is no human interaction.
- All logins from machine accounts should be protected by an additional authentication layer (VPN, another machine, etc.).
- All logins from machine accounts are only allowed within the private IP-space, and if possible, only the relevant machine source IPs should be accessible.
File: /etc/ssh/sshd_config
(OpenSSH 6.3+)
File: /etc/ssh/sshd_config
(OpenSSH 5.3+ w/ RedHat/CentOS patch)
Auditing your existing SSH keys
Existing keys are generally stored in ~/.ssh/
(Linux/OSX) or %APPDATA%
(Windows). Look for id_{rsa,ed25519,ecdsa,dsa}, identity, IdentityFile, *.pem
, and other identity
files.
Display SSH keys information
SSH agent forwarding
ATTENTION SSH Agent forwarding exposes your authentication to the server you’re connecting to. By default, an attacker with control of the server (i.e. root access) can communicate with your agent and use your key to authenticate to other servers without any notification (i.e. impersonate you).For this reason, one must be careful when using SSH agent forwarding. Defaulting to always forwarding the agent is strongly discouraged.Note also that while the attacker can use your key as long as the agent is running and forwarded, he cannot steal/download the key for offline/later use.
SSH forwarding allows you to jump between hosts while keeping your private key on your local computer. This is accomplished by telling SSH to forward the authentication requests back to the ssh-agent of your local computer. SSH forwarding works between as many hosts as needed, each host forwarding new authentication request to the previous host, until the ssh-agent that holds the private key is reached.
On each host, two environment variables are declared for the user enabling ssh-agent:
- $SSH_AUTH_SOCK declares the location of the unix socket that can be used to forward an authentication request back to the previous host.(ex:
/tmp/ssh-NjPxtt8779/agent.8779
). Only present if using SSH agent forwarding. - $SSH_CONNECTION shows the source IP and port of the previous host, as well as the local IP and port. (ex:
10.22.248.74 44727 10.8.75.110 22
).
To use ssh-agent, add the flag -A
to your ssh commands:
You can set the following configuration parameter in your local ssh configuration at ~/.ssh/config
.
Hardening the Agent forwarder
It is possible to require confirmation every time the agent is used (i.e. when you connect to a server through the SSH agent) by using the -c
flag:
It is also possible to lock the key in the agent after a configurable amount of time, this can be done either for all keys when starting the agent, or per key when adding the keys to the agent with the -t
flag:
For MacOSX in particular it’s possible to save the passphrase in the Keychain. If you do so it is strongly recommended to also change the keychain setting to lock itself when the computer is locked, and/or to timeout and lock the keychain. These settings are not controlled by OpenSSH.
Recommended, safer alternatives to SSH agent forwarding
OpenSSH >=7.3
OpenSSH 7.3 onwards allow users to jump through several hosts in a rather automated fashion. It has full support for scp and sftp commands as well as regular ssh.
For example to reach a host behind a bastion/jumphost:
You can also add these lines to your ~/.ssh/config
Older versions of OpenSSH
It is possible to directly forward ports for single jumps instead of forwarding the agent. This has the advantage of never exposing your agent to the servers you’re connecting to.
For example, you can add these lines to your ~/.ssh/config
This will automatically forward the SSH connection over ssh.mozilla.com when you connect to a mozilla.com SSH server.
Key material handling
Key material identifies the cryptographic secrets that compose a key. All key material must be treated as MOZILLA CONFIDENTIAL GROUP RESTRICTED data, meaning that:
- Only individual with specific training and need-to-know should have access to key material.
- Key material must be encrypted on transmission.
- Key material can be stored in clear text, but only with proper access control (limited access).
This includes:
- OpenSSH server keys (
/etc/ssh/ssh_host_*key
) - Client keys (
~/.ssh/id_{rsa,dsa,ecdsa,ed25519}
and~/.ssh/identity
or other client key files).
Client key size and login latency
In order to figure out the impact on performance of using larger keys - such as RSA 4096 bytes keys - on the client side, we have run a few tests:
On an idle, i7 4500 intel CPU using OpenSSH_6.7p1, OpenSSL 1.0.1l and ed25519 server keys the following command is ran 10 times:
time ssh localhost -i .ssh/id_thekey exit
Results:
Client key | Minimum | Maximum | Average |
---|---|---|---|
RSA 4096 | 120ms | 145ms | 127ms |
RSA 2048 | 120ms | 129ms | 127ms |
ed25519 | 117ms | 138ms | 120ms |
Keep in mind that these numbers may differ on a slower machine, and that this contains the complete login sequence and therefore is subject to variations. However, it seems safe to say that the latency differences are not significant and do not impact performance sufficiently to cause any concern regardless of the type of key used.
Reference documents
Introduction
One of the biggest and most welcome changes to the Windows 10 1809 update and in Windows Server 2019 was the addition of the OpenSSH Client and OpenSSH Server features. It is now incredibly easy to SSH into a Windows Workstation/Server using native tools that are now builtin to the Operating System. In the past this was only possible by using complicated tools and odd workarounds in order to get an SSH-like implementation to work correctly. You can also use the SSH commands right from the Windows command line (CMD, PowerShell), without needing third-party tools or odd commands. This is a very nice change that Microsoft has added, since it is much easier to remotely manage a Windows through the Command Line instead of the GUI, and having the ability to use the same tools on both Windows and Linux is a big advantage.
Note: I have only tested this on Windows 10 Pro for Workstations (Version 1809 Build 17763.253) and on Windows Server 2019 Standard.
Installation
Installing the OpenSSH Client and OpenSSH Server options can be done through either the Settings app or through the Command Line.
GUI Installation
To install through the GUI, go to Settings -> Apps -> Apps & Features -> Manage optional features -> Add a feature. You should see the two options in the list of available features that can be installed:
OpenSSH Client
OpenSSH Server
Highlight each option and click the Install button to install the feature. If the options are missing, then you are not on the latest version/patch level of Windows 10 or Windows Server 2019. A restart should not be necessary after adding these features, but the newly installed services will need to be started and configured to automatically start at boot.
Command Line Installation
To install through the Command Line, open an elevated PowerShell console in order to proceed. To confirm that you are able to install the OpenSSH Client and OpenSSH Server features, run the following command:
If those two options are present, run the following two commands to install the features:
Like installing through the Settings app, a restart should not be necessary after adding these features. The newly installed services will need to be started and configured to automatically start at boot.
Services Start
In order to start using OpenSSH Server, the associated services will need to be started first. This can be done through either the Services MMC console or through the Command Line.
Services MMC Console
Open the Services MMC Console (Win + R, and type in services.mmc) and find the two Services that are related to OpenSSH Server:
OpenSSH Authentication Agent
OpenSSH Server
Right-click on each service and select Properties. Under Service Status, click the Start button to start the service. To configure the service to start automatically at boot, change the Startup Type drop-down menu to Automatic and click Apply.
Windows Ssh Client Openssh
Command Line Services
To start the OpenSSH Server services and enable them to run automatically, there are a few command that you will need to run. To do this, open an elevated PowerShell console and run the following commands to start the OpenSSH Server:
To have these services start automatically at boot, there are two additional commands to run as well:
After this has been completed, you should be able to connect to your Windows installation over SSH.
Using OpenSSH Client
The OpenSSH Client can be used exactly the same way as you would on any Linux/Unix host. It will work through the regular Command Line and in PowerShell:
Here is the same output from a Linux environment:
I won’t go into the details on how to use any of these advanced options, there are very good tutorials on how to use the OpenSSH Client on other sites. The behaviour of OpenSSH Client on Windows should be almost exactly the same as on a Linux environment. So far I haven’t run into any issues with connectivity.
Connecting to OpenSSH Server
There is nothing special required to connect to a Windows host, it behaves exactly the same way as any other SSH host. There are a few different username formats that you can use:
One of the benefits is the ability to login with a Microsoft account if you are using that as your username. It is a bit unusual to see an email address used this way, but I am glad that Microsoft made sure that this functionality worked correctly:
There is nothing more to OpenSSH Server, you can manage your Windows host from the command line once you are logged in. If you want to do any further customization or need some basic troubleshooting, there is additional information below.
Change the Default Shell
By default when you login to a Windows installation with SSH, it defaults to the regular Command Prompt (cmd.exe). I prefer PowerShell for everyday usage, and it is easy to switch to PowerShell once you login, but you can change the default shell to save yourself some time if you are going to be using this feature often.
This is done through the Registry Editor, which will run with Administrator privileges. You need to navigate to the following key:
Secure Shell Client Download
Create a new string called DefaultShell and give it the following value:
Restart the OpenSSH Server Service and the next time that you login with SSH, you should automatically go to PowerShell. I have tried making this work with Bash, but it doesn’t seem to be supported yet.
If you do want to use Bash, just type in bash.exe to switch to it.
Additional Settings
There are a few customizations that you can do to the OpenSSH Server service if needed. Since this is a port of the OpenSSH Server, the customization is done in a very similar way. To begin, the directory where all of the associated executable files are found is in the C:WindowsSystem32OpenSSH directory:
The other important directory for OpenSSH Server is the C:ProgramDatassh folder, which contains the configuration files and log files.
OpenSSH Server options, such as changing the login banner and locking down security options are done in the C:ProgramDatasshsshd_config file.
Not all options can be used on a Windows host. For more information, you can refer to the official Wiki article on what options are supported:
Troubleshooting
If you need to view the log file for OpenSSH Server, you need to make a quick change to the configuration file (C:ProgramDatasshsshd_config) to enable logging:
Make the following change:
You will need to restart the OpenSSH Server service in order to apply the change. Once the change has been made, the log file (sshd.log) can be found in the C:ProgramDatasshlogs directory.