Skip to content
/ Harden-Windows-SSH Public

Harden the OpenSSH implementation in Windows 10/11 with the help of methods from Positron Security

License

MIT license
9 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

JuliusBairaktaris/Harden-Windows-SSH

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
Images
Images
 
 
ConfigureOpenSSH.ps1
ConfigureOpenSSH.ps1
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Harden-Windows-SSH

This repository provides a PowerShell script to harden the OpenSSH Server configuration on Windows, making it more secure and resistant to known vulnerabilities like the Terrapin attack (CVE-2023-48795). The hardening measures are based on recommendations from SSH-Audit.

Applied configuration

KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

Install latest OpenSSH version for Windows

It is strongly recommended to upgrade to the beta version of the OpenSSH implementation for Windows using winget, which patches the Terrapin vulnerability (CVE-2023-48795).

winget install -e --id Microsoft.OpenSSH.Beta

To test which OpenSSH version you are currently running, run in a terminal:

ssh -V

How to harden the OpenSSH implementation

Execute:

irm 'https://raw.githubusercontent.com/JuliusBairaktaris/Harden-Windows-SSH/main/ConfigureOpenSSH.ps1' | iex

In Windows, the OpenSSH Client (ssh) reads configuration data from a configuration file in the following order:

  1. By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
  2. A user's configuration file at %userprofile%.ssh\config.
  3. The system-wide configuration file at %programdata%\ssh\ssh_config.

Optional overrides

  • hmac-sha2-256: This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems.

Security Scores using SSH-Audit

Default OpenSSH v8.X Configuration: Default Windows OpenSSH v8 Client Score

Hardened OpenSSH v8.X Client Configuration: Hardend Windows OpenSSH v8 Client Score

Default OpenSSH v8.X Server Configuration: Default Windows OpenSSH v8 Server Score

Hardened OpenSSH v8.X Server Configuration: Hardend Windows OpenSSH v8 Server Score

Further hardening recommendations

To further secure Windows, check out the great Harden-Windows-Security module by HotCakeX.

About

Harden the OpenSSH implementation in Windows 10/11 with the help of methods from Positron Security

Topics

windows ssh encryption ssh-server ssh-client harden enterprise-security windows11 operation-system-security 1st-party-security

Resources

Readme

License

MIT license
Activity

Stars

9 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages