added random notes about ssh (open questions inline)
author    Adi Kriegisch <adi@kriegisch.at>
          Wed, 18 Sep 2013 13:27:20 +0000 (15:27 +0200)
committer Adi Kriegisch <adi@kriegisch.at>
          Wed, 18 Sep 2013 13:27:20 +0000 (15:27 +0200)
unsorted/ssh/Ciphers.txt [new file with mode: 0644]
unsorted/ssh/DebianBanner.txt [new file with mode: 0644]
unsorted/ssh/other_options.txt [new file with mode: 0644]
unsorted/ssh/ssh_version_strings.txt [new file with mode: 0644]

diff --git a/unsorted/ssh/Ciphers.txt b/unsorted/ssh/Ciphers.txt
new file mode 100644 (file)
index 0000000..7455a88
--- /dev/null
@@ -0,0 +1,30 @@
+Debian/OpenSSH6 man page shows the following:
+     Ciphers
+             Specifies the ciphers allowed for protocol version 2.  Multiple ciphers must be
+             comma-separated.  The supported ciphers are “3des-cbc”, “aes128-cbc”, “aes192-cbc”,
+             “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”,
+             “arcfour”, “blowfish-cbc”, and “cast128-cbc”.  The default is:
+
+                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+                aes256-cbc,arcfour
+
+TODO: which of those should be used?
+
+     MACs    Specifies the available MAC (message authentication code) algorithms.  The MAC algo‐
+             rithm is used in protocol version 2 for data integrity protection.  Multiple algo‐
+             rithms must be comma-separated.  The default is:
+
+                   hmac-md5,hmac-sha1,umac-64@openssh.com,
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+                   hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+                   hmac-sha2-512-96
+
+TODO: which of those should be used?
+
+Regarding compression: the default for compression is "delayed" which means, that compression
+will only kick in after successful authentication (possibilities: yes, no, delayed).
+
+TODO: does this put users at risk? shall compression be disabled alltogether?
+
+
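Review bot: both "TODO: which of those should be used?" lines leave the actual recommendation open, although the lists quoted above already separate cleanly. For Ciphers, the entries worth keeping are the CTR modes (aes128-ctr, aes192-ctr, aes256-ctr); the CBC modes, arcfour/arcfour128/arcfour256, 3des-cbc, blowfish-cbc and cast128-cbc are the legacy ones the note should say to drop, so suggest replacing the TODO with a `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` line. For MACs the same pattern holds: keep hmac-sha2-256, hmac-sha2-512 and umac-64@openssh.com, drop hmac-md5, hmac-md5-96, hmac-sha1-96, hmac-ripemd160 and the other -96 truncated variants. Note also that "hmac-sha256-96" as quoted is inconsistent with the neighbouring "hmac-sha2-512-96" naming, so verify the exact algorithm name (`sshd -T` prints the effective values) before copying it into a config. On the compression question: "delayed" already means no compression before authentication, which is the part the note worries about; if the file wants a firm answer, `Compression no` is the simplest setting and costs nothing on a LAN. Typo: "alltogether" should be "altogether".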
diff --git a/unsorted/ssh/DebianBanner.txt b/unsorted/ssh/DebianBanner.txt
new file mode 100644 (file)
index 0000000..9b187f2
--- /dev/null
@@ -0,0 +1,6 @@
+in Debian/Ubuntu add the following to your /etc/ssh/sshd_config:
+# disable displaying of Debian version
+DebianBanner no
+
+# this disables version strings SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 and uses
+# the default: SSH-2.0-OpenSSH_5.8p1
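Review bot: the comment "this disables version strings SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 and uses the default: SSH-2.0-OpenSSH_5.8p1" overstates what changes: as the two example strings show, only the "Debian-7ubuntu1" package suffix disappears and the OpenSSH release is still announced, because the protocol requires the version exchange. Suggest wording the comment as "hides the Debian/Ubuntu package revision" so nobody reads it as a real hardening step, and adding that sshd has to be reloaded for the new banner to take effect (the file otherwise reads as if editing sshd_config were enough). Since this option only exists in the Debian-patched OpenSSH, a note that it is not portable to other distributions would fit here too.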
diff --git a/unsorted/ssh/other_options.txt b/unsorted/ssh/other_options.txt
new file mode 100644 (file)
index 0000000..1646289
--- /dev/null
@@ -0,0 +1,8 @@
+PermitRootLogin shall be disabled (aka 'no') or at least reasonably restricted
+('without-password', 'forced-commands-only').
+
+Possible options:
+ChrootDirectory jails the user into a separate environment
+
+ForceCommand might help (especially with internal-sftp) to further limit possibilities of
+a remote use. rssh might be used as a shell to achieve similar behaviour.
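Review bot: "PermitRootLogin shall be disabled (aka 'no')" would be clearer as the literal config line `PermitRootLogin no`, and the "reasonably restricted" alternatives deserve one line each: 'without-password' still permits root login with keys, only password authentication is refused, and 'forced-commands-only' additionally requires a command= restriction in the authorized key. Under "Possible options", ChrootDirectory and ForceCommand/internal-sftp are normally combined in a `Match Group sftponly` block; the note would be more useful with that pairing shown, plus the requirement that the chroot directory is owned by root and not writable by the user, which is the mistake that makes such setups fail or leak. Typo in the last paragraph: "a remote use" should be "a remote user".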
diff --git a/unsorted/ssh/ssh_version_strings.txt b/unsorted/ssh/ssh_version_strings.txt
new file mode 100644 (file)
index 0000000..ff9697b
--- /dev/null
@@ -0,0 +1,49 @@
+taken from http://auntitled.blogspot.co.at/2010/07/identified-ubuntu-version-from-ssh.html and extended:
+
+Debian:
+Debian 4:  SSH-2.0-OpenSSH_4.3p2 Debian-9
+Debian 5:  SSH-2.0-OpenSSH_5.1p1 Debian-5
+Debian 6:  SSH-2.0-OpenSSH_5.5p1 Debian-6
+Debian 7:  SSH-2.0-OpenSSH_6.0p1 Debian-4
+
+Ubuntu:
+Ubuntu 5.10:  SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4
+Ubuntu 6.04:  SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3[.x]
+Ubuntu 7.04:  SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1[.x]
+Ubuntu 7.10:  SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0[.x]
+Ubuntu 8.04:  SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1[.x]
+Ubuntu 8.10:  SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
+Ubuntu 9.04:  SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
+Ubuntu 9.10:  SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
+Ubuntu 10.04: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu3
+Ubuntu 10.04.1: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
+Ubuntu 10.04.2: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu{5,6}
+Ubuntu 10.04.3: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
+Ubuntu 10.10: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu{4,5}
+Ubuntu 11.04: SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
+Ubuntu 11.10: SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
+Ubuntu 12.04: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
+
+FreeBSD
+FreeBSD 7.0:  SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
+FreeBSD 7.2:  SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
+FreeBSD 8.0:  SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522
+FreeBSD 8.1:  SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
+FreeBSD 9.0:  SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
+
+OpenSUSE
+openSUSE 10.0: SSH-2.0-OpenSSH_5.0
+openSUSE 10.1: SSH-2.0-OpenSSH_5.1
+openSUSE 10.2: SSH-2.0-OpenSSH_5.2
+
+CentOS
+CentOS 4.x:  SSH-2.0-OpenSSH_3.9
+CentOS 5.x:  SSH-2.0-OpenSSH_4.3
+CentOS 6.x:  SSH-2.0-OpenSSH_5.3
+
+Fedora
+Fedora 12:  SSH-2.0-OpenSSH_5.2
+Fedora 13:  SSH-2.0-OpenSSH_5.4
+Fedora 14:  SSH-2.0-OpenSSH_5.5
+Fedora 15:  SSH-2.0-OpenSSH_5.6
+Fedora 16:  SSH-2.0-OpenSSH_5.8
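Review bot: the list is "taken from ... and extended", but nothing marks which entries are the author's additions versus the 2010 source; the Debian 7, Ubuntu 11.x and 12.04 entries post-date the blog post and should be flagged as extended, with how they were collected. The notation "[.x]" and "{5,6}" for package revisions is used without explanation; one line defining it at the top of the file would help. Headings are inconsistent ("Debian:" and "Ubuntu:" carry a colon, "FreeBSD", "OpenSUSE", "CentOS" and "Fedora" do not, and "OpenSUSE" vs "openSUSE" differ in the heading and entries). Worth stating what the table is for on the defending side: the FreeBSD, openSUSE, CentOS and Fedora strings carry no package suffix, so there the banner identifies only the OpenSSH release, while the Debian 4 and Ubuntu 7.04 rows both show OpenSSH_4.3p2 and differ only in the "Debian-9" / "Debian-8ubuntu1" suffix, which is exactly the part that `DebianBanner no` from the other file removes.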