SSH best practices

The required end state for any system offering SSH (or another form of remote login) is to require either two-factor authentication (2FA) or public-key-only authentication, particularly if the service is reachable from off campus.

Requiring 2FA or public keys for authentication eliminates common attacks, including brute-force password guessing, credential stuffing, password spraying and phishing. Allowing public keys also lets researchers offer services to collaborators without necessarily requiring a Waterloo identity for each collaborator, and so is a reasonable alternative to allowing plain passwords.

IST also offers a service for systems using SSH keys called AuthMan. Users can upload keys to the service, and systems using it will check there automatically for updated keys.

SSH scanning

Following normal vulnerability management procedures, the Security Operations Centre (SOC) will notify system contacts about observed weaknesses, treating SSHv1 and weak ciphers as "Identified Vulnerability" security incidents. Priority is given to systems exposed to the public Internet. Systems allowing password authentication will be flagged in the same way.

SSH standards - 2021

Password-based authentication

Servers which allow password-based authentication must not expose an SSH service to the public Internet unless it can be demonstrated that the service requires 2FA. This applies even when the SSH listening port has been obfuscated in some way (e.g. moved to 2022); a non-standard port is not a substitute for 2FA.

Cryptographic standards

All servers must conform to minimum cryptographic standards that eliminate weak and null ciphers. The SSHv1 protocol must not be implemented. The Modern configuration from Mozilla's OpenSSH guidelines page is sufficient for systems reachable directly from off campus. Servers accessible only from on campus may implement weaker standards if an application requires it; such systems should have restrictive host-based firewalls.
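To make the password-authentication and cryptographic requirements above concrete, the following is an illustrative sshd_config fragment for a public-key-only, Internet-facing server. It is an added example, not the page's own text and not a verbatim copy of the Mozilla Modern configuration; the algorithm lists are an assumption of a modern set, and the Mozilla page remains the authoritative source for the OpenSSH version you run.

```sshd_config
# Illustrative sshd_config fragment (added example; assumed modern algorithm
# lists, not an official copy of the Mozilla configuration).

# SSHv1 must not be implemented. Only OpenSSH older than 7.6 still shipped
# protocol 1; newer releases dropped it and treat this keyword as deprecated.
Protocol 2

# Internet-facing services must be public-key-only or require 2FA.
# This variant is public-key-only. For PAM-based 2FA the usual form is
# instead "KbdInteractiveAuthentication yes" together with
# "AuthenticationMethods publickey,keyboard-interactive" (assumption).
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey

# Host keys: Ed25519 and RSA only (no ssh-dss host key is listed by design).
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Key exchange, ciphers and MACs: AEAD and encrypt-then-MAC algorithms only.
# Names that must NOT appear anywhere in these lists include arcfour*,
# 3des-cbc, blowfish-cbc, any *-cbc cipher, hmac-md5*, hmac-sha1-96 and "none".
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
```

After editing, `sshd -t` validates the file and `sshd -T` prints the effective configuration with defaults resolved, which is the view worth comparing against the standard rather than the file alone.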

Identifying weak configurations

The Qualys QID for weak SSH configuration is 38739; for SSHv1 it is 38304. The QID that identifies supported authentication methods is 38047.

nmap NSE scripts may also be used to identify weak servers, using the ssh2-enum-algos script (run in combination with the -sV flag). To identify supported authentication methods, use the ssh-auth-methods script.
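The scanners above give the network-side view. For the host-side check, here is an added shell example (not an IST tool) that audits an sshd_config file for the three conditions the SOC flags: SSHv1, password authentication and weak or null ciphers/MACs. Directive names are OpenSSH's own; the WEAK_ALGOS list is an illustrative assumption, not an official list, and the sample configuration at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of the IST page: audit an sshd_config file against
# the 2021 standard (no SSHv1, no password authentication, no weak or null
# ciphers/MACs). The WEAK_ALGOS list is an illustrative assumption.

# Cipher and MAC names treated as weak or null (egrep alternation, matched
# case-insensitively against each comma-separated entry).
WEAK_ALGOS='arcfour|arcfour128|arcfour256|3des-cbc|blowfish-cbc|cast128-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|none|hmac-md5|hmac-md5-96|hmac-sha1-96|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-sha1-96-etm@openssh.com'

# get_directive FILE NAME: print the value of the first uncommented NAME line.
# sshd honours the first occurrence of a global directive, so later duplicates
# are ignored here too. Matching is case-insensitive, so this also works on
# the lowercase output of `sshd -T`.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one FAIL/INFO line per observation and
# return the number of FAIL findings (0 means the file passed).
audit_sshd_config() {
    file=$1
    findings=0

    # SSHv1: OpenSSH before 7.6 enabled it with "Protocol 1" or "Protocol 2,1".
    proto=$(get_directive "$file" Protocol)
    case ",$proto," in
        *,1,*) echo "FAIL: SSHv1 enabled (Protocol $proto)"
               findings=$((findings + 1)) ;;
    esac

    # Password authentication defaults to yes when the directive is absent.
    pw=$(get_directive "$file" PasswordAuthentication)
    if [ -z "$pw" ] || [ "$pw" = yes ]; then
        echo "FAIL: PasswordAuthentication is ${pw:-unset} (sshd default is yes)"
        findings=$((findings + 1))
    fi

    # Algorithm lists. A leading '+', '-' or '^' modifies the default set
    # instead of replacing it; '-' only removes algorithms, so it cannot
    # introduce a weak one.
    for directive in Ciphers MACs; do
        value=$(get_directive "$file" "$directive")
        if [ -z "$value" ]; then
            echo "INFO: $directive not set; OpenSSH default list applies"
            continue
        fi
        case $value in
            -*) echo "INFO: $directive removes algorithms from the default set"
                continue ;;
            +*|^*) value=${value#?} ;;
        esac
        for algo in $(printf '%s\n' "$value" | tr ',' ' '); do
            if printf '%s\n' "$algo" | grep -Eiq "^($WEAK_ALGOS)\$"; then
                echo "FAIL: weak or null algorithm '$algo' in $directive"
                findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}

# Demo on a constructed, deliberately weak config. A real audit would point
# at /etc/ssh/sshd_config or, better, at `sshd -T` output, which shows the
# effective configuration with defaults resolved.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Protocol 2,1
PasswordAuthentication yes
Ciphers aes256-ctr,arcfour
MACs hmac-sha2-256,hmac-md5
EOF
audit_sshd_config "$demo" || echo "$? finding(s) in constructed sample"
rm -f "$demo"
```

Run it as `sh audit.sh` for the demo, or call `audit_sshd_config /etc/ssh/sshd_config` (or `sshd -T > effective.conf` first and audit that file) on a host you administer. The equivalent network-side check with the scripts named above is `nmap -sV -p 22 --script ssh2-enum-algos,ssh-auth-methods HOST`.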

Reviews

Date         Reviewed By
2019-01-22   Information Security Services (ISS)
2019-05-08   Information Security Services (ISS)
2021-06-03   Information Security Services (ISS)