Skip to content

JuliusBairaktaris/Harden-Windows-SSH

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits

Images

Images

 
 

ConfigureOpenSSH.ps1

ConfigureOpenSSH.ps1

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

Harden-Windows-SSH

This repository provides a PowerShell script to harden the OpenSSH Server configuration on Windows, making it more secure and resistant to known vulnerabilities like the Terrapin attack (CVE-2023-48795). The hardening measures are based on recommendations from SSH-Audit.

Applied configuration

KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

MACs [email protected],[email protected],[email protected]

HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256

CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256

HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],rsa-sha2-512,[email protected],rsa-sha2-256

PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],rsa-sha2-512,[email protected],rsa-sha2-256

Install latest OpenSSH version for Windows

It is strongly recommended to upgrade to the beta version of the OpenSSH implementation for Windows using winget, which patches the Terrapin vulnerability (CVE-2023-48795).

winget install -e --id Microsoft.OpenSSH.Beta

To test which OpenSSH version you are currently running, run in a terminal:

ssh -V

How to harden the OpenSSH implementation

Execute:

irm 'https://raw.githubusercontent.com/JuliusBairaktaris/Harden-Windows-SSH/main/ConfigureOpenSSH.ps1' | iex

In Windows, the OpenSSH Client (ssh) reads configuration data from a configuration file in the following order:

  1. By launching ssh.exe with the -F parameter, specifying a path to a configuration file and an entry name from that file.
  2. A user's configuration file at %userprofile%.ssh\config.
  3. The system-wide configuration file at %programdata%\ssh\ssh_config.

Optional overrides

  • hmac-sha2-256: This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems.

Security Scores using SSH-Audit

Default OpenSSH v8.X Configuration: Default Windows OpenSSH v8 Client Score

Hardened OpenSSH v8.X Client Configuration: Hardend Windows OpenSSH v8 Client Score

Default OpenSSH v8.X Server Configuration: Default Windows OpenSSH v8 Server Score

Hardened OpenSSH v8.X Server Configuration: Hardend Windows OpenSSH v8 Server Score

Further hardening recommendations

To further secure Windows, check out the great Harden-Windows-Security module by HotCakeX.

About

Harden the OpenSSH implementation in Windows 10/11 with the help of methods from Positron Security

Topics

windows ssh encryption ssh-server ssh-client harden enterprise-security windows11 operation-system-security 1st-party-security

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages