updated kex algorithms to address #3 and #4

k4yt3x · k4yt3x · commit c1e39adf9dd9 · 2020-10-15T12:30:56.000-04:00
diff --git a/README.md b/README.md
@@ -37,3 +37,14 @@ curl -sSL akas.io/sshd -o sshd_config
 ```
 
 It's recommended to use the [ssh-audit](https://github.com/jtesta/ssh-audit) script to check the cryptographic strength of your SSH server after done configuring it.
+
+## Deactivating Short Diffie-Hellman Moduli
+
+Diffie-Hellman moduli used for `diffie-hellman-group-exchange-sha256` should be at lest 3072 bits long according to [Mozilla's OpenSSH server hardening guide](https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67). This can be done with the following commands.
+
+```shell
+# find lines with moduli >= 3071 bits and save them to moduli.tmp
+awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
+# overwrite original moduli file with the updated one
+mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+```
diff --git a/sshd_config b/sshd_config
@@ -1,7 +1,7 @@
 # Name: K4YT3X Hardened OpenSSH Configuration
 # Author: K4YT3X
 # Date Created: October 5, 2020
-# Last Updated: October 10, 2020
+# Last Updated: October 15, 2020
 
 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 #   available at: https://www.gnu.org/licenses/gpl-3.0.txt
@@ -98,9 +98,13 @@ PubkeyAuthentication yes
 # explicitly define cryptography algorithms to avoid the use of weak algorithms
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
 
+# short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
+# see this link for more details: https://github.com/k4yt3x/sshd_config#deactivating-short-diffie-hellman-moduli
+#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
 ########## Connection Preferences ##########
 
 # number of client alive messages sent without client responding
