Forked from T167966
I've been playing with https://github.com/mozilla/ssh_scan on both servers and network devices.
It's possible to use different rules (modern/intermediate) depending on the OpenSSH version, which can also be tuned to ignore configuration items we can't do without (e.g. keyboard-interactive for 2FA).
More details and guidelines on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
Depending on that it outputs a grade and recommendations.
For network devices, I used mr1-ulsfo as a test host, here is the "before" scan, using the "intermediate" profile:
  "compliance": {
    "policy": "Mozilla Intermediate",
    "compliant": false,
    "recommendations": [
      "Remove these key exchange algorithms: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1",
      "Remove these MAC algorithms: hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-md5, hmac-sha1, umac-64@openssh.com, umac-128@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96",
      "Remove these encryption ciphers: arcfour256, arcfour128, chacha20-poly1305@openssh.com, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se",
      "Remove these authentication methods: password, keyboard-interactive"
    ],
    "references": [ "https://wiki.mozilla.org/Security/Guidelines/OpenSSH" ],
    "grade": "F"
  },
And after pushing the following changes:
  set system services ssh macs [ hmac-sha2-256 hmac-sha2-512 ]
  set system services ssh key-exchange [ group-exchange-sha2 ]
  set system services ssh ciphers [ aes128-ctr aes192-ctr aes256-ctr ]
  set system services ssh hostkey-algorithm no-ssh-dss
The output of the same scan:
  "compliance": {
    "policy": "Mozilla Intermediate",
    "compliant": false,
    "recommendations": [
      "Remove these authentication methods: password, keyboard-interactive"
    ],
    "references": [ "https://wiki.mozilla.org/Security/Guidelines/OpenSSH" ],
    "grade": "B"
  },
Creating a custom policy (allowing password and keyboard-interactive, as it's not possible to remove them on the device) returns "compliant": true and "grade": "A".
I also confirmed that I can still properly SSH to the device.
You can also compare the output of https://sshcheck.com/server/mr1-ulsfo.wikimedia.org/22 with any other mr* router.
So I suggest we push that change to all the Juniper devices.
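To make the policy tuning above concrete, here is an added example (not ssh_scan's own code, and not Mozilla's policy files) of the check it performs: the allowed algorithm lists are constructed from what the intermediate scan accepted after the Junos change, the custom policy tolerates the auth methods the device cannot drop, and the A/B/F grading is an approximation of the grades seen above.

```ruby
require 'json'

# Constructed policy (assumed, modelled on what the scan above accepted).
INTERMEDIATE = {
  "name"    => "Intermediate (assumed)",
  "kex"     => %w[diffie-hellman-group-exchange-sha256],
  "macs"    => %w[hmac-sha2-256 hmac-sha2-512],
  "ciphers" => %w[aes128-ctr aes192-ctr aes256-ctr],
  "auth"    => %w[publickey], # auth methods a compliant host may offer
}

# Same rules, but tolerating auth methods that cannot be removed on the device.
CUSTOM = INTERMEDIATE.merge(
  "name" => "Custom (password/keyboard-interactive allowed)",
  "auth" => %w[publickey password keyboard-interactive])

# scan: hash of "kex", "macs", "ciphers", "auth" arrays as a scanner reports them.
# Returns a compliance hash shaped like the ssh_scan output quoted above.
def evaluate(scan, policy)
  labels = { "kex" => "key exchange algorithms", "macs" => "MAC algorithms",
             "ciphers" => "encryption ciphers", "auth" => "authentication methods" }
  recs = []
  labels.each do |key, label|
    bad = scan.fetch(key, []) - policy[key]   # offered but not allowed
    recs << "Remove these #{label}: #{bad.join(', ')}" unless bad.empty?
  end
  grade = if recs.empty? then "A"                        # fully compliant
          elsif recs.all? { |r| r.include?("authentication") } then "B"
          else "F"                                       # weak crypto offered
          end
  { "policy" => policy["name"], "compliant" => recs.empty?,
    "recommendations" => recs, "grade" => grade }
end

# Constructed scan results: the device after the Junos change, and a "before"
# state that still offers some of the algorithms the first scan flagged.
AFTER = {
  "kex"     => %w[diffie-hellman-group-exchange-sha256],
  "macs"    => %w[hmac-sha2-256 hmac-sha2-512],
  "ciphers" => %w[aes128-ctr aes192-ctr aes256-ctr],
  "auth"    => %w[publickey password keyboard-interactive],
}
BEFORE = AFTER.merge(
  "kex"     => AFTER["kex"] + %w[diffie-hellman-group14-sha1 diffie-hellman-group1-sha1],
  "macs"    => AFTER["macs"] + %w[hmac-md5 hmac-sha1],
  "ciphers" => AFTER["ciphers"] + %w[arcfour aes128-cbc 3des-cbc])

if __FILE__ == $0
  [[BEFORE, INTERMEDIATE], [AFTER, INTERMEDIATE], [AFTER, CUSTOM]].each do |scan, pol|
    puts JSON.pretty_generate(evaluate(scan, pol))
  end
end
```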