From 93423ca8c5030a552b6a0c3ad40aa07589edcb1a Mon Sep 17 00:00:00 2001 From: Julius Bairaktaris <33199500+JuliusBairaktaris@users.noreply.github.com> Date: Thu, 11 Apr 2024 14:22:33 +0000 Subject: [PATCH] Created Windows 11 (markdown) --- Windows-11.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 Windows-11.md diff --git a/Windows-11.md b/Windows-11.md new file mode 100644 index 0000000..98d793e --- /dev/null +++ b/Windows-11.md 
@@ -0,0 +1,66 @@ +# Configuring OpenSSH in Windows 11 + +Windows 11 uses its own OpenSSH implementation based on OpenSSH v8 by default. To ensure optimal security and compatibility, it is recommended to update to the beta implementation of OpenSSH for Windows. + +## Updating OpenSSH + +1. Open a command prompt or PowerShell window. +2. Run the following command to install the beta version of OpenSSH: + + ``` + winget install -e --id Microsoft.OpenSSH.Beta + ``` + +3. Verify that your SSH version is greater than 8.X.X by running: + + ``` + ssh -V + ``` + +## Configuring OpenSSH Client + +In Windows, the OpenSSH Client (`ssh`) reads configuration data from a configuration file in the following order: + +1. By launching `ssh.exe` with the `-F` parameter, specifying a path to a configuration file and an entry name from that file. +2. A user's configuration file at `%userprofile%\.ssh\config`. +3. The system-wide configuration file at `%programdata%\ssh\ssh_config`. + +Apply the following configuration either system-wide or user-wide by placing it in the respective file path: + +``` +KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 +Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com +HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256 +CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 +HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 +PubkeyAcceptedAlgorithms 
sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 +``` + +## Hardening the Windows OpenSSH Server + +To harden the Windows OpenSSH Server implementation: + +1. Open `%programdata%\ssh\sshd_config`. +2. Uncomment the following lines: + + ``` + HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key + HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key + ``` + +3. Add the following configuration to the same file: + + ``` + KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 + Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com + HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256 + CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 + HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 + PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 + ``` + +### Optional + +Add `hmac-sha2-256` to the `MACs` configuration. This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems. \ No newline at end of file
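Review bot: In both the client config block and step 3 of the sshd_config block, `HostKeyAlgorithms`, `PubkeyAcceptedAlgorithms` and `HostbasedAcceptedAlgorithms` list only the certificate forms of Ed25519 (`ssh-ed25519-cert-v01@openssh.com`, `sk-ssh-ed25519-cert-v01@openssh.com`) and never the plain `ssh-ed25519` or `sk-ssh-ed25519@openssh.com`, so a plain Ed25519 user key is refused by the hardened server and not offered by the hardened client, and a plain Ed25519 host key cannot be used: the `ssh_host_ed25519_key` uncommented in step 2 has no certificate, so the server will never offer it, and the client will fail host key verification against any server that presents one. Add the plain forms to each list, e.g. `HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256`, and the same for the two `*AcceptedAlgorithms` lines. The `### Optional` note about adding `hmac-sha2-256` to `MACs` describes connecting to OpenWRT, Debian and DietPi, which is the client's MAC list, so it belongs under "Configuring OpenSSH Client"; the server's `MACs` line only affects clients connecting to this Windows host. Finally, "greater than 8.X.X" in the verification step is too vague to act on: state the version string `ssh -V` is expected to print after `winget install -e --id Microsoft.OpenSSH.Beta`, and qualify "to ensure optimal security and compatibility" with the actual reason a beta build is preferred over the inbox one, since installing a beta is otherwise a trade-off readers should be told about.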