mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-23 01:21:07 +01:00
Created Windows 11 (markdown)
parent
86d0ff158e
commit
93423ca8c5
Windows-11.md (new file, 66 lines)
# Configuring OpenSSH in Windows 11
Windows 11 ships Microsoft's Win32-OpenSSH port, which is based on OpenSSH 8.x. The configuration on this page uses keyword names introduced in later releases: OpenSSH 8.5 renamed `PubkeyAcceptedKeyTypes` and `HostbasedAcceptedKeyTypes` to `PubkeyAcceptedAlgorithms` and `HostbasedAcceptedAlgorithms`, and a build older than that rejects the new names as bad configuration options. For that reason, and to get current algorithm support, update to the beta release of OpenSSH for Windows before applying the settings below.
## Updating OpenSSH
1. Open a command prompt or PowerShell window.
2. Run the following command to install the beta version of OpenSSH:
```
winget install -e --id Microsoft.OpenSSH.Beta
```
3. Verify that `ssh -V` now reports a version newer than 8.x. If the old version is still printed, another `ssh.exe` is earlier on `PATH` (`Get-Command ssh -All` lists every copy in resolution order):
```
ssh -V
```
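The version check in step 3, as an added PowerShell example that is not part of the ssh-audit wiki or of the Win32-OpenSSH project: it lists every `ssh.exe` on `PATH`, parses the banner that `ssh -V` writes to stderr, and warns when the build predates OpenSSH 8.5, the release that introduced the `*AcceptedAlgorithms` keyword names used later on this page. The `8.5` threshold and the sample banner in the comment are the only assumptions.

```powershell
# Added example (not from the ssh-audit wiki or the Win32-OpenSSH project):
# confirm which ssh.exe "ssh" resolves to and whether it is new enough for
# the keywords used later on this page. OpenSSH 8.5 renamed
# PubkeyAcceptedKeyTypes/HostbasedAcceptedKeyTypes to
# PubkeyAcceptedAlgorithms/HostbasedAcceptedAlgorithms; older builds reject
# the new names as bad configuration options.
$minimum = [version]'8.5'

# Every ssh.exe on PATH in resolution order; the first entry is what runs.
Get-Command ssh -All | Select-Object -ExpandProperty Source

# ssh -V writes its banner to stderr, so merge the streams before parsing.
# Example banner (assumed format): "OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2"
$banner = (& ssh -V 2>&1) -join ' '
if ($banner -match 'OpenSSH(?:_for_Windows)?_(\d+)\.(\d+)') {
    $installed = [version]"$($Matches[1]).$($Matches[2])"
} else {
    throw "Could not parse an OpenSSH version from: $banner"
}

if ($installed -lt $minimum) {
    Write-Warning ("ssh $installed is older than $minimum; the *AcceptedAlgorithms " +
                   "keywords on this page are unknown to it and must be written as " +
                   "*AcceptedKeyTypes until it is updated.")
} else {
    Write-Host "ssh $installed is new enough for the configuration on this page."
}
```

Run it in the same PowerShell window you will later use for `ssh`; if the first path printed is not the copy you just installed, the hardening you write will be parsed by the older binary.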
## Configuring OpenSSH Client
In Windows, the OpenSSH Client (`ssh`) takes the value of each option from the first source that sets it, reading the sources in this order:

1. Options given on the command line, including `-o Key=value` and a configuration file passed with `-F`. A file given with `-F` is read in place of the per-user file, and the system-wide file is then skipped.

2. The user's configuration file at `%userprofile%\.ssh\config`.

3. The system-wide configuration file at `%programdata%\ssh\ssh_config`.

Because the first value found wins, a `Ciphers` or `KexAlgorithms` line in a user's own file silently overrides the same keyword in the system-wide file for that user. The system-wide file therefore sets a default, not an enforced policy.
Apply the following configuration either system-wide or user-wide by placing it in the respective file path, above any `Host` block (directives that follow a `Host` line apply only to that block). Each list is in preference order, and the client's order decides which shared algorithm is negotiated. Plain `ssh-ed25519` and `sk-ssh-ed25519@openssh.com` are listed next to their certificate forms; without them the client cannot connect to a server that offers only an Ed25519 host key and will not offer ordinary Ed25519 user keys:

```
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
```
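The client procedure above (the precedence rules and the configuration block), as an added PowerShell example that is not part of the ssh-audit wiki: it writes the settings into the per-user file, prepending them so they are read before any existing `Host` block and therefore win under the first-value-found rule, and then checks the effective configuration with `ssh -G`, which prints what `ssh` would use for a host without connecting. The algorithm lists in the script include plain `ssh-ed25519` and `sk-ssh-ed25519@openssh.com` so that ordinary Ed25519 host and user keys stay usable; the host name `example.invalid` is a placeholder that is never resolved.

```powershell
# Added example (not from the ssh-audit wiki): install the client hardening
# into %USERPROFILE%\.ssh\config and verify the effective values with ssh -G.
$configDir  = Join-Path $env:USERPROFILE '.ssh'
$configFile = Join-Path $configDir 'config'

# Preference-ordered lists; the client's order decides what is negotiated.
# Plain ssh-ed25519 / sk-ssh-ed25519@openssh.com are included alongside the
# certificate forms so non-certificate Ed25519 keys keep working.
$hardening = @'
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
'@

New-Item -ItemType Directory -Path $configDir -Force | Out-Null
$existing = ''
if (Test-Path $configFile) {
    Copy-Item $configFile "$configFile.bak" -Force
    # Keep the user's Host blocks, but put the global directives first:
    # anything written after a "Host" line would belong to that block only,
    # and ssh uses the first value it finds for each keyword.
    $existing = Get-Content $configFile -Raw
}
Set-Content -Path $configFile -Value ($hardening + "`r`n" + $existing) -Encoding ascii

# ssh -G prints the effective configuration for a host without connecting;
# keyword names come back in lower case, one per line.
$effective = & ssh -G example.invalid 2>$null
foreach ($line in ($hardening -split "`r?`n")) {
    $keyword, $expected = $line -split ' ', 2
    $actual = ($effective | Where-Object { $_ -match "^$($keyword.ToLower()) " }) -replace '^\S+ ', ''
    if ($actual -ne $expected) {
        Write-Warning "${keyword}: expected '$expected' but ssh reports '$actual'"
    } else {
        Write-Host "$keyword OK"
    }
}
```

A keyword that `ssh -G` reports with a different value means an earlier source (a `-F` file or a line higher in the same file) set it first. To see what the client really offers on the wire rather than what it is configured to offer, run `ssh-audit -c` in a second window (it listens on port 2222) and connect with `ssh -p 2222 test@localhost`; ssh-audit prints the key exchange, cipher and MAC lists the client sent, in order.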
## Hardening the Windows OpenSSH Server
To harden the Windows OpenSSH Server implementation:

1. Open `%programdata%\ssh\sshd_config` in an editor running as administrator.

2. Uncomment the following two lines and leave the ECDSA (and any DSA) `HostKey` lines commented. As soon as any `HostKey` directive is present, sshd offers only the keys listed, so this is what stops the server from presenting a NIST P-curve host key:

```
HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
```

3. Add the following configuration to the same file, above any `Match` block (directives after a `Match` line apply only inside that block). Plain `ssh-ed25519` and `sk-ssh-ed25519@openssh.com` are listed next to their certificate forms; without them the Ed25519 host key enabled in step 2 would never be offered and ordinary Ed25519 user keys would be rejected at authentication:

```
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
```

4. Check the file with `sshd -t` before restarting the `sshd` service. An unknown keyword (for example `PubkeyAcceptedAlgorithms` on a build older than OpenSSH 8.5) makes the configuration invalid and the service will not start until it is corrected.
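The server procedure above, as an added PowerShell example that is not part of the ssh-audit wiki: it backs up `sshd_config`, uncomments exactly the RSA and Ed25519 `HostKey` lines, prepends the algorithm restrictions above any `Match` block, validates the result with `sshd -t` (restoring the backup if validation fails), restarts the service, and audits the live listener with `ssh-audit`. It assumes an elevated PowerShell session, that `sshd.exe` and `ssh-audit` are on `PATH`, and that the service is registered under the name `sshd`, as the Windows OpenSSH Server feature does. The algorithm lists again include plain `ssh-ed25519` and `sk-ssh-ed25519@openssh.com` beside their certificate forms.

```powershell
# Added example (not from the ssh-audit wiki): apply the sshd hardening with
# a backup, validate before restarting, and audit the result. Run elevated.
$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$sshdExe    = (Get-Command sshd).Source          # assumes sshd.exe is on PATH
Copy-Item $sshdConfig "$sshdConfig.bak" -Force

$lines = Get-Content $sshdConfig

# Step 2: enable only the RSA and Ed25519 host keys. The ECDSA/DSA lines
# stay commented, so sshd never offers a NIST P-curve host key.
$lines = $lines -replace '^#\s*(HostKey __PROGRAMDATA__/ssh/ssh_host_(rsa|ed25519)_key)\s*$', '$1'

# Step 3: preference-ordered algorithm restrictions. Plain ssh-ed25519 and
# sk-ssh-ed25519@openssh.com sit next to the certificate forms so the Ed25519
# host key is actually offered and ordinary Ed25519 user keys are accepted.
$hardening = @(
    'KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256',
    'Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr',
    'MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com',
    'HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256',
    'CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256',
    'HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256',
    'PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256'
)

# sshd uses the first value it finds for a keyword, so remove any existing
# (uncommented) lines for these keywords. This also strips them from Match
# blocks; review the .bak copy if you relied on per-group overrides.
$keywords = $hardening | ForEach-Object { ($_ -split ' ')[0] }
$lines = $lines | Where-Object { $keywords -notcontains (($_ -split '\s+')[0]) }

# Prepend so the directives are global and precede any Match block.
Set-Content -Path $sshdConfig -Value ($hardening + $lines) -Encoding ascii

# sshd -t parses the file and loads the host keys without serving; a non-zero
# exit means the service would fail to start (e.g. an unknown keyword on an
# OpenSSH build older than 8.5).
& $sshdExe -t -f $sshdConfig
if ($LASTEXITCODE -ne 0) {
    Copy-Item "$sshdConfig.bak" $sshdConfig -Force
    throw "sshd rejected the new configuration; the original file was restored."
}

Restart-Service sshd

# Audit the live listener. ssh-audit exits non-zero when it reports warnings
# or failures, so this line doubles as a pass/fail check in a script.
ssh-audit localhost
```

If `ssh-audit` still lists an `ecdsa` host key after the restart, the `HostKey` lines were not the only ones active; check for a second uncommented `HostKey` line and for directives placed inside a `Match` block.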
### Optional

Append `hmac-sha2-256` to the end of the `MACs` list. Unlike the three `-etm@openssh.com` entries it is an encrypt-and-MAC rather than encrypt-then-MAC construction, so keep it last: the client's order decides which shared MAC is negotiated, and an encrypt-then-MAC variant will still be chosen whenever the peer offers one. This MAC is necessary to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and other similar systems when the peer offers none of the encrypt-then-MAC variants.