Modern SSH Security: Best Practices

by Jean Pierre LeJacq

OpenSSH is ubiquitous in the open source community for devops and development. It is unfortunately also one of the most common attack vectors. We present modern OpenSSH features for securing connections that are rarely used and poorly understood. We also give guidance on configuring the client and server to enhance the value of these features. We also demonstrate compliance with NIST SSH guidelines. This is the one of the simplest things you can do to secure your infrastructure.

• OpenSSH certificates to simplify credential management.
• Certificates and DNSSEC SSHFP to eliminate man-in-the-middle attacks.
• Matching patterns for enhanced access control.
• Integration of OpenSSH and GnuPG authentication keys.
• Storage of keys on hardware security tokens using GnuPG and the brand new FIDO2 capability.
• Optimal Cryptographic selection including the new quantum computing resistant keys.