@networkpro/blog 0.1.6 → 1.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@networkpro/blog",
-  "version": "0.1.6",
+  "version": "1.0.0",
   "description": "The official blog of Network Pro Strategies (Network Pro).",
   "keywords": [
     "security",
@@ -14,7 +14,7 @@
     "blog",
     "netwk-pro"
   ],
-  "homepage": "https://github.com/netwk-pro/blog#readme",
+  "homepage": "https://blog.netwk.pro",
   "bugs": {
     "url": "https://github.com/netwk-pro/netwk-pro.github.io/issues"
   },
@@ -40,8 +40,8 @@
     "format:fix": "prettier --write .",
     "lint": "eslint --ext .mjs,.js,.json,.jsonc --config eslint.config.mjs .",
     "lint:fix": "eslint --ext .mjs,.js,.json,.jsonc --config eslint.config.mjs . --fix",
-    "lint:md": "npx markdownlint-cli2 \"**/*.{md,markdown}\" \"#node_modules/**\" \"#public/**\"",
-    "lint:css": "stylelint '**/*.{css}' --ignore-path .stylelintignore",
+    "lint:md": "npx markdownlint-cli2 \"**/*.{md,markdown}\" \"#node_modules/**\" \"#build/**\"",
+    "lint:css": "npx stylelint \"docs_raw/styles/*.css\" --ignore-path .stylelintignore",
     "lint:all": "npm run lint && npm run lint:md && npm run lint:css && npm run format",
     "checkout": "npm run test && npm run lint:all"
   },

package/search/search_index.json

@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Blog Home","text":"<p><sup>SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code></sup></p>","tags":["index","network-pro","blog"]},{"location":"#blog-home","title":"Blog Home","text":"","tags":["index","network-pro","blog"]},{"location":"ATTRIBUTION/","title":"ATTRIBUTION","text":"<p>Copyright (c) 2016-2023 Martin Donath martin.donath@squidfunk.com Alex Voss alex@corealisation.com</p> <p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p> <p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p> <p>THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>"},{"location":"CONDUCT/","title":"Contributing","text":"<p><sup>SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code></sup></p> <p></p>"},{"location":"CONDUCT/#contributor-covenant-code-of-conduct","title":"Contributor Covenant Code of Conduct","text":"<p>Network Pro Strategies Effective Date: 3/21/2025</p>"},{"location":"CONDUCT/#contents","title":"Contents","text":"<ul> <li>Our Pledge</li> <li>Our Standards</li> <li>Responsibilities</li> <li>Scope</li> <li>Enforcement</li> <li>Attribution</li> </ul>"},{"location":"CONDUCT/#our-pledge","title":"Our Pledge","text":"<p>We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.</p> <p>We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.</p> <p><sub>Back to top</sub></p> <p></p>"},{"location":"CONDUCT/#our-standards","title":"Our Standards","text":"<p>Examples of behavior that contributes to a positive environment for our community include:</p> <ul> <li>Demonstrating empathy and kindness toward other people</li> <li>Being respectful of differing opinions, viewpoints, and experiences</li> <li>Giving and gracefully accepting constructive feedback</li> <li>Accepting responsibility and apologizing to those affected by our mistakes,   and learning from the experience</li> <li>Focusing on what is best not just for us as individuals, but for the overall   community</li> </ul> <p>Examples of unacceptable behavior include:</p> <ul> <li>The use of sexualized language or imagery, and sexual attention or advances of   any kind</li> <li>Trolling, insulting or derogatory comments, and personal or political attacks</li> <li>Public or private harassment</li> <li>Publishing others' private information, such as a physical or email address,   without their explicit permission</li> <li>Other conduct which could reasonably be considered inappropriate in a   professional setting</li> </ul> <p><sub>Back to top</sub></p> <p></p>"},{"location":"CONDUCT/#responsibilities","title":"Responsibilities","text":"<p>Company and community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.</p> <p>Company and community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.</p> <p>Network Pro Strategies reserves the right, at its sole discretion, to remove, edit, or reject any contributions that are contrary to or detrimental to its business interests.</p> <p><sub>Back to top</sub></p> <p></p>"},{"location":"CONDUCT/#scope","title":"Scope","text":"<p>This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the company or community in public spaces. Examples of representing our company or community include using an official email address, posting via an official social media account, or acting as an appointed representative at an online or offline event.</p> <p><sub>Back to top</sub></p> <p></p>"},{"location":"CONDUCT/#enforcement","title":"Enforcement","text":"<p>Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the abuse team at abuse@neteng.pro. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.</p> <p>The abuse team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.</p> <p>Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project\u2019s leadership.</p> <p><sub>Back to top</sub></p> <p></p>"},{"location":"CONDUCT/#attribution","title":"Attribution","text":"<p>This Code of Conduct is adapted from the Contributor Covenant, version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.</p> <p>The Enforcement section is adapted from the Contributor Covenant, version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct/.</p> <p>For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.</p> <p><sub>Back to top</sub></p> <p> <p>Home \u00a0 | \u00a0 Terms of Use Privacy Policy \u00a0 | \u00a0 Legal</p> <p></p> <p> </p> <p> <p>Copyright \u00a9 2025 Network Pro Strategies (Network Pro\u2122)</p> <p>Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies.</p> <p>Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.</p> <p></p>"},{"location":"tags/","title":"Tags","text":"<p><sup>SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code></sup></p>"},{"location":"tags/#tag-index","title":"Tag Index","text":""},{"location":"tags/#tag:blog","title":"blog","text":"<ul> <li>            Blog Home          </li> <li>            Our Blog is Live!          </li> </ul>"},{"location":"tags/#tag:index","title":"index","text":"<ul> <li>            Blog Home          </li> </ul>"},{"location":"tags/#tag:network-pro","title":"network-pro","text":"<ul> <li>            Blog Home          </li> <li>            Our Blog is Live!          </li> </ul>"},{"location":"tags/#tag:post","title":"post","text":"<ul> <li>            Secure Secure Shell          </li> </ul>"},{"location":"tags/#tag:security","title":"security","text":"<ul> <li>            Secure Secure Shell          </li> </ul> <p>This page lists all of the tags used in the documentation. Click on a tag to see all the related pages.</p>"},{"location":"author/team/","title":"Network Pro Strategies","text":"<p>Network Pro\u2122 is a remote-first consultancy specializing in network hardening, firewall architecture, cloud security, and secure infrastructure design. We help organizations reduce risk and strengthen their security posture through practical, privacy-aware solutions\u2014offering both short-term support and strategic, long-term partnerships.</p> <p>Below are some of the articles we've published recently:</p>"},{"location":"2025/04/30/our-blog-is-live/","title":"We're Live","text":"","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#welcome-to-the-network-protm-blog-cybersecurity-privacy-open-knowledge","title":"\ud83d\udee1\ufe0f Welcome to the Network Pro\u2122 Blog: Cybersecurity. Privacy. Open Knowledge","text":"<p>In a digital world where threats are persistent and privacy is too often an afterthought, Network Pro Strategies was founded on a belief that effective security doesn't require compromise. We specialize in helping organizations and individuals navigate today\u2019s cybersecurity challenges with confidence, clarity, and control.</p> <p>Today marks the launch of our official blog\u2014your go-to destination for field-tested strategies, implementation insights, and transparent thought leadership across cybersecurity, network defense, and privacy-aware infrastructure.</p>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#why-this-blog-exists","title":"\ud83d\udce1 Why This Blog Exists","text":"<p>Modern security isn\u2019t just about technology\u2014it\u2019s about trust, autonomy, and informed choices. As threats evolve and surveillance becomes normalized, we believe clients deserve more than marketing fluff and opaque solutions.</p> <p>This blog represents our commitment to providing value through:</p> <ul> <li>\ud83d\udcbc SMBs and enterprises needing tailored, scalable security that protects business continuity</li> <li>\ud83c\udfdb\ufe0f Government and compliance-sensitive sectors where resilience and data integrity are mission-critical</li> <li>\ud83d\udc68\u200d\ud83d\udcbb Technologists and privacy-conscious communities seeking reliable strategies and tools that don\u2019t trade transparency for control</li> </ul>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#what-youll-find-here","title":"\ud83d\udcec What You\u2019ll Find Here","text":"<p>You won\u2019t find empty buzzwords or vendor lock-in here. This space is practical, accessible, and real. Expect content grounded in hands-on consulting experience, addressing real-world needs like:</p> <ul> <li>\ud83d\udd10 Guides on securing infrastructure through Zero Trust principles, secure network design, segmentation, and data governance</li> <li>\ud83c\udf10 Exploration of free and open source tools that align with professional-grade expectations for security and usability</li> <li>\ud83d\udcf1 Best practices for mobile and endpoint hardening, including private-by-design communications and de-Googled Android stacks</li> <li>\u2699\ufe0f Scalable implementation tips for building resilient, ethical, and vendor-neutral technology environments</li> </ul> <p>We\u2019ll also publish tutorials, deep dives, and threat-focused analyses to help you anticipate risk, strengthen defenses, and stay informed\u2014no jargon, no gatekeeping.</p>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#our-vision-security-that-respects-you","title":"\u2705 Our Vision: Security That Respects You","text":"<p>At Network Pro\u2122, we believe security should be transparent, adaptable, and aligned with your goals. While we advocate for privacy-first solutions and actively support open technologies, we apply them with discretion\u2014not dogma. Our priority is delivering reliable, resilient results, whether through open source tools or vetted proprietary platforms.</p> <p>We serve as trusted advisors for navigating today\u2019s threat landscape\u2014delivering infrastructure consulting, cloud and hybrid architecture support, and technical guidance rooted in industry experience. Our approach is practical, flexible, and future-focused, designed to protect what matters most without sacrificing visibility or control.</p>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#ready-to-build-a-safer-smarter-digital-future","title":"\ud83d\udd10 Ready to Build a Safer, Smarter Digital Future?","text":"<p>Cybersecurity isn\u2019t just a product\u2014it\u2019s a process. Whether you're designing secure networks, navigating digital privacy concerns, or evaluating new tools, Network Pro\u2122 is here to support your mission.</p> <p>Let\u2019s build something secure, sustainable, and respectful of your values.</p> <p>\ud83d\udce9 Contact us today to get started.</p> <p>Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies.</p> <p>Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.</p>","tags":["network-pro","blog"]},{"location":"2015/01/04/secure-secure-shell/","title":"Secure Secure Shell","text":"Originally published on 1/4/2015 by stribika at: https://blog.stribik.technology/2015/01/04/secure-secure-shell.html  Mirrored to preserve information. Minor changes have been made, and this is noted where applicable. Also see: https://security.stackexchange.com/questions/143442/what-are-ssh-keygen-best-practices  \ud83d\udcdd NOTE: Despite this article's age, we've yet to come across a better source of information with regard to SSH configuration.  <ul> <li>Skip to the good part.</li> </ul> <p>You may have heard that the NSA can decrypt SSH at least some of the time. If you have not, then read the latest batch of Snowden documents now. All of it. This post will still be here when you finish. My goal with this post here is to make NSA analysts sad.</p> <p>TL;DR: Scan this post for fixed width fonts, these will be the config file snippets and commands you have to use.</p> <p>Warning: You will need a recent OpenSSH version. It should work with 6.5 but I have only tested 6.7 and connections to Github. Here is a good compatibility matrix.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#the-crypto","title":"The crypto","text":"<p>Reading the documents, I have the feeling that the NSA can 1) decrypt weak crypto and 2) steal keys. Let's focus on the crypto first. SSH supports different key exchange algorithms, ciphers and message authentication codes. The server and the client choose a set of algorithms supported by both, then proceed with the key exchange. Some of the supported algorithms are not so great and should be disabled completely. This hurts interoperability but everyone uses OpenSSH anyway. Fortunately, downgrade attacks are not possible because the supported algorithm lists are included in the key derivation. If a man in the middle were to change the lists, then the server and the client would calculate different keys.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#key-exchange","title":"Key exchange","text":"<p>There are basically two ways to do key exchange: Diffie-Hellman and Elliptic Curve Diffie-Hellman. Both provide forward secrecy which the NSA hates because they can't use passive collection and key recovery later. The server and the client will end up with a shared secret number at the end without a passive eavesdropper learning anything about this number. After we have a shared secret we have to derive a cryptographic key from this using a key derivation function. In case of SSH, this is a hash function. Collision attacks on this hash function have been proven to allow downgrade attacks.</p> <p>DH works with a multiplicative group of integers modulo a prime. Its security is based on the hardness of the discrete logarithm problem.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#alice-bob","title":"<pre><code>Alice Bob\n<p>Sa = random\nPa = g^Sa --&gt; Pa\nSb = random\nPb &lt;-- Pb = g^Sb\ns = Pb^Sa s = Pa^Sb\nk = KDF(s) k = KDF(s)</p>\n<p>ECDH works with elliptic curves over finite fields.\nIts security is based on the hardness of the elliptic curve discrete logarithm problem.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#alice-bob_1","title":"<pre><code>Alice Bob\n<p>Sa = random\nPa = Sa G --&gt; Pa\nSb = random\nPb &lt;-- Pb = Sb G\ns = Sa Pb s = Sb Pa\nk = KDF(s) k = KDF(s)</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#sshd-configuration","title":"SSHD Configuration\n\n<p>NOTE: Emphasis added, it was not present in the originally published article.\nKey exchange 1 (curve25519-sha256) alone is ideal, 8 is also acceptable for interoperability.</p>\n\n<p>OpenSSH supports 11 key exchange protocols:</p>\n<ol>\n<li>curve25519-sha256: ECDH over Curve25519 with SHA2</li>\n<li>diffie-hellman-group1-sha1: 1024 bit DH with SHA1</li>\n<li>diffie-hellman-group14-sha1: 2048 bit DH with SHA1</li>\n<li>diffie-hellman-group14-sha256: 2048 bit DH with SHA2</li>\n<li>diffie-hellman-group16-sha512: 4096 bit DH with SHA2</li>\n<li>diffie-hellman-group18-sha512: 8192 bit DH with SHA2</li>\n<li>diffie-hellman-group-exchange-sha1: Custom DH with SHA1</li>\n<li>diffie-hellman-group-exchange-sha256: Custom DH with SHA2</li>\n<li>ecdh-sha2-nistp256: ECDH over NIST P-256 with SHA2</li>\n<li>ecdh-sha2-nistp384: ECDH over NIST P-384 with SHA2</li>\n<li>ecdh-sha2-nistp521: ECDH over NIST P-521 with SHA2</li>\n</ol>\n<p>We have to look at 3 things here:</p>\n<ul>\n<li>ECDH curve choice:\n  This eliminates 9-11 because NIST curves suck.\n  They leak secrets through timing side channels and off-curve inputs.\n  Also, NIST is considered harmful and cannot be trusted.</li>\n<li>Bit size of the DH modulus:\n  This eliminates 2 because the NSA has supercomputers and possibly unknown attacks.\n  1024 bits simply don't offer sufficient security margin.</li>\n<li>Security of the hash function:\n  This eliminates 2, 3, and 7 because SHA1 is broken.\n  We don't have to wait for a second preimage attack that takes 10 minutes on a cellphone to disable it right now.</li>\n</ul>\n<p>We are left with 1 and 8, as well as 4-6 which were added in OpenSSH 7.3.\n1 is better and it's perfectly OK to only support that but for interoperability (with Eclipse, WinSCP), 8 can be included.</p>\n\n<p>NOTE: 8 should no longer be necessary in newer versions of WinSCP. If in doubt, test with only 1 first. Add 8 if it won't connect otherwise.</p>\n\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code># Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.\n#Host github.com\n#    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1\n\nHost *\n    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256</code></pre>\n\n\n<p>NOTE: GitHub should no longer need a separate setting, as they've transitioned away from SSH keys. They should not require an exception regardless.</p>\n\n<p>If you chose to enable 8, open <code>/etc/ssh/moduli</code> if exists, and delete lines where the 5th column is less than 2000.</p>\n<pre><code>awk '$5 &gt; 2000' /etc/ssh/moduli &gt; \"${HOME}/moduli\"\nwc -l \"${HOME}/moduli\" # make sure there is something left\nmv \"${HOME}/moduli\" /etc/ssh/moduli</code></pre>\n\n<p>If it does not exist, create it:</p>\n<pre><code>ssh-keygen -G /etc/ssh/moduli.all -b 4096\nssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all\nmv /etc/ssh/moduli.safe /etc/ssh/moduli\nrm /etc/ssh/moduli.all</code></pre>\n\n<p>This will take a while so continue while it's running.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#authentication","title":"Authentication\n<p>The key exchange ensures that the server and the client shares a secret no one else knows.\nWe also have to make sure that they share this secret with each other and not an NSA analyst.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#server-authentication","title":"Server authentication","text":"<p>The server proves its identity to the client by signing the key resulting from the key exchange.\nThere are 4 public key algorithms for authentication:</p>\n<ol>\n<li>DSA with SHA1</li>\n<li>ECDSA with SHA256, SHA384 or SHA512 depending on key size</li>\n<li>Ed25519 with SHA512</li>\n<li>RSA with SHA1</li>\n</ol>\n<p>DSA keys must be exactly 1024 bits so let's disable that.\nNumber 2 here involves NIST suckage and should be disabled as well.\nAnother important disadvantage of DSA and ECDSA is that it uses randomness for each signature.\nIf the random numbers are not the best quality, then it is possible to recover the secret key.\nFortunately, RSA using SHA1 is not a problem here because the value being signed is actually a SHA2 hash.\nThe hash function SHA1(SHA2(x)) is just as secure as SHA2 (it has less bits of course but no better attacks).</p>\n<pre><code>Protocol 2\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key</code></pre>\n\n<p>The first time you connect to your server, you will be asked to accept the new fingerprint.</p>\n<p>This will also disable the horribly broken v1 protocol that you should not have enabled in the first place.\nWe should remove the unused keys and only generate a large RSA key and an Ed25519 key.\nYour init scripts may recreate the unused keys.\nIf you don't want that, remove any <code>ssh-keygen</code> commands from the init script.</p>\n<pre><code>cd /etc/ssh\nrm ssh_host_*key*\nssh-keygen -t ed25519 -f ssh_host_ed25519_key -N \"\" &lt; /dev/null\nssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N \"\" &lt; /dev/null</code></pre>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#client-authentication","title":"Client authentication","text":"<p>The client must prove its identity to the server as well.\nThere are various methods to do that.</p>\n<p>The simplest is password authentication.\nThis should be disabled immediately after setting up a more secure method because it allows compromised servers to steal passwords.\nPassword authentication is also more vulnerable to online bruteforce attacks.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>PasswordAuthentication no\nChallengeResponseAuthentication no</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    PasswordAuthentication no\n    ChallengeResponseAuthentication no</code></pre>\n\n<p>The most common and secure method is public key authentication, basically the same process as the server authentication.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>PubkeyAuthentication yes</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    PubkeyAuthentication yes\n    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa</code></pre>\n\n<p>Generate client keys using the following commands:</p>\n<pre><code>ssh-keygen -t ed25519 -o -a 100\nssh-keygen -t rsa -b 4096 -o -a 100</code></pre>\n\n<p>You can deploy your new client public keys using <code>ssh-copy-id</code>.</p>\n<p>It is also possible to use OTP authentication to reduce the consequences of lost passwords.\nGoogle Authenticator is a nice implementation of TOTP, or Timebased One Time Password.\nYou can also use a printed list of one time passwords or any other PAM module, really, if you enable <code>ChallengeResponseAuthentication</code>.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#user-authentication","title":"User Authentication","text":"<p>Even with Public Key authentication, you should only allow incoming connections from expected users. The <code>AllowUsers</code> setting in <code>sshd_config</code> lets you specify users who are allowed to connect, but this can get complicated with a large number of ssh users. Additionally, when deleting a user from the system, the username is not removed from <code>sshd_config</code>, which adds to maintenance requirements. The solution is to use the <code>AllowGroups</code> setting instead, and add users to an <code>ssh-user</code> group.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>AllowGroups ssh-user</code></pre>\n\n<p>Create the ssh-user group with <code>sudo groupadd ssh-user</code>, then add each ssh user to the group with <code>sudo usermod -a -G ssh-user &lt;username&gt;</code>.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#symmetric-ciphers","title":"Symmetric ciphers\n\n<p>NOTE: Emphasis added.</p>\n\n<p>Symmetric ciphers are used to encrypt the data after the initial key exchange and authentication is complete.</p>\n<p>Here we have quite a few algorithms (10-14 were removed in OpenSSH 7.6):</p>\n<ol>\n<li>3des-cbc</li>\n<li>aes128-cbc</li>\n<li>aes192-cbc</li>\n<li>aes256-cbc</li>\n<li>aes128-ctr</li>\n<li>aes192-ctr</li>\n<li>aes256-ctr</li>\n<li>aes128-gcm@openssh.com</li>\n<li>aes256-gcm@openssh.com</li>\n<li>arcfour</li>\n<li>arcfour128</li>\n<li>arcfour256</li>\n<li>blowfish-cbc</li>\n<li>cast128-cbc</li>\n<li>chacha20-poly1305@openssh.com</li>\n</ol>\n<p>We have to consider the following:</p>\n<ul>\n<li>Security of the cipher algorithm:\n  This eliminates 1 and 10-12 - both DES and RC4 are broken.\n  Again, no need to wait for them to become even weaker, disable them now.</li>\n<li>Key size:\n  At least 128 bits, the more the better.</li>\n<li>Block size:\n  Does not apply to stream ciphers.\n  At least 128 bits.\n  This eliminates 13 and 14 because those have a 64 bit block size.</li>\n<li>Cipher mode:\n  The recommended approach here is to prefer AE modes and optionally allow CTR for compatibility.\n  CTR with Encrypt-then-MAC is provably secure.</li>\n</ul>\n<p>Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does not encrypt message sizes when GCM (or EtM) is in use.\nThis allows some traffic analysis even without decrypting the data.\nWe will deal with that soon.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</code></pre>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#message-authentication-codes","title":"Message authentication codes\n\n<p>Emphasis added.</p>\n\n<p>Encryption provides confidentiality, message authentication code provides integrity.\nWe need both.\nIf an AE cipher mode is selected, then extra MACs are not used, the integrity is already given.\nIf CTR is selected, then we need a MAC to calculate and attach a tag to every message.</p>\n<p>There are multiple ways to combine ciphers and MACs - not all of these are useful.\nThe 3 most common:</p>\n<ul>\n<li>Encrypt-then-MAC: encrypt the message, then attach the MAC of the ciphertext.</li>\n<li>MAC-then-encrypt: attach the MAC of the plaintext, then encrypt everything.</li>\n<li>Encrypt-and-MAC: encrypt the message, then attach the MAC of the plaintext.</li>\n</ul>\n<p>Only Encrypt-then-MAC should be used, period.\nUsing MAC-then-encrypt have lead to many attacks on TLS while Encrypt-and-MAC have lead to not quite that many attacks on SSH.\nThe reason for this is that the more you fiddle with an attacker provided message, the more chance the attacker has to gain information through side channels.\nIn case of Encrypt-then-MAC, the MAC is verified and if incorrect, discarded.\nBoom, one step, no timing channels.\nIn case of MAC-then-encrypt, first the attacker provided message has to be decrypted and only then can you verify it.\nDecryption failure (due to invalid CBC padding for example) may take less time than verification failure.\nEncrypt-and-MAC also has to be decrypted first, leading to the same kind of potential side channels.\nIt's even worse because no one said that a MAC's output can't leak what its input was.\nSSH by default, uses this method.</p>\n<p>Here are the available MAC choices:</p>\n<ol>\n<li>hmac-md5</li>\n<li>hmac-md5-96</li>\n<li>hmac-sha1</li>\n<li>hmac-sha1-96</li>\n<li>hmac-sha2-256</li>\n<li>hmac-sha2-512</li>\n<li>umac-64</li>\n<li>umac-128</li>\n<li>hmac-md5-etm@openssh.com</li>\n<li>hmac-md5-96-etm@openssh.com</li>\n<li>hmac-sha1-etm@openssh.com</li>\n<li>hmac-sha1-96-etm@openssh.com</li>\n<li>hmac-sha2-256-etm@openssh.com</li>\n<li>hmac-sha2-512-etm@openssh.com</li>\n<li>umac-64-etm@openssh.com</li>\n<li>umac-128-etm@openssh.com</li>\n</ol>\n<p>The selection considerations:</p>\n<ul>\n<li>Security of the hash algorithm:\n  No MD5 and SHA1.\n  Yes, I know that HMAC-SHA1 does not need collision resistance but why wait?\n  Disable weak crypto today.</li>\n<li>Encrypt-then-MAC:\n  I am not aware of a security proof for CTR-and-HMAC but I also don't think CTR decryption can fail.\n  Since there are no downgrade attacks, you can add them to the end of the list.\n  You can also do this on a host by host basis so you know which ones are less safe.</li>\n<li>Tag size:\n  At least 128 bits.\n  This eliminates umac-64-etm.</li>\n<li>Key size:\n  At least 128 bits.\n  This doesn't eliminate anything at this point.</li>\n</ul>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com</code></pre>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#preventing-key-theft","title":"Preventing key theft","text":"<p>Even with forward secrecy the secret keys must be kept secret.\nThe NSA has a database of stolen keys - you do not want your key there.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#system-hardening","title":"System hardening\n<p>OpenSSH has some undocumented, and rarely used features.\nUseRoaming is one such feature with a known vulnerability.</p>\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n   UseRoaming no</code></pre>\n\n<p>This post is not intended to be a comprehensive system security guide.\nVery briefly:</p>\n<ul>\n<li>Don't install what you don't need:\n  Every single line of code has a chance of containing a bug.\n  Some of these bugs are security holes.\n  Fewer lines, fewer holes.</li>\n<li>Use free software:\n  As in speech.\n  You want to use code that's actually reviewed or that you can review yourself.\n  There is no way to achieve that without source code.\n  Someone may have reviewed proprietary crap but who knows.</li>\n<li>Keep your software up to date:\n  New versions often fix critical security holes.</li>\n<li>Exploit mitigation:\n  Sad but true - there will always be security holes in your software.\n  There are things you can do to prevent their exploitation, such as GCC's -fstack-protector.\n  One of the best security projects out there is Grsecurity.\n  Use it or use OpenBSD.</li>\n</ul>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#traffic-analysis-resistance","title":"Traffic analysis resistance\n<p>Set up Tor hidden services for your SSH servers.\nThis has multiple advantages.\nIt provides an additional layer of encryption and server authentication.\nPeople looking at your traffic will not know your IP, so they will be unable to scan and target other services running on the same server and client.\nAttackers can still attack these services but don't know if it has anything to do with the observed traffic until they actually break in.</p>\n<p>Now this is only true if you don't disclose your SSH server's fingerprint in any other way.\nYou should only accept connections from the hidden service or from LAN, if required.</p>\n<p>If you don't need LAN access, you can add the following line to <code>/etc/ssh/sshd_config</code>:</p>\n<pre><code>ListenAddress 127.0.0.1:22</code></pre>\n\n<p>Add this to <code>/etc/tor/torrc</code>:</p>\n<pre><code>HiddenServiceDir /var/lib/tor/hidden_service/ssh\nHiddenServicePort 22 127.0.0.1:22</code></pre>\n\n<p>You will find the hostname you have to use in <code>/var/lib/tor/hidden_service/ssh/hostname</code>.\nYou also have to configure the client to use Tor.\nFor this, socat will be needed.\nAdd the following line to <code>/etc/ssh/ssh_config</code>:</p>\n<pre><code>Host *.onion\n    ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050\n\nHost *\n    ...</code></pre>\n\n<p>If you want to allow connections from LAN, don't use the <code>ListenAddress</code> line, configure your firewall instead.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#key-storage","title":"Key storage\n<p>You should encrypt your client key files using a strong password.\nAdditionally, you can use <code>ssh-keygen -o -a $number</code> to slow down cracking attempts by iterating the hash function many times.\nYou may want to store them on a pendrive and only plug it in when you want to use SSH.\nAre you more likely to lose your pendrive or have your system compromised?\nI don't know.</p>\n<p>Unfortunately, you can't encrypt your server key and it must be always available, or else sshd won't start.\nThe only thing protecting it is OS access controls.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#the-end","title":"The end","text":"<p>It's probably a good idea to test the changes.\n<code>ssh -v</code> will print the selected algorithms and also makes problems easier to spot.\nBe extremely careful when configuring SSH on a remote host.\nAlways keep an active session, never restart sshd.\nInstead you can send the <code>SIGHUP</code> signal to reload the configuration without killing your session.\nYou can be even more careful by starting a new sshd instance on a different port and testing that.</p>\n<p>Can you make these changes?\nIf the answer is yes, then...</p>\n<p></p>\n<p>If the answer is no, it's probably due to compatibility problems.\nYou can try to convince the other side to upgrade their security and turn it into a yes.\nI have created a wiki page where anyone can add config files for preserving compatibility with various SSH implementations and SSH based services.</p>\n<p>If you work for a big company and change management doesn't let you do it, I'm sorry.\nI've seen the v1 protocol enabled in such places.\nThere is no chance of improvement.\nGive up to preseve your sanity.</p>\n<p>Special thanks to the people of Twitter for the improvements.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#changelog","title":"ChangeLog","text":"<p>You may have noticed that this document changed since last time.\nI want to be very transparent about this.\nThere were three major changes:</p>\n<ul>\n<li>After some debate and going back and forth between including GCM or not, it's now back again.\n  The reason for dropping it was that SSH doesn't encrypt packet sizes when using GCM.\n  The reason for bringing it back is that SSH does the same with any EtM algorithms.\n  There is no way around this unless you can live with chacha20-poly1305 only.\n  Also, the leaked documents don't sound like they can figure out the lengths or confirm presence of some things, more like straight up \"send it to us and we'll decrypt it for you\".\n  Wrapping SSH in a Tor hidden service will take care of any traffic analysis concerns.</li>\n<li>I'm now allowing Encrypt-and-MAC algorithms with CTR ciphers as a last resort.\n  I initially thought it was possible to use downgrade attacks, I now think it is not.</li>\n<li>I briefly disabled RSA because it uses SHA1, this turned out to be a non-issue because we're signing SHA2 hashes.</li>\n</ul>\n<p>You can see the full list of changes on github.\nI promise not to use <code>git push -f</code>.</p>\n\n\n\n<p>Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies.</p>\n\n<p>Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.</p>","tags":["security","post"]},{"location":"archive/2025/","title":"April 2025","text":""},{"location":"archive/2015/","title":"January 2015","text":""},{"location":"category/security/","title":"Security","text":""}]}
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Blog Home","text":"<p><sup>SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code></sup></p>","tags":["index","network-pro","blog"]},{"location":"#blog-home","title":"Blog Home","text":"","tags":["index","network-pro","blog"]},{"location":"contributing/","title":"Code of Conduct","text":"<p><sup>SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code></sup></p> <p></p>","tags":["network-pro","contributing"]},{"location":"contributing/#contributor-covenant-code-of-conduct","title":"Contributor Covenant Code of Conduct","text":"<p>Network Pro Strategies Effective Date: May 10, 2025</p>","tags":["network-pro","contributing"]},{"location":"contributing/#table-of-contents","title":"Table of Contents","text":"<ul> <li>Our Pledge</li> <li>Our Standards</li> <li>Responsibilities</li> <li>Scope</li> <li>Enforcement</li> <li>Attribution</li> </ul>","tags":["network-pro","contributing"]},{"location":"contributing/#our-pledge","title":"Our Pledge","text":"<p>We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.</p> <p>We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.</p> <p><sub>Back to top</sub></p> <p></p>","tags":["network-pro","contributing"]},{"location":"contributing/#our-standards","title":"Our Standards","text":"<p>Examples of behavior that contributes to a positive environment for our community include:</p> <ul> <li>Demonstrating empathy and kindness toward other people</li> <li>Being respectful of differing opinions, viewpoints, and experiences</li> <li>Giving and gracefully accepting constructive feedback</li> <li>Accepting responsibility and apologizing to those affected by our mistakes,   and learning from the experience</li> <li>Focusing on what is best not just for us as individuals, but for the overall   community</li> </ul> <p>Examples of unacceptable behavior include:</p> <ul> <li>The use of sexualized language or imagery, and sexual attention or advances of   any kind</li> <li>Trolling, insulting or derogatory comments, and personal or political attacks</li> <li>Public or private harassment</li> <li>Publishing others' private information, such as a physical or email address,   without their explicit permission</li> <li>Other conduct which could reasonably be considered inappropriate in a   professional setting</li> </ul> <p><sub>Back to top</sub></p> <p></p>","tags":["network-pro","contributing"]},{"location":"contributing/#responsibilities","title":"Responsibilities","text":"<p>Company and community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.</p> <p>Company and community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.</p> <p>Network Pro Strategies reserves the right, at its sole discretion, to remove, edit, or reject any contributions that are contrary to or detrimental to its business interests.</p> <p><sub>Back to top</sub></p> <p></p>","tags":["network-pro","contributing"]},{"location":"contributing/#scope","title":"Scope","text":"<p>This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the company or community in public spaces. Examples of representing our company or community include using an official email address, posting via an official social media account, or acting as an appointed representative at an online or offline event.</p> <p><sub>Back to top</sub></p> <p></p>","tags":["network-pro","contributing"]},{"location":"contributing/#enforcement","title":"Enforcement","text":"<p>Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the abuse team at abuse@neteng.pro. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.</p> <p>The abuse team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.</p> <p>Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project\u2019s leadership.</p> <p><sub>Back to top</sub></p> <p></p>","tags":["network-pro","contributing"]},{"location":"contributing/#attribution","title":"Attribution","text":"<p>This Code of Conduct is adapted from the Contributor Covenant, version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.</p> <p>The Enforcement section is adapted from the Contributor Covenant, version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct/.</p> <p>For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.</p> <p><sub>Back to top</sub></p> <p> <p>Home \u00a0 | \u00a0 Terms of Use Privacy Policy \u00a0 | \u00a0 Legal</p> <p></p> <p> </p> <p> <p>Copyright \u00a9 2025 Network Pro Strategies (Network Pro\u2122)</p> <p>Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies.</p> <p>Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.</p> <p></p>","tags":["network-pro","contributing"]},{"location":"tags/","title":"Tag Index","text":"<p><sup>SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code></sup></p>"},{"location":"tags/#tags","title":"Tags","text":"<p>This page lists all of the tags used in the blog. Click on a tag to see the related articles and posts.</p>"},{"location":"tags/#tag:blog","title":"blog","text":"<ul> <li>            Blog Home          </li> <li>            Our Blog is Live!          </li> </ul>"},{"location":"tags/#tag:contributing","title":"contributing","text":"<ul> <li>            Code of Conduct          </li> </ul>"},{"location":"tags/#tag:index","title":"index","text":"<ul> <li>            Blog Home          </li> </ul>"},{"location":"tags/#tag:network-pro","title":"network-pro","text":"<ul> <li>            Blog Home          </li> <li>            Code of Conduct          </li> <li>            Our Blog is Live!          </li> </ul>"},{"location":"tags/#tag:post","title":"post","text":"<ul> <li>            Secure Secure Shell          </li> </ul>"},{"location":"tags/#tag:security","title":"security","text":"<ul> <li>            Secure Secure Shell          </li> </ul>"},{"location":"author/team/","title":"Network Pro Strategies","text":"<p>Network Pro\u2122 is a remote-first consultancy specializing in network hardening, firewall architecture, cloud security, and secure infrastructure design. We help organizations reduce risk and strengthen their security posture through practical, privacy-aware solutions\u2014offering both short-term support and strategic, long-term partnerships.</p> <p>Below are some of the articles we've published recently:</p>"},{"location":"2025/04/30/our-blog-is-live/","title":"We're Live","text":"","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#welcome-to-the-network-protm-blog-cybersecurity-privacy-open-knowledge","title":"\ud83d\udee1\ufe0f Welcome to the Network Pro\u2122 Blog: Cybersecurity. Privacy. Open Knowledge","text":"<p>In a digital world where threats are persistent and privacy is too often an afterthought, Network Pro Strategies was founded on a belief that effective security doesn't require compromise. We specialize in helping organizations and individuals navigate today\u2019s cybersecurity challenges with confidence, clarity, and control.</p> <p>Today marks the launch of our official blog\u2014your go-to destination for field-tested strategies, implementation insights, and transparent thought leadership across cybersecurity, network defense, and privacy-aware infrastructure.</p>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#why-this-blog-exists","title":"\ud83d\udce1 Why This Blog Exists","text":"<p>Modern security isn\u2019t just about technology\u2014it\u2019s about trust, autonomy, and informed choices. As threats evolve and surveillance becomes normalized, we believe clients deserve more than marketing fluff and opaque solutions.</p> <p>This blog represents our commitment to providing value through:</p> <ul> <li>\ud83d\udcbc SMBs and enterprises needing tailored, scalable security that protects business continuity</li> <li>\ud83c\udfdb\ufe0f Government and compliance-sensitive sectors where resilience and data integrity are mission-critical</li> <li>\ud83d\udc68\u200d\ud83d\udcbb Technologists and privacy-conscious communities seeking reliable strategies and tools that don\u2019t trade transparency for control</li> </ul>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#what-youll-find-here","title":"\ud83d\udcec What You\u2019ll Find Here","text":"<p>You won\u2019t find empty buzzwords or vendor lock-in here. This space is practical, accessible, and real. Expect content grounded in hands-on consulting experience, addressing real-world needs like:</p> <ul> <li>\ud83d\udd10 Guides on securing infrastructure through Zero Trust principles, secure network design, segmentation, and data governance</li> <li>\ud83c\udf10 Exploration of free and open source tools that align with professional-grade expectations for security and usability</li> <li>\ud83d\udcf1 Best practices for mobile and endpoint hardening, including private-by-design communications and de-Googled Android stacks</li> <li>\u2699\ufe0f Scalable implementation tips for building resilient, ethical, and vendor-neutral technology environments</li> </ul> <p>We\u2019ll also publish tutorials, deep dives, and threat-focused analyses to help you anticipate risk, strengthen defenses, and stay informed\u2014no jargon, no gatekeeping.</p>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#our-vision-security-that-respects-you","title":"\u2705 Our Vision: Security That Respects You","text":"<p>At Network Pro\u2122, we believe security should be transparent, adaptable, and aligned with your goals. While we advocate for privacy-first solutions and actively support open technologies, we apply them with discretion\u2014not dogma. Our priority is delivering reliable, resilient results, whether through open source tools or vetted proprietary platforms.</p> <p>We serve as trusted advisors for navigating today\u2019s threat landscape\u2014delivering infrastructure consulting, cloud and hybrid architecture support, and technical guidance rooted in industry experience. Our approach is practical, flexible, and future-focused, designed to protect what matters most without sacrificing visibility or control.</p>","tags":["network-pro","blog"]},{"location":"2025/04/30/our-blog-is-live/#ready-to-build-a-safer-smarter-digital-future","title":"\ud83d\udd10 Ready to Build a Safer, Smarter Digital Future?","text":"<p>Cybersecurity isn\u2019t just a product\u2014it\u2019s a process. Whether you're designing secure networks, navigating digital privacy concerns, or evaluating new tools, Network Pro\u2122 is here to support your mission.</p> <p>Let\u2019s build something secure, sustainable, and respectful of your values.</p> <p>\ud83d\udce9 Contact us today to get started.</p> <p>Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies.</p> <p>Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.</p>","tags":["network-pro","blog"]},{"location":"2015/01/04/secure-secure-shell/","title":"Secure Secure Shell","text":"Originally published on 1/4/2015 by stribika at: https://blog.stribik.technology/2015/01/04/secure-secure-shell.html  Mirrored to preserve information. Minor changes have been made, and this is noted where applicable. Also see: https://security.stackexchange.com/questions/143442/what-are-ssh-keygen-best-practices  \ud83d\udcdd NOTE: Despite this article's age, we've yet to come across a better source of information with regard to SSH configuration.  <ul> <li>Skip to the good part.</li> </ul> <p>You may have heard that the NSA can decrypt SSH at least some of the time. If you have not, then read the latest batch of Snowden documents now. All of it. This post will still be here when you finish. My goal with this post here is to make NSA analysts sad.</p> <p>TL;DR: Scan this post for fixed width fonts, these will be the config file snippets and commands you have to use.</p> <p>Warning: You will need a recent OpenSSH version. It should work with 6.5 but I have only tested 6.7 and connections to Github. Here is a good compatibility matrix.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#the-crypto","title":"The crypto","text":"<p>Reading the documents, I have the feeling that the NSA can 1) decrypt weak crypto and 2) steal keys. Let's focus on the crypto first. SSH supports different key exchange algorithms, ciphers and message authentication codes. The server and the client choose a set of algorithms supported by both, then proceed with the key exchange. Some of the supported algorithms are not so great and should be disabled completely. This hurts interoperability but everyone uses OpenSSH anyway. Fortunately, downgrade attacks are not possible because the supported algorithm lists are included in the key derivation. If a man in the middle were to change the lists, then the server and the client would calculate different keys.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#key-exchange","title":"Key exchange","text":"<p>There are basically two ways to do key exchange: Diffie-Hellman and Elliptic Curve Diffie-Hellman. Both provide forward secrecy which the NSA hates because they can't use passive collection and key recovery later. The server and the client will end up with a shared secret number at the end without a passive eavesdropper learning anything about this number. After we have a shared secret we have to derive a cryptographic key from this using a key derivation function. In case of SSH, this is a hash function. Collision attacks on this hash function have been proven to allow downgrade attacks.</p> <p>DH works with a multiplicative group of integers modulo a prime. Its security is based on the hardness of the discrete logarithm problem.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#alice-bob","title":"<pre><code>Alice Bob\n<p>Sa = random\nPa = g^Sa --&gt; Pa\nSb = random\nPb &lt;-- Pb = g^Sb\ns = Pb^Sa s = Pa^Sb\nk = KDF(s) k = KDF(s)</p>\n<p>ECDH works with elliptic curves over finite fields.\nIts security is based on the hardness of the elliptic curve discrete logarithm problem.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#alice-bob_1","title":"<pre><code>Alice Bob\n<p>Sa = random\nPa = Sa G --&gt; Pa\nSb = random\nPb &lt;-- Pb = Sb G\ns = Sa Pb s = Sb Pa\nk = KDF(s) k = KDF(s)</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#sshd-configuration","title":"SSHD Configuration\n\n<p>NOTE: Emphasis added, it was not present in the originally published article.\nKey exchange 1 (curve25519-sha256) alone is ideal, 8 is also acceptable for interoperability.</p>\n\n<p>OpenSSH supports 11 key exchange protocols:</p>\n<ol>\n<li>curve25519-sha256: ECDH over Curve25519 with SHA2</li>\n<li>diffie-hellman-group1-sha1: 1024 bit DH with SHA1</li>\n<li>diffie-hellman-group14-sha1: 2048 bit DH with SHA1</li>\n<li>diffie-hellman-group14-sha256: 2048 bit DH with SHA2</li>\n<li>diffie-hellman-group16-sha512: 4096 bit DH with SHA2</li>\n<li>diffie-hellman-group18-sha512: 8192 bit DH with SHA2</li>\n<li>diffie-hellman-group-exchange-sha1: Custom DH with SHA1</li>\n<li>diffie-hellman-group-exchange-sha256: Custom DH with SHA2</li>\n<li>ecdh-sha2-nistp256: ECDH over NIST P-256 with SHA2</li>\n<li>ecdh-sha2-nistp384: ECDH over NIST P-384 with SHA2</li>\n<li>ecdh-sha2-nistp521: ECDH over NIST P-521 with SHA2</li>\n</ol>\n<p>We have to look at 3 things here:</p>\n<ul>\n<li>ECDH curve choice:\n  This eliminates 9-11 because NIST curves suck.\n  They leak secrets through timing side channels and off-curve inputs.\n  Also, NIST is considered harmful and cannot be trusted.</li>\n<li>Bit size of the DH modulus:\n  This eliminates 2 because the NSA has supercomputers and possibly unknown attacks.\n  1024 bits simply don't offer sufficient security margin.</li>\n<li>Security of the hash function:\n  This eliminates 2, 3, and 7 because SHA1 is broken.\n  We don't have to wait for a second preimage attack that takes 10 minutes on a cellphone to disable it right now.</li>\n</ul>\n<p>We are left with 1 and 8, as well as 4-6 which were added in OpenSSH 7.3.\n1 is better and it's perfectly OK to only support that but for interoperability (with Eclipse, WinSCP), 8 can be included.</p>\n\n<p>NOTE: 8 should no longer be necessary in newer versions of WinSCP. If in doubt, test with only 1 first. Add 8 if it won't connect otherwise.</p>\n\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code># Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.\n#Host github.com\n#    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1\n\nHost *\n    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256</code></pre>\n\n\n<p>NOTE: GitHub should no longer need a separate setting, as they've transitioned away from SSH keys. They should not require an exception regardless.</p>\n\n<p>If you chose to enable 8, open <code>/etc/ssh/moduli</code> if exists, and delete lines where the 5th column is less than 2000.</p>\n<pre><code>awk '$5 &gt; 2000' /etc/ssh/moduli &gt; \"${HOME}/moduli\"\nwc -l \"${HOME}/moduli\" # make sure there is something left\nmv \"${HOME}/moduli\" /etc/ssh/moduli</code></pre>\n\n<p>If it does not exist, create it:</p>\n<pre><code>ssh-keygen -G /etc/ssh/moduli.all -b 4096\nssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all\nmv /etc/ssh/moduli.safe /etc/ssh/moduli\nrm /etc/ssh/moduli.all</code></pre>\n\n<p>This will take a while so continue while it's running.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#authentication","title":"Authentication\n<p>The key exchange ensures that the server and the client shares a secret no one else knows.\nWe also have to make sure that they share this secret with each other and not an NSA analyst.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#server-authentication","title":"Server authentication","text":"<p>The server proves its identity to the client by signing the key resulting from the key exchange.\nThere are 4 public key algorithms for authentication:</p>\n<ol>\n<li>DSA with SHA1</li>\n<li>ECDSA with SHA256, SHA384 or SHA512 depending on key size</li>\n<li>Ed25519 with SHA512</li>\n<li>RSA with SHA1</li>\n</ol>\n<p>DSA keys must be exactly 1024 bits so let's disable that.\nNumber 2 here involves NIST suckage and should be disabled as well.\nAnother important disadvantage of DSA and ECDSA is that it uses randomness for each signature.\nIf the random numbers are not the best quality, then it is possible to recover the secret key.\nFortunately, RSA using SHA1 is not a problem here because the value being signed is actually a SHA2 hash.\nThe hash function SHA1(SHA2(x)) is just as secure as SHA2 (it has less bits of course but no better attacks).</p>\n<pre><code>Protocol 2\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key</code></pre>\n\n<p>The first time you connect to your server, you will be asked to accept the new fingerprint.</p>\n<p>This will also disable the horribly broken v1 protocol that you should not have enabled in the first place.\nWe should remove the unused keys and only generate a large RSA key and an Ed25519 key.\nYour init scripts may recreate the unused keys.\nIf you don't want that, remove any <code>ssh-keygen</code> commands from the init script.</p>\n<pre><code>cd /etc/ssh\nrm ssh_host_*key*\nssh-keygen -t ed25519 -f ssh_host_ed25519_key -N \"\" &lt; /dev/null\nssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N \"\" &lt; /dev/null</code></pre>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#client-authentication","title":"Client authentication","text":"<p>The client must prove its identity to the server as well.\nThere are various methods to do that.</p>\n<p>The simplest is password authentication.\nThis should be disabled immediately after setting up a more secure method because it allows compromised servers to steal passwords.\nPassword authentication is also more vulnerable to online bruteforce attacks.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>PasswordAuthentication no\nChallengeResponseAuthentication no</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    PasswordAuthentication no\n    ChallengeResponseAuthentication no</code></pre>\n\n<p>The most common and secure method is public key authentication, basically the same process as the server authentication.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>PubkeyAuthentication yes</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    PubkeyAuthentication yes\n    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa</code></pre>\n\n<p>Generate client keys using the following commands:</p>\n<pre><code>ssh-keygen -t ed25519 -o -a 100\nssh-keygen -t rsa -b 4096 -o -a 100</code></pre>\n\n<p>You can deploy your new client public keys using <code>ssh-copy-id</code>.</p>\n<p>It is also possible to use OTP authentication to reduce the consequences of lost passwords.\nGoogle Authenticator is a nice implementation of TOTP, or Timebased One Time Password.\nYou can also use a printed list of one time passwords or any other PAM module, really, if you enable <code>ChallengeResponseAuthentication</code>.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#user-authentication","title":"User Authentication","text":"<p>Even with Public Key authentication, you should only allow incoming connections from expected users. The <code>AllowUsers</code> setting in <code>sshd_config</code> lets you specify users who are allowed to connect, but this can get complicated with a large number of ssh users. Additionally, when deleting a user from the system, the username is not removed from <code>sshd_config</code>, which adds to maintenance requirements. The solution is to use the <code>AllowGroups</code> setting instead, and add users to an <code>ssh-user</code> group.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>AllowGroups ssh-user</code></pre>\n\n<p>Create the ssh-user group with <code>sudo groupadd ssh-user</code>, then add each ssh user to the group with <code>sudo usermod -a -G ssh-user &lt;username&gt;</code>.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#symmetric-ciphers","title":"Symmetric ciphers\n\n<p>NOTE: Emphasis added.</p>\n\n<p>Symmetric ciphers are used to encrypt the data after the initial key exchange and authentication is complete.</p>\n<p>Here we have quite a few algorithms (10-14 were removed in OpenSSH 7.6):</p>\n<ol>\n<li>3des-cbc</li>\n<li>aes128-cbc</li>\n<li>aes192-cbc</li>\n<li>aes256-cbc</li>\n<li>aes128-ctr</li>\n<li>aes192-ctr</li>\n<li>aes256-ctr</li>\n<li>aes128-gcm@openssh.com</li>\n<li>aes256-gcm@openssh.com</li>\n<li>arcfour</li>\n<li>arcfour128</li>\n<li>arcfour256</li>\n<li>blowfish-cbc</li>\n<li>cast128-cbc</li>\n<li>chacha20-poly1305@openssh.com</li>\n</ol>\n<p>We have to consider the following:</p>\n<ul>\n<li>Security of the cipher algorithm:\n  This eliminates 1 and 10-12 - both DES and RC4 are broken.\n  Again, no need to wait for them to become even weaker, disable them now.</li>\n<li>Key size:\n  At least 128 bits, the more the better.</li>\n<li>Block size:\n  Does not apply to stream ciphers.\n  At least 128 bits.\n  This eliminates 13 and 14 because those have a 64 bit block size.</li>\n<li>Cipher mode:\n  The recommended approach here is to prefer AE modes and optionally allow CTR for compatibility.\n  CTR with Encrypt-then-MAC is provably secure.</li>\n</ul>\n<p>Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does not encrypt message sizes when GCM (or EtM) is in use.\nThis allows some traffic analysis even without decrypting the data.\nWe will deal with that soon.</p>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</code></pre>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#message-authentication-codes","title":"Message authentication codes\n\n<p>Emphasis added.</p>\n\n<p>Encryption provides confidentiality, message authentication code provides integrity.\nWe need both.\nIf an AE cipher mode is selected, then extra MACs are not used, the integrity is already given.\nIf CTR is selected, then we need a MAC to calculate and attach a tag to every message.</p>\n<p>There are multiple ways to combine ciphers and MACs - not all of these are useful.\nThe 3 most common:</p>\n<ul>\n<li>Encrypt-then-MAC: encrypt the message, then attach the MAC of the ciphertext.</li>\n<li>MAC-then-encrypt: attach the MAC of the plaintext, then encrypt everything.</li>\n<li>Encrypt-and-MAC: encrypt the message, then attach the MAC of the plaintext.</li>\n</ul>\n<p>Only Encrypt-then-MAC should be used, period.\nUsing MAC-then-encrypt have lead to many attacks on TLS while Encrypt-and-MAC have lead to not quite that many attacks on SSH.\nThe reason for this is that the more you fiddle with an attacker provided message, the more chance the attacker has to gain information through side channels.\nIn case of Encrypt-then-MAC, the MAC is verified and if incorrect, discarded.\nBoom, one step, no timing channels.\nIn case of MAC-then-encrypt, first the attacker provided message has to be decrypted and only then can you verify it.\nDecryption failure (due to invalid CBC padding for example) may take less time than verification failure.\nEncrypt-and-MAC also has to be decrypted first, leading to the same kind of potential side channels.\nIt's even worse because no one said that a MAC's output can't leak what its input was.\nSSH by default, uses this method.</p>\n<p>Here are the available MAC choices:</p>\n<ol>\n<li>hmac-md5</li>\n<li>hmac-md5-96</li>\n<li>hmac-sha1</li>\n<li>hmac-sha1-96</li>\n<li>hmac-sha2-256</li>\n<li>hmac-sha2-512</li>\n<li>umac-64</li>\n<li>umac-128</li>\n<li>hmac-md5-etm@openssh.com</li>\n<li>hmac-md5-96-etm@openssh.com</li>\n<li>hmac-sha1-etm@openssh.com</li>\n<li>hmac-sha1-96-etm@openssh.com</li>\n<li>hmac-sha2-256-etm@openssh.com</li>\n<li>hmac-sha2-512-etm@openssh.com</li>\n<li>umac-64-etm@openssh.com</li>\n<li>umac-128-etm@openssh.com</li>\n</ol>\n<p>The selection considerations:</p>\n<ul>\n<li>Security of the hash algorithm:\n  No MD5 and SHA1.\n  Yes, I know that HMAC-SHA1 does not need collision resistance but why wait?\n  Disable weak crypto today.</li>\n<li>Encrypt-then-MAC:\n  I am not aware of a security proof for CTR-and-HMAC but I also don't think CTR decryption can fail.\n  Since there are no downgrade attacks, you can add them to the end of the list.\n  You can also do this on a host by host basis so you know which ones are less safe.</li>\n<li>Tag size:\n  At least 128 bits.\n  This eliminates umac-64-etm.</li>\n<li>Key size:\n  At least 128 bits.\n  This doesn't eliminate anything at this point.</li>\n</ul>\n<p>Recommended <code>/etc/ssh/sshd_config</code> snippet:</p>\n<pre><code>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com</code></pre>\n\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com</code></pre>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#preventing-key-theft","title":"Preventing key theft","text":"<p>Even with forward secrecy the secret keys must be kept secret.\nThe NSA has a database of stolen keys - you do not want your key there.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#system-hardening","title":"System hardening\n<p>OpenSSH has some undocumented, and rarely used features.\nUseRoaming is one such feature with a known vulnerability.</p>\n<p>Recommended <code>/etc/ssh/ssh_config</code> snippet:</p>\n<pre><code>Host *\n   UseRoaming no</code></pre>\n\n<p>This post is not intended to be a comprehensive system security guide.\nVery briefly:</p>\n<ul>\n<li>Don't install what you don't need:\n  Every single line of code has a chance of containing a bug.\n  Some of these bugs are security holes.\n  Fewer lines, fewer holes.</li>\n<li>Use free software:\n  As in speech.\n  You want to use code that's actually reviewed or that you can review yourself.\n  There is no way to achieve that without source code.\n  Someone may have reviewed proprietary crap but who knows.</li>\n<li>Keep your software up to date:\n  New versions often fix critical security holes.</li>\n<li>Exploit mitigation:\n  Sad but true - there will always be security holes in your software.\n  There are things you can do to prevent their exploitation, such as GCC's -fstack-protector.\n  One of the best security projects out there is Grsecurity.\n  Use it or use OpenBSD.</li>\n</ul>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#traffic-analysis-resistance","title":"Traffic analysis resistance\n<p>Set up Tor hidden services for your SSH servers.\nThis has multiple advantages.\nIt provides an additional layer of encryption and server authentication.\nPeople looking at your traffic will not know your IP, so they will be unable to scan and target other services running on the same server and client.\nAttackers can still attack these services but don't know if it has anything to do with the observed traffic until they actually break in.</p>\n<p>Now this is only true if you don't disclose your SSH server's fingerprint in any other way.\nYou should only accept connections from the hidden service or from LAN, if required.</p>\n<p>If you don't need LAN access, you can add the following line to <code>/etc/ssh/sshd_config</code>:</p>\n<pre><code>ListenAddress 127.0.0.1:22</code></pre>\n\n<p>Add this to <code>/etc/tor/torrc</code>:</p>\n<pre><code>HiddenServiceDir /var/lib/tor/hidden_service/ssh\nHiddenServicePort 22 127.0.0.1:22</code></pre>\n\n<p>You will find the hostname you have to use in <code>/var/lib/tor/hidden_service/ssh/hostname</code>.\nYou also have to configure the client to use Tor.\nFor this, socat will be needed.\nAdd the following line to <code>/etc/ssh/ssh_config</code>:</p>\n<pre><code>Host *.onion\n    ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050\n\nHost *\n    ...</code></pre>\n\n<p>If you want to allow connections from LAN, don't use the <code>ListenAddress</code> line, configure your firewall instead.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#key-storage","title":"Key storage\n<p>You should encrypt your client key files using a strong password.\nAdditionally, you can use <code>ssh-keygen -o -a $number</code> to slow down cracking attempts by iterating the hash function many times.\nYou may want to store them on a pendrive and only plug it in when you want to use SSH.\nAre you more likely to lose your pendrive or have your system compromised?\nI don't know.</p>\n<p>Unfortunately, you can't encrypt your server key and it must be always available, or else sshd won't start.\nThe only thing protecting it is OS access controls.</p>","text":"","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#the-end","title":"The end","text":"<p>It's probably a good idea to test the changes.\n<code>ssh -v</code> will print the selected algorithms and also makes problems easier to spot.\nBe extremely careful when configuring SSH on a remote host.\nAlways keep an active session, never restart sshd.\nInstead you can send the <code>SIGHUP</code> signal to reload the configuration without killing your session.\nYou can be even more careful by starting a new sshd instance on a different port and testing that.</p>\n<p>Can you make these changes?\nIf the answer is yes, then...</p>\n<p></p>\n<p>If the answer is no, it's probably due to compatibility problems.\nYou can try to convince the other side to upgrade their security and turn it into a yes.\nI have created a wiki page where anyone can add config files for preserving compatibility with various SSH implementations and SSH based services.</p>\n<p>If you work for a big company and change management doesn't let you do it, I'm sorry.\nI've seen the v1 protocol enabled in such places.\nThere is no chance of improvement.\nGive up to preseve your sanity.</p>\n<p>Special thanks to the people of Twitter for the improvements.</p>","tags":["security","post"]},{"location":"2015/01/04/secure-secure-shell/#changelog","title":"ChangeLog","text":"<p>You may have noticed that this document changed since last time.\nI want to be very transparent about this.\nThere were three major changes:</p>\n<ul>\n<li>After some debate and going back and forth between including GCM or not, it's now back again.\n  The reason for dropping it was that SSH doesn't encrypt packet sizes when using GCM.\n  The reason for bringing it back is that SSH does the same with any EtM algorithms.\n  There is no way around this unless you can live with chacha20-poly1305 only.\n  Also, the leaked documents don't sound like they can figure out the lengths or confirm presence of some things, more like straight up \"send it to us and we'll decrypt it for you\".\n  Wrapping SSH in a Tor hidden service will take care of any traffic analysis concerns.</li>\n<li>I'm now allowing Encrypt-and-MAC algorithms with CTR ciphers as a last resort.\n  I initially thought it was possible to use downgrade attacks, I now think it is not.</li>\n<li>I briefly disabled RSA because it uses SHA1, this turned out to be a non-issue because we're signing SHA2 hashes.</li>\n</ul>\n<p>You can see the full list of changes on github.\nI promise not to use <code>git push -f</code>.</p>\n\n\n\n<p>Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies.</p>\n\n<p>Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.</p>","tags":["security","post"]},{"location":"archive/2025/","title":"April 2025","text":""},{"location":"archive/2015/","title":"January 2015","text":""},{"location":"category/security/","title":"Security","text":""}]}

package/sitemap.xml

@@ -2,42 +2,38 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
          <loc>https://blog.netwk.pro/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
-         <loc>https://blog.netwk.pro/ATTRIBUTION/</loc>
-         <lastmod>2025-05-10</lastmod>
-    </url>
-    <url>
-         <loc>https://blog.netwk.pro/CONDUCT/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <loc>https://blog.netwk.pro/contributing/</loc>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
          <loc>https://blog.netwk.pro/tags/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
          <loc>https://blog.netwk.pro/author/team/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
          <loc>https://blog.netwk.pro/2025/04/30/our-blog-is-live/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
          <loc>https://blog.netwk.pro/2015/01/04/secure-secure-shell/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
          <loc>https://blog.netwk.pro/archive/2025/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
          <loc>https://blog.netwk.pro/archive/2015/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
     <url>
          <loc>https://blog.netwk.pro/category/security/</loc>
-         <lastmod>2025-05-10</lastmod>
+         <lastmod>2025-05-11</lastmod>
     </url>
 </urlset>