npm - @networkpro/web - Versions diffs - 0.10.19 → 0.11.0 - Mend

@networkpro/web 0.10.19 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/docs/search/search_index.json ADDED Viewed

@@ -0,0 +1 @@

+ {"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"About Us","text":"SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code> ","tags":["about","network-pro","documentation"]},{"location":"#network-pro-strategies","title":"Network Pro Strategies","text":"","tags":["about","network-pro","documentation"]},{"location":"#securing-your-business-with-expertise-innovation","title":"Securing Your Business with Expertise & Innovation","text":"At Network Pro\u2122, we bring over a decade of expertise in networking, cybersecurity, information security, and IT to help businesses stay secure, compliant, and resilient. We specialize in network security, cybersecurity, and privacy consulting, offering both strategic advisory services and hands-on implementation to protect critical infrastructure and minimize risk.","tags":["about","network-pro","documentation"]},{"location":"#why-network-protm","title":"Why Network Pro\u2122?","text":"\u2714 Security with a Business Focus \u2013 Our approach goes beyond just protection. We integrate cutting-edge security solutions with your business objectives, ensuring optimized operations and long-term resilience. \u2714 Expert-Led Consulting & Implementation \u2013 Whether you need strategic guidance or real-world deployment, we tailor solutions to fit your unique security challenges. \u2714 Advocacy & Education \u2013 We\u2019re committed to empowering businesses, policymakers, and the public with the knowledge and tools needed to navigate today\u2019s complex digital landscape. Our blend of deep technical expertise and business insight ensures that security is not just a safeguard\u2014it\u2019s a strategic advantage that enhances efficiency, customer trust, and operational excellence. \ud83d\udd39 Let\u2019s connect to discuss how we can help secure and strengthen your business today. You can find our PGP keys and a vCard containing our contact information for your convenience below. support@neteng.proPGP Key (ed25519) aexpk / asc 6590b992e2e3eff127387bce2af093e9dec61ba0 github@sl.neteng.ccPGP Key (ed25519) aexpk / asc e8b4f1193b21601207b080bbaebbb8f6d4bb723b vCard vcf Back to top Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies. Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.","tags":["about","network-pro","documentation"]},{"location":"conduct/","title":"Contributor Covenant Code of Conduct","text":"SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code> ","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#contributor-covenant-code-of-conduct","title":"Contributor Covenant Code of Conduct","text":"Network Pro Strategies Effective Date: 3/21/2025 ","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#contents","title":"Contents","text":"<ul> <li>Our Pledge</li> <li>Our Standards</li> <li>Responsibilities</li> <li>Scope</li> <li>Enforcement</li> <li>Attribution</li> </ul>","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#our-pledge","title":"Our Pledge","text":"We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation. We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community. Back to top ","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#our-standards","title":"Our Standards","text":"Examples of behavior that contributes to a positive environment for our community include: <ul> <li>Demonstrating empathy and kindness toward other people</li> <li>Being respectful of differing opinions, viewpoints, and experiences</li> <li>Giving and gracefully accepting constructive feedback</li> <li>Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience</li> <li>Focusing on what is best not just for us as individuals, but for the overall community</li> </ul> Examples of unacceptable behavior include: <ul> <li>The use of sexualized language or imagery, and sexual attention or advances of any kind</li> <li>Trolling, insulting or derogatory comments, and personal or political attacks</li> <li>Public or private harassment</li> <li>Publishing others' private information, such as a physical or email address, without their explicit permission</li> <li>Other conduct which could reasonably be considered inappropriate in a professional setting</li> </ul> Back to top ","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#responsibilities","title":"Responsibilities","text":"Company and community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful. Company and community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate. Network Pro Strategies reserves the right, at its sole discretion, to remove, edit, or reject any contributions that are contrary to or detrimental to its business interests. Back to top ","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#scope","title":"Scope","text":"This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the company or community in public spaces. Examples of representing our company or community include using an official email address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Back to top ","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#enforcement","title":"Enforcement","text":"Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the abuse team at abuse@neteng.pro. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The abuse team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project\u2019s leadership. Back to top ","tags":["code-of-conduct","network-pro","documentation"]},{"location":"conduct/#attribution","title":"Attribution","text":"This Code of Conduct is adapted from the Contributor Covenant, version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html. The Enforcement section is adapted from the Contributor Covenant, version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct/. For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations. Back to top Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies. Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.","tags":["code-of-conduct","network-pro","documentation"]},{"location":"legal/","title":"Legal, Copyright, and Licensing","text":"SPDX-License-Identifier: <code>CC-BY-4.0 OR GPL-3.0-or-later</code> ","tags":["legal","network-pro","documentation"]},{"location":"legal/#legal-copyright-and-licensing","title":"Legal, Copyright, and Licensing","text":"Network Pro Strategies Effective Date: April 21, 2025 ","tags":["legal","network-pro","documentation"]},{"location":"legal/#table-of-contents","title":"Table of Contents","text":"<ol> <li>Copyright</li> <li>Trademark Ownership</li> <li>Restrictions on Branding and Graphics</li> <li>Licensed Material Definition</li> <li>License Terms</li> <li>Dual Licensing Notes</li> <li>Creative Commons License (CC BY 4.0)</li> <li>GNU General Public License (GPL)</li> <li>Third-Party Code and Licenses</li> <li>Prohibited Uses</li> <li>Modifications and Liability Disclaimer</li> <li>Contact</li> <li>Revisions</li> <li>Attribution</li> </ol> Formats Available: HTML | Markdown ","tags":["legal","network-pro","documentation"]},{"location":"legal/#1-copyright","title":"1. Copyright","text":"All content\u2014including text, software, logos, graphics, documentation, and other materials\u2014provided by Network Pro Strategies (\u201cNetwork Pro\u201d, \u201cCompany\u201d, \u201cLicensor\u201d) is protected by U.S. and international copyright laws. Copyright \u00a9 2025 Network Pro Strategies (Network Pro\u2122) ","tags":["legal","network-pro","documentation"]},{"location":"legal/#2-trademark-ownership","title":"2. Trademark Ownership","text":"The following trademarks are the exclusive property of the Company: <ul> <li>Brand Name: Network Pro\u2122</li> <li>Domain Names: netwk.pro, neteng.pro, neteng.cc</li> <li>Logo: The shield logo displayed on our homepage</li> <li>Slogan: \"Locking Down Networks, Unlocking Confidence\u2122\"</li> </ul> Unauthorized use\u2014including use likely to cause confusion, misrepresentation, or disparagement\u2014is strictly prohibited. Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#3-restrictions-on-branding-and-graphics","title":"3. Restrictions on Branding and Graphics","text":"Licensing under CC BY 4.0 or the GNU GPL expressly excludes any rights to use the Company\u2019s trademarks, trade dress, logos, visual branding, or other proprietary identifiers. Such elements are not part of the Licensed Material and remain the exclusive property of the Company. Any use of these elements\u2014including within derivative works or promotional content\u2014requires the Company\u2019s prior written consent. Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#4-licensed-material-definition","title":"4. Licensed Material Definition","text":"\u201cLicensed Material\u201d refers solely to the publicly available code and documentation distributed through the Company\u2019s open repositories and websites. It expressly excludes all third-party content, proprietary brand assets (including logos, trademarks, and visual designs), and any internal or commercial backend systems. For clarity, the Company itself is not licensed under, nor subject to, the terms of the open-source or content licenses described in this document. Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#5-license-terms","title":"5. License Terms","text":"This work is dual-licensed under: <ul> <li>Creative Commons Attribution 4.0 International (CC BY 4.0)</li> <li>GNU General Public License v3.0 or later (GNU GPL)</li> </ul> ","tags":["legal","network-pro","documentation"]},{"location":"legal/#6-dual-licensing-notes","title":"6. Dual Licensing Notes","text":"<ul> <li>You may choose to use the work under either license, or both where appropriate.</li> <li>See Creative Commons FAQ: Separate agreements</li> <li>See GPL compatibility: GPL FAQ</li> </ul> Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#6-creative-commons-license-cc-by-40","title":"6. Creative Commons License (CC BY 4.0)","text":"Formats: HTML | Markdown | Text | RDFa | XMP Network Pro\u2122 (the \"Licensed Material\") is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0) . Per the terms of the License, you are free to distribute, remix, adapt, and build upon the Licensed Material for any purpose, even commercially. You must give appropriate credit, provide a link to the License, and indicate if changes were made. Permissions beyond the scope of this License\u2014or instead of those permitted by this License\u2014may be available as further defined within this document. <code> <ul> <li>SPDX Reference: https://spdx.org/licenses/CC-BY-4.0.html</li> <li>Canonical URL: https://creativecommons.org/licenses/by/4.0/</li> </ul> Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#7-gnu-general-public-license-gpl","title":"7. GNU General Public License (GPL)","text":"Formats: HTML | Markdown | Text | RDFa | ODT Network Pro\u2122 is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License (GNU GPL) as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. You should have received a copy of the GNU General Public License along with this material. If not, see <https://www.gnu.org/licenses/>. <code> <ul> <li>SPDX Reference: https://spdx.org/licenses/GPL-3.0-or-later.html</li> <li>Canonical URL: https://www.gnu.org/licenses/gpl-3.0.html</li> </ul> Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#9-third-party-code-and-licenses","title":"9. Third-Party Code and Licenses","text":"Some components of the Licensed Material may include or interface with third-party libraries, frameworks, or assets. Each third-party component is governed solely by its own license terms and is expressly excluded from the scope of this document. The inclusion, reference, or linking of any third-party content does not constitute endorsement, approval, or warranty by the Company. It is the user's responsibility to review, understand, and comply with all applicable third-party licenses before use, modification, or distribution. Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#9-prohibited-uses","title":"9. Prohibited Uses","text":"The following activities are strictly prohibited and may constitute infringement or unfair competition under applicable law, unless explicitly authorized in writing by the Company: <ul> <li>Use of any Company trademarks, logos, domain names, slogans, or other brand identifiers</li> <li>Any representation\u2014explicit or implied\u2014that suggests endorsement, affiliation, or partnership with the Company</li> <li>Misuse, unauthorized use, or misrepresentation of the Company\u2019s intellectual property</li> <li>Incorporation of any Company branding or protected identifiers into derivative works, forks, distributions, or promotional materials</li> </ul> Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#10-modifications-and-liability-disclaimer","title":"10. Modifications and Liability Disclaimer","text":"Modifications, redistribution, or any use of the Licensed Material are performed entirely at your own risk. THE LICENSED MATERIAL IS PROVIDED \u201cAS IS\u201d AND \u201cAS AVAILABLE,\u201d WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE COMPANY DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ACCURACY. The Company shall not be liable for any direct, indirect, incidental, consequential, special, exemplary, or punitive damages arising from or related to the use, reproduction, modification, or distribution of the Licensed Material\u2014including, without limitation, any claims or disputes brought by third parties, whether in contract, tort, or otherwise. Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#11-contact","title":"11. Contact","text":"The Company may be contacted via our contact form or by email at: \ud83d\udce7 <code>support (at) neteng.pro</code> Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#12-revisions","title":"12. Revisions","text":"This legal page may be updated to comply with legal or operational changes. The current effective date is listed at the top of this document. Back to top ","tags":["legal","network-pro","documentation"]},{"location":"legal/#13-attribution","title":"13. Attribution","text":"Website base structure provided by HTML5 Boilerplate: <https://html5boilerplate.com/>> <pre><code>Copyright (c) HTML5 Boilerplate\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n</code></pre> Back to top Network Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies. Licensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.","tags":["legal","network-pro","documentation"]},{"location":"secure-secure-shell/","title":"Secure Secure Shell","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#secure-secure-shell","title":"Secure Secure Shell","text":"Originally published on 1/4/2015 as \"Secure Secure Shell\" by stribika at: https://blog.stribik.technology/2015/01/04/secure-secure-shell.html Mirrored to preserve information. Minor changes have been made. This is noted where applicable. Also see: https://security.stackexchange.com/questions/143442/what-are-ssh-keygen-best-practices \ud83d\udcdd NOTE: Despite this article's age, we've yet to come across a better source of information with regard to SSH configuration. <ul> <li>Skip to the good part.</li> </ul> You may have heard that the NSA can decrypt SSH at least some of the time. If you have not, then read the latest batch of Snowden documents now. All of it. This post will still be here when you finish. My goal with this post here is to make NSA analysts sad. TL;DR: Scan this post for fixed width fonts, these will be the config file snippets and commands you have to use. Warning: You will need a recent OpenSSH version. It should work with 6.5 but I have only tested 6.7 and connections to Github. Here is a good compatibility matrix.","tags":["security","documentation"]},{"location":"secure-secure-shell/#the-crypto","title":"The crypto","text":"Reading the documents, I have the feeling that the NSA can 1) decrypt weak crypto and 2) steal keys. Let's focus on the crypto first. SSH supports different key exchange algorithms, ciphers and message authentication codes. The server and the client choose a set of algorithms supported by both, then proceed with the key exchange. Some of the supported algorithms are not so great and should be disabled completely. This hurts interoperability but everyone uses OpenSSH anyway. Fortunately, downgrade attacks are not possible because the supported algorithm lists are included in the key derivation. If a man in the middle were to change the lists, then the server and the client would calculate different keys.","tags":["security","documentation"]},{"location":"secure-secure-shell/#key-exchange","title":"Key exchange","text":"There are basically two ways to do key exchange: Diffie-Hellman and Elliptic Curve Diffie-Hellman. Both provide forward secrecy which the NSA hates because they can't use passive collection and key recovery later. The server and the client will end up with a shared secret number at the end without a passive eavesdropper learning anything about this number. After we have a shared secret we have to derive a cryptographic key from this using a key derivation function. In case of SSH, this is a hash function. Collision attacks on this hash function have been proven to allow downgrade attacks. DH works with a multiplicative group of integers modulo a prime. Its security is based on the hardness of the discrete logarithm problem.","tags":["security","documentation"]},{"location":"secure-secure-shell/#alice-bob","title":"<pre><code>Alice Bob\nSa = random\nPa = g^Sa --> Pa\nSb = random\nPb <-- Pb = g^Sb\ns = Pb^Sa s = Pa^Sb\nk = KDF(s) k = KDF(s)\nECDH works with elliptic curves over finite fields.\nIts security is based on the hardness of the elliptic curve discrete logarithm problem.","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#alice-bob_1","title":"<pre><code>Alice Bob\nSa = random\nPa = Sa G --> Pa\nSb = random\nPb <-- Pb = Sb G\ns = Sa Pb s = Sb Pa\nk = KDF(s) k = KDF(s)","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#sshd-configuration","title":"SSHD Configuration\n\nEmphasis added, it was not present in the originally published article.\nKey exchange 1 (curve25519-sha256) is ideal, 8 is also acceptable.\n\nOpenSSH supports 11 key exchange protocols:\n<ol>\n<li>curve25519-sha256: ECDH over Curve25519 with SHA2</li>\n<li>~~diffie-hellman-group1-sha1: 1024 bit DH with SHA1~~</li>\n<li>~~diffie-hellman-group14-sha1: 2048 bit DH with SHA1~~</li>\n<li>diffie-hellman-group14-sha256: 2048 bit DH with SHA2</li>\n<li>diffie-hellman-group16-sha512: 4096 bit DH with SHA2</li>\n<li>diffie-hellman-group18-sha512: 8192 bit DH with SHA2</li>\n<li>~~diffie-hellman-group-exchange-sha1: Custom DH with SHA1~~</li>\n<li>diffie-hellman-group-exchange-sha256: Custom DH with SHA2</li>\n<li>~~ecdh-sha2-nistp256: ECDH over NIST P-256 with SHA2~~</li>\n<li>~~ecdh-sha2-nistp384: ECDH over NIST P-384 with SHA2~~</li>\n<li>~~ecdh-sha2-nistp521: ECDH over NIST P-521 with SHA2~~</li>\n</ol>\nWe have to look at 3 things here:\n<ul>\n<li>ECDH curve choice:\n This eliminates 9-11 because NIST curves suck.\n They leak secrets through timing side channels and off-curve inputs.\n Also, NIST is considered harmful and cannot be trusted.</li>\n<li>Bit size of the DH modulus:\n This eliminates 2 because the NSA has supercomputers and possibly unknown attacks.\n 1024 bits simply don't offer sufficient security margin.</li>\n<li>Security of the hash function:\n This eliminates 2, 3, and 7 because SHA1 is broken.\n We don't have to wait for a second preimage attack that takes 10 minutes on a cellphone to disable it right now.</li>\n</ul>\nWe are left with 1 and 8, as well as 4-6 which were added in OpenSSH 7.3.\n1 is better and it's perfectly OK to only support that but for interoperability (with Eclipse, WinSCP), 8 can be included.\nRecommended <code>/etc/ssh/sshd_config</code> snippet:\n<pre><code>KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256</code></pre>\n\nRecommended <code>/etc/ssh/ssh_config</code> snippet:\n<pre><code># Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.\n#Host github.com\n# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1\n\nHost *\n KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256</code></pre>\n\nIf you chose to enable 8, open <code>/etc/ssh/moduli</code> if exists, and delete lines where the 5th column is less than 2000.\n<pre><code>awk '$5 > 2000' /etc/ssh/moduli > \"${HOME}/moduli\"\nwc -l \"${HOME}/moduli\" # make sure there is something left\nmv \"${HOME}/moduli\" /etc/ssh/moduli</code></pre>\n\nIf it does not exist, create it:\n<pre><code>ssh-keygen -G /etc/ssh/moduli.all -b 4096\nssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all\nmv /etc/ssh/moduli.safe /etc/ssh/moduli\nrm /etc/ssh/moduli.all</code></pre>\n\nThis will take a while so continue while it's running.","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#authentication","title":"Authentication\nThe key exchange ensures that the server and the client shares a secret no one else knows.\nWe also have to make sure that they share this secret with each other and not an NSA analyst.","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#server-authentication","title":"Server authentication","text":"The server proves its identity to the client by signing the key resulting from the key exchange.\nThere are 4 public key algorithms for authentication:\n<ol>\n<li>DSA with SHA1</li>\n<li>ECDSA with SHA256, SHA384 or SHA512 depending on key size</li>\n<li>Ed25519 with SHA512</li>\n<li>RSA with SHA1</li>\n</ol>\nDSA keys must be exactly 1024 bits so let's disable that.\nNumber 2 here involves NIST suckage and should be disabled as well.\nAnother important disadvantage of DSA and ECDSA is that it uses randomness for each signature.\nIf the random numbers are not the best quality, then it is possible to recover the secret key.\nFortunately, RSA using SHA1 is not a problem here because the value being signed is actually a SHA2 hash.\nThe hash function SHA1(SHA2(x)) is just as secure as SHA2 (it has less bits of course but no better attacks).\n<pre><code>Protocol 2\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key</code></pre>\n\nThe first time you connect to your server, you will be asked to accept the new fingerprint.\nThis will also disable the horribly broken v1 protocol that you should not have enabled in the first place.\nWe should remove the unused keys and only generate a large RSA key and an Ed25519 key.\nYour init scripts may recreate the unused keys.\nIf you don't want that, remove any <code>ssh-keygen</code> commands from the init script.\n<pre><code>cd /etc/ssh\nrm ssh_host_*key*\nssh-keygen -t ed25519 -f ssh_host_ed25519_key -N \"\" < /dev/null\nssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N \"\" < /dev/null</code></pre>","tags":["security","documentation"]},{"location":"secure-secure-shell/#client-authentication","title":"Client authentication","text":"The client must prove its identity to the server as well.\nThere are various methods to do that.\nThe simplest is password authentication.\nThis should be disabled immediately after setting up a more secure method because it allows compromised servers to steal passwords.\nPassword authentication is also more vulnerable to online bruteforce attacks.\nRecommended <code>/etc/ssh/sshd_config</code> snippet:\n<pre><code>PasswordAuthentication no\nChallengeResponseAuthentication no</code></pre>\n\nRecommended <code>/etc/ssh/ssh_config</code> snippet:\n<pre><code>Host *\n PasswordAuthentication no\n ChallengeResponseAuthentication no</code></pre>\n\nThe most common and secure method is public key authentication, basically the same process as the server authentication.\nRecommended <code>/etc/ssh/sshd_config</code> snippet:\n<pre><code>PubkeyAuthentication yes</code></pre>\n\nRecommended <code>/etc/ssh/ssh_config</code> snippet:\n<pre><code>Host *\n PubkeyAuthentication yes\n HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa</code></pre>\n\nGenerate client keys using the following commands:\n<pre><code>ssh-keygen -t ed25519 -o -a 100\nssh-keygen -t rsa -b 4096 -o -a 100</code></pre>\n\nYou can deploy your new client public keys using <code>ssh-copy-id</code>.\nIt is also possible to use OTP authentication to reduce the consequences of lost passwords.\nGoogle Authenticator is a nice implementation of TOTP, or Timebased One Time Password.\nYou can also use a printed list of one time passwords or any other PAM module, really, if you enable <code>ChallengeResponseAuthentication</code>.","tags":["security","documentation"]},{"location":"secure-secure-shell/#user-authentication","title":"User Authentication","text":"Even with Public Key authentication, you should only allow incoming connections from expected users. The <code>AllowUsers</code> setting in <code>sshd_config</code> lets you specify users who are allowed to connect, but this can get complicated with a large number of ssh users. Additionally, when deleting a user from the system, the username is not removed from <code>sshd_config</code>, which adds to maintenance requirements. The solution is to use the <code>AllowGroups</code> setting instead, and add users to an <code>ssh-user</code> group.\nRecommended <code>/etc/ssh/sshd_config</code> snippet:\n<pre><code>AllowGroups ssh-user</code></pre>\n\nCreate the ssh-user group with <code>sudo groupadd ssh-user</code>, then add each ssh user to the group with <code>sudo usermod -a -G ssh-user <username></code>.","tags":["security","documentation"]},{"location":"secure-secure-shell/#symmetric-ciphers","title":"Symmetric ciphers\n\nEmphasis added.\n\nSymmetric ciphers are used to encrypt the data after the initial key exchange and authentication is complete.\nHere we have quite a few algorithms (10-14 were removed in OpenSSH 7.6):\n<ol>\n<li>~~3des-cbc~~</li>\n<li>~~aes128-cbc~~</li>\n<li>~~aes192-cbc~~</li>\n<li>~~aes256-cbc~~</li>\n<li>aes128-ctr</li>\n<li>aes192-ctr</li>\n<li>aes256-ctr</li>\n<li>aes128-gcm@openssh.com</li>\n<li>aes256-gcm@openssh.com</li>\n<li>~~arcfour~~</li>\n<li>~~arcfour128~~</li>\n<li>~~arcfour256~~</li>\n<li>~~blowfish-cbc~~</li>\n<li>~~cast128-cbc~~</li>\n<li>chacha20-poly1305@openssh.com</li>\n</ol>\nWe have to consider the following:\n<ul>\n<li>Security of the cipher algorithm:\n This eliminates 1 and 10-12 - both DES and RC4 are broken.\n Again, no need to wait for them to become even weaker, disable them now.</li>\n<li>Key size:\n At least 128 bits, the more the better.</li>\n<li>Block size:\n Does not apply to stream ciphers.\n At least 128 bits.\n This eliminates 13 and 14 because those have a 64 bit block size.</li>\n<li>Cipher mode:\n The recommended approach here is to prefer AE modes and optionally allow CTR for compatibility.\n CTR with Encrypt-then-MAC is provably secure.</li>\n</ul>\nChacha20-poly1305 is preferred over AES-GCM because the SSH protocol does not encrypt message sizes when GCM (or EtM) is in use.\nThis allows some traffic analysis even without decrypting the data.\nWe will deal with that soon.\nRecommended <code>/etc/ssh/sshd_config</code> snippet:\n<pre><code>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</code></pre>\n\nRecommended <code>/etc/ssh/ssh_config</code> snippet:\n<pre><code>Host *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</code></pre>","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#message-authentication-codes","title":"Message authentication codes\n\nEmphasis added.\n\nEncryption provides confidentiality, message authentication code provides integrity.\nWe need both.\nIf an AE cipher mode is selected, then extra MACs are not used, the integrity is already given.\nIf CTR is selected, then we need a MAC to calculate and attach a tag to every message.\nThere are multiple ways to combine ciphers and MACs - not all of these are useful.\nThe 3 most common:\n<ul>\n<li>Encrypt-then-MAC: encrypt the message, then attach the MAC of the ciphertext.</li>\n<li>MAC-then-encrypt: attach the MAC of the plaintext, then encrypt everything.</li>\n<li>Encrypt-and-MAC: encrypt the message, then attach the MAC of the plaintext.</li>\n</ul>\nOnly Encrypt-then-MAC should be used, period.\nUsing MAC-then-encrypt have lead to many attacks on TLS while Encrypt-and-MAC have lead to not quite that many attacks on SSH.\nThe reason for this is that the more you fiddle with an attacker provided message, the more chance the attacker has to gain information through side channels.\nIn case of Encrypt-then-MAC, the MAC is verified and if incorrect, discarded.\nBoom, one step, no timing channels.\nIn case of MAC-then-encrypt, first the attacker provided message has to be decrypted and only then can you verify it.\nDecryption failure (due to invalid CBC padding for example) may take less time than verification failure.\nEncrypt-and-MAC also has to be decrypted first, leading to the same kind of potential side channels.\nIt's even worse because no one said that a MAC's output can't leak what its input was.\nSSH by default, uses this method.\nHere are the available MAC choices:\n<ol>\n<li>~~hmac-md5~~</li>\n<li>~~hmac-md5-96~~</li>\n<li>~~hmac-sha1~~</li>\n<li>~~hmac-sha1-96~~</li>\n<li>hmac-sha2-256</li>\n<li>hmac-sha2-512</li>\n<li>~~umac-64~~</li>\n<li>umac-128</li>\n<li>~~hmac-md5-etm@openssh.com~~</li>\n<li>~~hmac-md5-96-etm@openssh.com~~</li>\n<li>~~hmac-sha1-etm@openssh.com~~</li>\n<li>~~hmac-sha1-96-etm@openssh.com~~</li>\n<li>hmac-sha2-256-etm@openssh.com</li>\n<li>hmac-sha2-512-etm@openssh.com</li>\n<li>~~umac-64-etm@openssh.com~~</li>\n<li>umac-128-etm@openssh.com</li>\n</ol>\nThe selection considerations:\n<ul>\n<li>Security of the hash algorithm:\n No MD5 and SHA1.\n Yes, I know that HMAC-SHA1 does not need collision resistance but why wait?\n Disable weak crypto today.</li>\n<li>Encrypt-then-MAC:\n I am not aware of a security proof for CTR-and-HMAC but I also don't think CTR decryption can fail.\n Since there are no downgrade attacks, you can add them to the end of the list.\n You can also do this on a host by host basis so you know which ones are less safe.</li>\n<li>Tag size:\n At least 128 bits.\n This eliminates umac-64-etm.</li>\n<li>Key size:\n At least 128 bits.\n This doesn't eliminate anything at this point.</li>\n</ul>\nRecommended <code>/etc/ssh/sshd_config</code> snippet:\n<pre><code>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com</code></pre>\n\nRecommended <code>/etc/ssh/ssh_config</code> snippet:\n<pre><code>Host *\n MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com</code></pre>","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#preventing-key-theft","title":"Preventing key theft","text":"Even with forward secrecy the secret keys must be kept secret.\nThe NSA has a database of stolen keys - you do not want your key there.","tags":["security","documentation"]},{"location":"secure-secure-shell/#system-hardening","title":"System hardening\nOpenSSH has some undocumented, and rarely used features.\nUseRoaming is one such feature with a known vulnerability.\nRecommended <code>/etc/ssh/ssh_config</code> snippet:\n<pre><code>Host *\n UseRoaming no</code></pre>\n\nThis post is not intended to be a comprehensive system security guide.\nVery briefly:\n<ul>\n<li>Don't install what you don't need:\n Every single line of code has a chance of containing a bug.\n Some of these bugs are security holes.\n Fewer lines, fewer holes.</li>\n<li>Use free software:\n As in speech.\n You want to use code that's actually reviewed or that you can review yourself.\n There is no way to achieve that without source code.\n Someone may have reviewed proprietary crap but who knows.</li>\n<li>Keep your software up to date:\n New versions often fix critical security holes.</li>\n<li>Exploit mitigation:\n Sad but true - there will always be security holes in your software.\n There are things you can do to prevent their exploitation, such as GCC's -fstack-protector.\n One of the best security projects out there is Grsecurity.\n Use it or use OpenBSD.</li>\n</ul>","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#traffic-analysis-resistance","title":"Traffic analysis resistance\nSet up Tor hidden services for your SSH servers.\nThis has multiple advantages.\nIt provides an additional layer of encryption and server authentication.\nPeople looking at your traffic will not know your IP, so they will be unable to scan and target other services running on the same server and client.\nAttackers can still attack these services but don't know if it has anything to do with the observed traffic until they actually break in.\nNow this is only true if you don't disclose your SSH server's fingerprint in any other way.\nYou should only accept connections from the hidden service or from LAN, if required.\nIf you don't need LAN access, you can add the following line to <code>/etc/ssh/sshd_config</code>:\n<pre><code>ListenAddress 127.0.0.1:22</code></pre>\n\nAdd this to <code>/etc/tor/torrc</code>:\n<pre><code>HiddenServiceDir /var/lib/tor/hidden_service/ssh\nHiddenServicePort 22 127.0.0.1:22</code></pre>\n\nYou will find the hostname you have to use in <code>/var/lib/tor/hidden_service/ssh/hostname</code>.\nYou also have to configure the client to use Tor.\nFor this, socat will be needed.\nAdd the following line to <code>/etc/ssh/ssh_config</code>:\n<pre><code>Host *.onion\n ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050\n\nHost *\n ...</code></pre>\n\nIf you want to allow connections from LAN, don't use the <code>ListenAddress</code> line, configure your firewall instead.","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#key-storage","title":"Key storage\nYou should encrypt your client key files using a strong password.\nAdditionally, you can use <code>ssh-keygen -o -a $number</code> to slow down cracking attempts by iterating the hash function many times.\nYou may want to store them on a pendrive and only plug it in when you want to use SSH.\nAre you more likely to lose your pendrive or have your system compromised?\nI don't know.\nUnfortunately, you can't encrypt your server key and it must be always available, or else sshd won't start.\nThe only thing protecting it is OS access controls.","text":"","tags":["security","documentation"]},{"location":"secure-secure-shell/#the-end","title":"The end","text":"It's probably a good idea to test the changes.\n<code>ssh -v</code> will print the selected algorithms and also makes problems easier to spot.\nBe extremely careful when configuring SSH on a remote host.\nAlways keep an active session, never restart sshd.\nInstead you can send the <code>SIGHUP</code> signal to reload the configuration without killing your session.\nYou can be even more careful by starting a new sshd instance on a different port and testing that.\nCan you make these changes?\nIf the answer is yes, then...\n\nIf the answer is no, it's probably due to compatibility problems.\nYou can try to convince the other side to upgrade their security and turn it into a yes.\nI have created a wiki page where anyone can add config files for preserving compatibility with various SSH implementations and SSH based services.\nIf you work for a big company and change management doesn't let you do it, I'm sorry.\nI've seen the v1 protocol enabled in such places.\nThere is no chance of improvement.\nGive up to preseve your sanity.\nSpecial thanks to the people of Twitter for the improvements.","tags":["security","documentation"]},{"location":"secure-secure-shell/#changelog","title":"ChangeLog","text":"You may have noticed that this document changed since last time.\nI want to be very transparent about this.\nThere were three major changes:\n<ul>\n<li>After some debate and going back and forth between including GCM or not, it's now back again.\n The reason for dropping it was that SSH doesn't encrypt packet sizes when using GCM.\n The reason for bringing it back is that SSH does the same with any EtM algorithms.\n There is no way around this unless you can live with chacha20-poly1305 only.\n Also, the leaked documents don't sound like they can figure out the lengths or confirm presence of some things, more like straight up \"send it to us and we'll decrypt it for you\".\n Wrapping SSH in a Tor hidden service will take care of any traffic analysis concerns.</li>\n<li>I'm now allowing Encrypt-and-MAC algorithms with CTR ciphers as a last resort.\n I initially thought it was possible to use downgrade attacks, I now think it is not.</li>\n<li>I briefly disabled RSA because it uses SHA1, this turned out to be a non-issue because we're signing SHA2 hashes.</li>\n</ul>\nYou can see the full list of changes on github.\nI promise not to use <code>git push -f</code>.\n\n\n\nNetwork Pro\u2122, the shield logo, and the \"Locking Down Networks\u2122\" slogan are trademarks of Network Pro Strategies.\n\nLicensed under CC BY 4.0 and the GNU GPL, as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.","tags":["security","documentation"]}]}