SSH

Security Onion uses the latest SSH packages. It does not modify the default SSH configuration in /etc/ssh/sshd_config or manage it in any way with Salt. This allows you to add any PAM modules or enable two factor authentication (2FA) of your choosing.

Distributed Deployments

For distributed deployments, nodes only connect to the manager via SSH when they initially join the grid. That initial connection is done using the soremote account. If you enable 2FA for SSH, you will need to disable 2FA for the soremote account. The soremote account can be disabled when you are not adding any nodes to the grid.

Hardening

Some organizations require the removal of certain ciphers and algorithms from sshd. Starting in Security Onion 2.3.10, we have a tool that will do this for you. Simply run so-ssh-harden and then reload the sshd config and verify that you can connect via ssh properly. Alternatively, you can manually modify your sshd_config as follows:

sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config