Why SSH Server Auditing is Essential
SSH (Secure Shell) is the primary remote access protocol for Linux servers. A misconfigured SSH server can expose your infrastructure to brute-force attacks, man-in-the-middle exploits, and unauthorized access. Despite SSH being "secure by design," the default configuration on most distributions prioritizes compatibility over security.
Common SSH misconfigurations include allowing root login with passwords, using deprecated ciphers like 3des-cbc, keeping DSA host keys active, and permitting X11 forwarding on production servers. These issues accumulate over time as servers are provisioned from templates or inherited from other teams.
dargslan-ssh-audit automates the entire SSH configuration review process. It reads your sshd_config file, checks every security-relevant setting against industry best practices, and produces actionable recommendations, all without external dependencies.
Install dargslan-ssh-audit
```bash
pip install dargslan-ssh-audit
```
Zero dependencies. Works on any Linux distribution with Python 3.7+. The tool reads /etc/ssh/sshd_config by default but accepts custom paths for non-standard installations.
CLI Usage: Full Security Report
```bash
dargslan-ssh report
```
This command reads your SSH configuration and displays a comprehensive security report covering root login, password authentication, empty passwords, protocol version, max auth tries, X11 forwarding, host key types, and authorized_keys file permissions.
Check Specific Settings
```bash
# List all security issues
dargslan-ssh issues

# Check host key types (ed25519, ecdsa, rsa, dsa)
dargslan-ssh keys

# Audit authorized_keys files for all users
dargslan-ssh auth-keys

# JSON output for automation
dargslan-ssh json
```
Python API: Programmatic Auditing
```python
from dargslan_ssh_audit import SSHAudit

# Initialize with default or custom config path
sa = SSHAudit()
# sa = SSHAudit(config_path="/etc/ssh/sshd_config.d/custom.conf")

# Run full audit
issues = sa.audit()
for issue in issues:
    print(f"[{issue['severity']}] {issue['setting']}: {issue['message']}")

# Check individual settings
root_login = sa.check_root_login()
print(f"PermitRootLogin: {root_login['value']} - Secure: {root_login['secure']}")
password_auth = sa.check_password_auth()
ciphers = sa.check_ciphers()
host_keys = sa.check_host_keys()

# Print formatted report
sa.print_report()
```
What the Audit Checks
The SSH audit covers these critical security settings:
- PermitRootLogin: Should be "no" or "prohibit-password". Allowing root login with passwords is the most common SSH attack vector.
- PasswordAuthentication: Should be "no" on production servers. Key-based authentication is significantly more secure than passwords.
- PermitEmptyPasswords: Must be "no". Empty passwords allow anyone to log in without credentials.
- Protocol: Must be "2". SSHv1 has known cryptographic weaknesses.
- MaxAuthTries: Should be 3-4. Higher values give attackers more brute-force attempts per connection.
- X11Forwarding: Should be disabled on servers. X11 forwarding creates an attack surface for privilege escalation.
- Ciphers: Weak ciphers like 3des-cbc, aes128-cbc, blowfish-cbc should be removed.
- MACs: Weak MACs like hmac-md5, hmac-sha1 should be replaced with ETM variants.
- Host Keys: DSA keys are deprecated. Prefer ed25519 or ecdsa.
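The checks listed above, as an added example that is not dargslan-ssh-audit's own code or API: a minimal stand-alone checker run over a constructed sshd_config. The function names, the sample file, and the use of upstream OpenSSH defaults for unset keywords are assumptions of this example.

```python
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "blowfish-cbc"}  # names from the list above
WEAK_MACS = {"hmac-md5", "hmac-sha1"}
# keyword: (assumed upstream OpenSSH default when unset, values the list above accepts)
RULES = {"permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}),
         "passwordauthentication": ("yes", {"no"}), "protocol": ("2", {"2"}),
         "permitemptypasswords": ("no", {"no"}), "x11forwarding": ("no", {"no"})}

def parse_global(text):
    """Global sshd_config settings: keywords are case-insensitive, first value wins."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional overrides follow; this example checks globals only
        settings.setdefault(parts[0].lower(), parts[1].strip().strip('"'))
    return settings

def audit(text):
    # Returns sorted (keyword, offending value) pairs.
    s = parse_global(text)
    findings = [(k, s.get(k, d).lower()) for k, (d, ok) in RULES.items()
                if s.get(k, d).lower() not in ok]
    tries = s.get("maxauthtries", "6")  # 6 is the upstream default
    if int(tries) > 4:
        findings.append(("maxauthtries", tries))
    for key, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS)):
        value = s.get(key, "")  # unset means the build's default list, not evaluated here
        if not value.startswith("-"):  # a leading "-" only removes algorithms
            findings += [(key, n) for n in value.lstrip("+^").split(",") if n in weak]
    return sorted(findings)

SAMPLE = """\
# constructed sample, not from a real host
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding yes
Ciphers aes256-gcm@openssh.com,3des-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-md5
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for keyword, value in audit(SAMPLE):
        print(f"{keyword}: {value}")
```

The second permitrootlogin line in the sample has no effect because sshd uses the first value it reads for a keyword. The example follows neither Include files nor Match blocks; `sshd -T` prints the effective configuration of the installed build.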
Integration with CI/CD
Use dargslan-ssh-audit in your infrastructure-as-code pipelines to verify SSH hardening across all servers:
```python
import sys

from dargslan_ssh_audit import SSHAudit

sa = SSHAudit()
issues = sa.audit()

# Fail the pipeline stage if any critical finding is present
critical = [i for i in issues if i["severity"] == "critical"]
if critical:
    print(f"FAIL: {len(critical)} critical SSH issues found")
    for i in critical:
        print(f"  {i['setting']}: {i['message']}")
    sys.exit(1)
else:
    print("PASS: SSH configuration meets security standards")
```
Download the SSH Security Cheat Sheet
Get our SSH Security Audit Cheat Sheet, a printable PDF covering every critical sshd_config setting, recommended ciphers, MACs, and key exchange algorithms.
Related Tools
Explore our full suite of 20+ Python CLI tools for Linux administration. For comprehensive coverage, check out our Linux security and DevOps eBooks at dargslan.com.