throwaway2048

The section on openssh misses some things like ssh certificates:

SSH certificates are a CA type model for openssh, where you can trust one key, and anything it signs will be trusted, great for stuff like cloud/server deployments and reimaging, way way too many people either blindly trust new ssh keys, or just disable server fingerprint checking entirely, opening yourself up to trivial MITM attacks.

you can also restrict user keys themselves to a subset of ssh functionality, rather than trying to lock down individual users via ssh config etc.

You should be careful specifying an explicit list of ciphers/kex/key/etc acceptable algos, because the openssh defaults and included algos have changed with time, and by setting an explicit list, you will not get any new ones as they are added (for instance they have recently added experimental post quantum crypto support), nor will weak ones be removed. If you need to add options to connect to older servers that do not support newer, stronger crypto its recommended you prefix them with + so they are added in addition to the reasonably secure defaults, not replacing them.

The mozilla recommendations list also fails to mention that stuff like sftp can be chrooted, and other ssh functionality disabled so it functions more like a secure alternative to ftp, and less like a tool to run remote commands.

kangistaken

that is true, though contributions can be made (I mean, PR welcome!) it would be a great addition there's also some basic scripts here https://github.com/mozilla-iam/federated_access_proxy/tree/m...

kevin_nisbet
I don't see a link to the repository if we wanted to submit a PR.

Also might be worth mentioning that there is some alternative tooling to deliver multi-factor / single sign on and short lived certificates to SSH like teleport: https://github.com/gravitational/teleport

Disclaimer: I work for Gravitational, the company behind teleport