From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
Date: Fri, 17 Jul 2015 23:54:51 +0200 [thread overview]
Message-ID: <1437170091-7429-1-git-send-email-clemens.gruber@pqgruber.com> (raw)
SSH1 config options were removed and a variety of more secure defaults
chosen, inspired by the Debian preinit script and their sshd_config.
Users can now add other HostKeys to the sshd_config and the openssh
rc.once.d script will automatically generate the necessary keys.
I also added an option to show the randomart representation of the key
to the user.
In the sshd_config, all SSH1 related settings were removed and some
important options were explicitly enabled.
TCPKeepAlive was disabled as it is easily spoofable and a better
alternative does exist (ClientAliveInterval).
The sandbox mechanism (using seccomp) is used, if available.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
projectroot/etc/rc.once.d/openssh | 69 ++++++++++++++++++++++------------
projectroot/etc/ssh/sshd_config | 79 ++++++++++++++-------------------------
2 files changed, 74 insertions(+), 74 deletions(-)
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..df5f667 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -2,32 +2,55 @@
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
-
-test -n "$OPENSSH_RSAKEY" || \
- OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
- OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
-
-gen_key() {
-
- key_type=$1
- key_file=$2
-
- rm -f $key_file > /dev/null 2>&1
-
- echo -n "generating $key_type key..."
- ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
+get_hostkeys() {
+ [ -f /etc/ssh/sshd_config ] || return
+ grep "^HostKey" /etc/ssh/sshd_config | sed "s/^HostKey //g"
+}
- if [ "$?" = "0" ]; then
- echo "done"
+host_keys_required() {
+ hostkeys="$(get_hostkeys)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
else
- echo "failed"
- exit 1
+ # No HostKey directives found, so we pick some defaults
+ echo /etc/ssh/ssh_host_ed25519_key
+ echo /etc/ssh/ssh_host_rsa_key
fi
}
-gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+ [ ! -f "$file" ] ; then
+ echo -n $msg
+ rm -f $file > /dev/null 2>&1
+ ssh-keygen -q -f "$file" -N '' "$@"
+ echo
+ if which restorecon >/dev/null 2>&1; then
+ restorecon "$file" "$file.pub"
+ fi
+ ssh-keygen -lv -f "$file.pub"
+ fi
+}
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating DSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+ create_key "Creating ECDSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+ create_key "Creating ED25519 key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+ create_key "Creating RSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+}
+
+create_keys
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897..c637aa1 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,53 +1,30 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
+# OpenSSH server system-wide configuration
+# See the sshd_config manpage for details
Port 22
-Protocol 2
-#AddressFamily any
-#ListenAddress 0.0.0.0
#ListenAddress ::
+#ListenAddress 0.0.0.0
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
+# HostKeys
+HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
-# Authentication:
-
-#LoginGraceTime 2m
+# Authentication
+LoginGraceTime 1m
PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
+StrictModes yes
-#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -63,7 +40,6 @@ PermitRootLogin yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
@@ -79,27 +55,28 @@ PermitRootLogin yes
# ChallengeResponseAuthentication=no
#UsePAM no
-#AllowTcpForwarding yes
-#GatewayPorts no
+# Privilege separation is turned on for increased security
+UsePrivilegeSeparation sandbox
+
+# Compression is delayed until the user has authenticated
+Compression delayed
+
+# TCPKeepAlive is spoofable, use ClientAliveInterval instead
+TCPKeepAlive no
+# Disconnect clients after not responding over the encrypted channel for 3 min.
+ClientAliveInterval 60
+ClientAliveCountMax 3
+
#X11Forwarding no
#X11DisplayOffset 10
-#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
-#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
+
+#MaxStartups 10:30:60
+#Banner /etc/issue
+
+# Allow clients to pass locale environment variables
+#AcceptEnv LANG LC_*
+
Subsystem sftp /usr/sbin/sftp-server
--
2.4.6
--
ptxdist mailing list
ptxdist@pengutronix.de
next reply other threads:[~2015-07-17 19:55 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-17 21:54 Clemens Gruber [this message]
2015-08-07 10:13 ` Michael Olbrich
2015-08-07 10:45 ` Michael Olbrich
2015-08-07 10:55 ` Clemens Gruber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1437170091-7429-1-git-send-email-clemens.gruber@pqgruber.com \
--to=clemens.gruber@pqgruber.com \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox