* [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
@ 2015-07-17 21:54 Clemens Gruber
  2015-08-07 10:13 ` Michael Olbrich
  0 siblings, 1 reply; 4+ messages in thread
From: Clemens Gruber @ 2015-07-17 21:54 UTC (permalink / raw)
  To: ptxdist; +Cc: Clemens Gruber

SSH1 config options were removed and a variety of more secure defaults
chosen, inspired by the Debian preinit script and their sshd_config.
Users can now add other HostKeys to the sshd_config and the openssh
rc.once.d script will automatically generate the necessary keys.
I also added an option to show the randomart representation of the key
to the user.

In the sshd_config, all SSH1 related settings were removed and some
important options were explicitly enabled.
TCPKeepAlive was disabled as it is easily spoofable and a better
alternative exists (ClientAliveInterval).
The sandbox mechanism (using seccomp) is used, if available.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
 projectroot/etc/rc.once.d/openssh | 69 ++++++++++++++++++++++------------
 projectroot/etc/ssh/sshd_config   | 79 ++++++++++++++-------------------------
 2 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..df5f667 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -2,32 +2,55 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
-OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
-
-test -n "$OPENSSH_RSAKEY" || \
-	OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
-	OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
-
-gen_key() {
-
-	key_type=$1
-	key_file=$2
-
-	rm -f $key_file > /dev/null 2>&1
-
-	echo -n "generating $key_type key..."
-	ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
+get_hostkeys() {
+	[ -f /etc/ssh/sshd_config ] || return
+	grep "^HostKey" /etc/ssh/sshd_config | sed "s/^HostKey //g"
+}
 
-	if [ "$?" = "0" ]; then
-		echo "done"
+host_keys_required() {
+	hostkeys="$(get_hostkeys)"
+	if [ "$hostkeys" ]; then
+		echo "$hostkeys"
 	else
-		echo "failed"
-		exit 1
+		# No HostKey directives found, so we pick some defaults
+		echo /etc/ssh/ssh_host_ed25519_key
+		echo /etc/ssh/ssh_host_rsa_key
 	fi
 }
 
-gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+create_key() {
+	msg="$1"
+	shift
+	hostkeys="$1"
+	shift
+	file="$1"
+	shift
+
+	if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+	   [ ! -f "$file" ] ; then
+		echo -n $msg
+		rm -f $file > /dev/null 2>&1
+		ssh-keygen -q -f "$file" -N '' "$@"
+		echo
+		if which restorecon >/dev/null 2>&1; then
+			restorecon "$file" "$file.pub"
+		fi
+		ssh-keygen -lv -f "$file.pub"
+	fi
+}
+
+create_keys() {
+	hostkeys="$(host_keys_required)"
+
+	create_key "Creating DSA key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+	create_key "Creating ECDSA key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+	create_key "Creating ED25519 key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+	create_key "Creating RSA key; this may take some time ..." \
+		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+}
+
+create_keys
 
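Review bot: In get_hostkeys, `grep "^HostKey"` also matches HostKeyAlgorithms and any other keyword starting with HostKey, and `sed "s/^HostKey //g"` strips exactly one space, so a tab-separated directive or a HostKeyAlgorithms line yields a non-path entry; host_keys_required then sees a non-empty list, skips its defaults, and a config that sets HostKeyAlgorithms without any HostKey ends up with no host keys generated at all. Requiring a separator fixes both cases in one line, `sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config`; note that sshd_config keywords are case-insensitive, which neither spelling handles. In create_key, `echo -n $msg` and `rm -f $file` leave their expansions unquoted, and `grep -x "$file"` treats the path as a regular expression rather than a literal, so `rm -f -- "$file"` and `grep -Fx -- "$file"` express what is intended. Since the script runs under `#!/bin/sh`, `echo -n` is also not portable; `printf '%s' "$msg"` is.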
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897..c637aa1 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,53 +1,30 @@
-#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
-# default value.
+# OpenSSH server system-wide configuration
+# See the sshd_config manpage for details
 
 Port 22
-Protocol 2
-#AddressFamily any
-#ListenAddress 0.0.0.0
 #ListenAddress ::
+#ListenAddress 0.0.0.0
 
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
+# HostKeys
+HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 
-# Authentication:
-
-#LoginGraceTime 2m
+# Authentication
+LoginGraceTime 1m
 PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
+StrictModes yes
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
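Review bot: `PermitRootLogin yes` is carried over unchanged in the Authentication section while the surrounding settings (LoginGraceTime, StrictModes) are explicitly hardened, and the `#MaxAuthTries 6` line is dropped rather than decided. If root password logins are a deliberate choice for the target, a one-line comment above the directive saying so would keep the next reader from treating it as an oversight; otherwise `PermitRootLogin without-password` keeps root reachable with keys only. Setting MaxAuthTries explicitly (for example `MaxAuthTries 3`) would likewise document the per-connection brute-force bound instead of relying on the compiled-in default.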
@@ -63,7 +40,6 @@ PermitRootLogin yes
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
-#KerberosGetAFSToken no
 
 # GSSAPI options
 #GSSAPIAuthentication no
@@ -79,27 +55,28 @@ PermitRootLogin yes
 # ChallengeResponseAuthentication=no
 #UsePAM no
 
-#AllowTcpForwarding yes
-#GatewayPorts no
+# Privilege separation is turned on for increased security
+UsePrivilegeSeparation sandbox
+
+# Compression is delayed until the user has authenticated
+Compression delayed
+
+# TCPKeepAlive is spoofable, use ClientAliveInterval instead
+TCPKeepAlive no
+# Disconnect clients after not responding over the encrypted channel for 3 min.
+ClientAliveInterval 60
+ClientAliveCountMax 3
+
 #X11Forwarding no
 #X11DisplayOffset 10
-#X11UseLocalhost yes
 #PrintMotd yes
 #PrintLastLog yes
-#TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
+
+#MaxStartups 10:30:60
+#Banner /etc/issue
+
+# Allow clients to pass locale environment variables
+#AcceptEnv LANG LC_*
+
 Subsystem	sftp	/usr/sbin/sftp-server
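Review bot: The commented defaults `#AllowTcpForwarding yes` and `#GatewayPorts no` are deleted rather than decided, so the file no longer shows that TCP forwarding stays enabled on this sshd; for a hardening change it is worth either setting `AllowTcpForwarding no` when the target does not need tunnels or keeping the commented lines so the choice stays visible. The comment above ClientAliveInterval states a 3 minute disconnect, which matches `ClientAliveInterval 60` times `ClientAliveCountMax 3`, so spelling out the arithmetic in the comment (`# 60 s probe interval x 3 missed probes = 3 min`) would let a reader change one value without silently invalidating the text.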
-- 
2.4.6



* Re: [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
  2015-07-17 21:54 [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config Clemens Gruber
@ 2015-08-07 10:13 ` Michael Olbrich
  2015-08-07 10:45   ` Michael Olbrich
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Olbrich @ 2015-08-07 10:13 UTC (permalink / raw)
  To: ptxdist

On Fri, Jul 17, 2015 at 11:54:51PM +0200, Clemens Gruber wrote:
> SSH1 config options were removed and a variety of more secure defaults
> chosen, inspired by the Debian preinit script and their sshd_config.
> Users can now add other HostKeys to the sshd_config and the openssh
> rc.once.d script will automatically generate the necessary keys.
> I also added an option to show the randomart representation of the key
> to the user.
> 
> In the sshd_config, all SSH1 related settings were removed and some
> important options were explicitly enabled.
> TCPKeepAlive was disabled as it is easily spoofable and a better
> alternative does exist (ClientAliveInterval).
> The sandbox mechanism (using seccomp) is used, if available.


I've played with this a bit, but unfortunately I didn't have the time to
push this forward. And today is my last day before my summer vacation. I
won't even read the mailing list for the next weeks.
I've attached my current version of /etc/rc.once.d/openssh. Please take a
look if that's ok for you too.
Also, can you base projectroot/etc/ssh/sshd_config on the latest example
installed by openssh (.../packages/openssh-6.9p1/etc/ssh/sshd_config), so that
the actual changes are more obvious.

Michael


> Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
> ---
>  projectroot/etc/rc.once.d/openssh | 69 ++++++++++++++++++++++------------
>  projectroot/etc/ssh/sshd_config   | 79 ++++++++++++++-------------------------
>  2 files changed, 74 insertions(+), 74 deletions(-)
> 
> diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
> index 83e6e37..df5f667 100644
> --- a/projectroot/etc/rc.once.d/openssh
> +++ b/projectroot/etc/rc.once.d/openssh
> @@ -2,32 +2,55 @@
>  
>  PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>  
> -OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
> -OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
> -
> -test -n "$OPENSSH_RSAKEY" || \
> -	OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
> -test -n "$OPENSSH_DSAKEY" || \
> -	OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
> -
> -gen_key() {
> -
> -	key_type=$1
> -	key_file=$2
> -
> -	rm -f $key_file > /dev/null 2>&1
> -
> -	echo -n "generating $key_type key..."
> -	ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
> +get_hostkeys() {
> +	[ -f /etc/ssh/sshd_config ] || return
> +	grep "^HostKey" /etc/ssh/sshd_config | sed "s/^HostKey //g"
> +}
>  
> -	if [ "$?" = "0" ]; then
> -		echo "done"
> +host_keys_required() {
> +	hostkeys="$(get_hostkeys)"
> +	if [ "$hostkeys" ]; then
> +		echo "$hostkeys"
>  	else
> -		echo "failed"
> -		exit 1
> +		# No HostKey directives found, so we pick some defaults
> +		echo /etc/ssh/ssh_host_ed25519_key
> +		echo /etc/ssh/ssh_host_rsa_key
>  	fi
>  }
>  
> -gen_key rsa "$OPENSSH_RSAKEY"
> -gen_key dsa "$OPENSSH_DSAKEY"
> +create_key() {
> +	msg="$1"
> +	shift
> +	hostkeys="$1"
> +	shift
> +	file="$1"
> +	shift
> +
> +	if echo "$hostkeys" | grep -x "$file" >/dev/null && \
> +	   [ ! -f "$file" ] ; then
> +		echo -n $msg
> +		rm -f $file > /dev/null 2>&1
> +		ssh-keygen -q -f "$file" -N '' "$@"
> +		echo
> +		if which restorecon >/dev/null 2>&1; then
> +			restorecon "$file" "$file.pub"
> +		fi
> +		ssh-keygen -lv -f "$file.pub"
> +	fi
> +}
> +
> +create_keys() {
> +	hostkeys="$(host_keys_required)"
> +
> +	create_key "Creating DSA key; this may take some time ..." \
> +		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
> +	create_key "Creating ECDSA key; this may take some time ..." \
> +		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
> +	create_key "Creating ED25519 key; this may take some time ..." \
> +		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
> +	create_key "Creating RSA key; this may take some time ..." \
> +		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
> +}
> +
> +create_keys
>  
> diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
> index 7cd7897..c637aa1 100644
> --- a/projectroot/etc/ssh/sshd_config
> +++ b/projectroot/etc/ssh/sshd_config
> @@ -1,53 +1,30 @@
> -#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
> -
> -# This is the sshd server system-wide configuration file.  See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> -
> -# The strategy used for options in the default sshd_config shipped with
> -# OpenSSH is to specify options with their default value where
> -# possible, but leave them commented.  Uncommented options change a
> -# default value.
> +# OpenSSH server system-wide configuration
> +# See the sshd_config manpage for details
>  
>  Port 22
> -Protocol 2
> -#AddressFamily any
> -#ListenAddress 0.0.0.0
>  #ListenAddress ::
> +#ListenAddress 0.0.0.0
>  
> -# HostKey for protocol version 1
> -#HostKey /etc/ssh/ssh_host_key
> -# HostKeys for protocol version 2
> +# HostKeys
> +HostKey /etc/ssh/ssh_host_ed25519_key
>  HostKey /etc/ssh/ssh_host_rsa_key
> -HostKey /etc/ssh/ssh_host_dsa_key
> -
> -# Lifetime and size of ephemeral version 1 server key
> -#KeyRegenerationInterval 1h
> -#ServerKeyBits 768
>  
>  # Logging
> -# obsoletes QuietMode and FascistLogging
>  #SyslogFacility AUTH
>  #LogLevel INFO
>  
> -# Authentication:
> -
> -#LoginGraceTime 2m
> +# Authentication
> +LoginGraceTime 1m
>  PermitRootLogin yes
> -#StrictModes yes
> -#MaxAuthTries 6
> +StrictModes yes
>  
> -#RSAAuthentication yes
>  #PubkeyAuthentication yes
>  #AuthorizedKeysFile	.ssh/authorized_keys
>  
>  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#RhostsRSAAuthentication no
> -# similar for protocol version 2
>  #HostbasedAuthentication no
>  # Change to yes if you don't trust ~/.ssh/known_hosts for
> -# RhostsRSAAuthentication and HostbasedAuthentication
> +# HostbasedAuthentication
>  #IgnoreUserKnownHosts no
>  # Don't read the user's ~/.rhosts and ~/.shosts files
>  #IgnoreRhosts yes
> @@ -63,7 +40,6 @@ PermitRootLogin yes
>  #KerberosAuthentication no
>  #KerberosOrLocalPasswd yes
>  #KerberosTicketCleanup yes
> -#KerberosGetAFSToken no
>  
>  # GSSAPI options
>  #GSSAPIAuthentication no
> @@ -79,27 +55,28 @@ PermitRootLogin yes
>  # ChallengeResponseAuthentication=no
>  #UsePAM no
>  
> -#AllowTcpForwarding yes
> -#GatewayPorts no
> +# Privilege separation is turned on for increased security
> +UsePrivilegeSeparation sandbox
> +
> +# Compression is delayed until the user has authenticated
> +Compression delayed
> +
> +# TCPKeepAlive is spoofable, use ClientAliveInterval instead
> +TCPKeepAlive no
> +# Disconnect clients after not responding over the encrypted channel for 3 min.
> +ClientAliveInterval 60
> +ClientAliveCountMax 3
> +
>  #X11Forwarding no
>  #X11DisplayOffset 10
> -#X11UseLocalhost yes
>  #PrintMotd yes
>  #PrintLastLog yes
> -#TCPKeepAlive yes
>  #UseLogin no
> -#UsePrivilegeSeparation yes
> -#PermitUserEnvironment no
> -#Compression delayed
> -#ClientAliveInterval 0
> -#ClientAliveCountMax 3
> -#UseDNS yes
> -#PidFile /var/run/sshd.pid
> -#MaxStartups 10
> -#PermitTunnel no
> -
> -# no default banner path
> -#Banner /some/path
> -
> -# override default of no subsystems
> +
> +#MaxStartups 10:30:60
> +#Banner /etc/issue
> +
> +# Allow clients to pass locale environment variables
> +#AcceptEnv LANG LC_*
> +
>  Subsystem	sftp	/usr/sbin/sftp-server
> -- 
> 2.4.6
> 
> 
> -- 
> ptxdist mailing list
> ptxdist@pengutronix.de

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
  2015-08-07 10:13 ` Michael Olbrich
@ 2015-08-07 10:45   ` Michael Olbrich
  2015-08-07 10:55     ` Clemens Gruber
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Olbrich @ 2015-08-07 10:45 UTC (permalink / raw)
  To: ptxdist


On Fri, Aug 07, 2015 at 12:13:23PM +0200, Michael Olbrich wrote:
> On Fri, Jul 17, 2015 at 11:54:51PM +0200, Clemens Gruber wrote:
> > SSH1 config options were removed and a variety of more secure defaults
> > chosen, inspired by the Debian preinit script and their sshd_config.
> > Users can now add other HostKeys to the sshd_config and the openssh
> > rc.once.d script will automatically generate the necessary keys.
> > I also added an option to show the randomart representation of the key
> > to the user.
> > 
> > In the sshd_config, all SSH1 related settings were removed and some
> > important options were explicitly enabled.
> > TCPKeepAlive was disabled as it is easily spoofable and a better
> > alternative does exist (ClientAliveInterval).
> > The sandbox mechanism (using seccomp) is used, if available.
> 
> 
> I've played with this a bit, but unfortunately I didn't have the time to
> push this forward. And today is my last day before my summer vacation. I
> won't even read the mailing list for the next weeks.
> I've attached my current version of /etc/rc.once.d/openssh. Please take a
> look if that's ok for you too.

Forgot the attachment...

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

[-- Attachment #2: openssh --]
[-- Type: text/plain, Size: 1151 bytes --]

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

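get_hostkeys() {
	# Print the value of every HostKey directive in an sshd_config, one per
	# line.  $1 optionally names the config file (default /etc/ssh/sshd_config),
	# which keeps the no-argument call used elsewhere in this script working.
	# Prints nothing and returns non-zero when the file does not exist.
	# sshd_config keywords are case-insensitive, so the keyword is matched in
	# any case; the value must be separated from it by blanks or tabs, so a
	# longer keyword such as HostKeyAlgorithms is not a match.  Trailing
	# blanks are stripped from the value; a directive without a value is
	# not printed.
	config="${1:-/etc/ssh/sshd_config}"
	[ -f "$config" ] || return
	# Inside a bracket expression POSIX sed treats \t as a literal backslash
	# and t, so build the blank class from a real tab character.
	blank=" $(printf '\t')"
	sed -n "s/^[Hh][Oo][Ss][Tt][Kk][Ee][Yy][$blank][$blank]*\(.*[^$blank]\)[$blank]*\$/\1/p" "$config"
}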

host_keys_required() {
	# Print the host key paths sshd expects, one per line: the paths named
	# by HostKey directives in sshd_config, or a built-in pair when none are.
	configured="$(get_hostkeys)"
	if [ -n "$configured" ]; then
		echo "$configured"
		return
	fi
	# No HostKey directive was found: fall back to these defaults.
	printf '%s\n' /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key
}

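create_key() {
	# Generate one host key pair, but only if its path is wanted.
	# Arguments: $1 progress message prefix, $2 newline-separated list of
	# wanted private key paths, $3 private key path to create, remaining
	# arguments are passed through to ssh-keygen (e.g. -t TYPE [-b BITS]).
	# A path not listed in $2 is skipped silently with status 0.  An existing
	# private key at $3 is removed first.  Returns non-zero if removing the
	# old key or running ssh-keygen fails, so the caller can stop.
	msg="$1"
	shift
	wanted="$1"
	shift
	file="$1"
	shift

	# -F: the path is a literal, not a regular expression; -x: whole line only.
	printf '%s\n' "$wanted" | grep -Fx -- "$file" >/dev/null || return 0

	echo "$msg; this may take some time ..."
	# Quote the path and end option parsing with -- so an unusual path can
	# neither word-split nor be read as an option.
	rm -f -- "$file" || return
	ssh-keygen -q -f "$file" -N '' "$@" || return
	echo "$msg; done."
}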

create_keys() {
	# Generate every host key that sshd_config asks for.  create_key ignores
	# paths that are not in the required list, so all four candidate types
	# can be offered; the first failure aborts the sequence and its status
	# is returned.
	required="$(host_keys_required)"

	create_key "Creating DSA key" "$required" /etc/ssh/ssh_host_dsa_key -t dsa || return
	create_key "Creating ECDSA key" "$required" /etc/ssh/ssh_host_ecdsa_key -t ecdsa || return
	create_key "Creating ED25519 key" "$required" /etc/ssh/ssh_host_ed25519_key -t ed25519 || return
	create_key "Creating RSA key" "$required" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
}

# Entry point: report and exit non-zero if any required host key could
# not be generated.
create_keys || {
	echo "Generating SSH keys failed!"
	exit 1
}


* Re: [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
  2015-08-07 10:45   ` Michael Olbrich
@ 2015-08-07 10:55     ` Clemens Gruber
  0 siblings, 0 replies; 4+ messages in thread
From: Clemens Gruber @ 2015-08-07 10:55 UTC (permalink / raw)
  To: ptxdist; +Cc: Michael Olbrich

Hi Michael,

On Fri, Aug 07, 2015 at 12:45:48PM +0200, Michael Olbrich wrote:
> Forgot the attachment...
> 
> Michael
> 
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

> #!/bin/sh
> 
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> 
> get_hostkeys() {
> 	[ -f /etc/ssh/sshd_config ] || return
> 	sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
> }
> 
> host_keys_required() {
> 	hostkeys="$(get_hostkeys)"
> 	if [ "$hostkeys" ]; then
> 		echo "$hostkeys"
> 	else
> 		# No HostKey directives found, so we pick some defaults
> 		echo /etc/ssh/ssh_host_ed25519_key
> 		echo /etc/ssh/ssh_host_rsa_key
> 	fi
> }
> 
> create_key() {
> 	msg="$1"
> 	shift
> 	hostkeys="$1"
> 	shift
> 	file="$1"
> 	shift
> 
> 	if echo "$hostkeys" | grep -x "$file" >/dev/null; then
> 		echo "$msg; this may take some time ..."
> 		rm -f $file &&
> 		ssh-keygen -q -f "$file" -N '' "$@" || return
> 		echo "$msg; done."
> 	fi
> }
> 
> create_keys() {
> 	hostkeys="$(host_keys_required)"
> 
> 	create_key "Creating DSA key" \
> 		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
> 	create_key "Creating ECDSA key" \
> 		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
> 	create_key "Creating ED25519 key" \
> 		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
> 	create_key "Creating RSA key" \
> 		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
> }
> 
> if ! create_keys; then
> 	echo "Generating SSH keys failed!"
> 	exit 1
> fi

Looks good to me. I'll rebase my changes on the new sshd_config, include your
rc.once.d changes and send a new patch!

Would you like the users of ptxdist master to test this in the meantime or do
you prefer merging it after your vacation?

Happy holidays! 

Clemens

