mailarchive of the ptxdist mailing list
From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Michael Olbrich <m.olbrich@pengutronix.de>,
	Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH v2] openssh: improve rc.once.d script and harden sshd_config
Date: Fri,  7 Aug 2015 13:12:08 +0200
Message-ID: <1438945928-10439-1-git-send-email-clemens.gruber@pqgruber.com>

SSH1 config options were removed and a variety of more secure defaults
chosen, inspired by the Debian preinit script and their sshd_config.
Users can now add other HostKeys to the sshd_config and the openssh
rc.once.d script will automatically generate the necessary keys.

In the sshd_config, all SSH1 related settings were removed and some
important options were explicitly enabled.
TCPKeepAlive was disabled as it is easily spoofable and a better
alternative does exist (ClientAliveInterval).
The sandbox mechanism, relying on seccomp, is used if available.

I also took some commented-out options from Debian as they may be useful
for many users but it is not advisable to enable them in general. (e.g.
AcceptEnv)

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---

Changes in v2:
- Rebased
- Use improved openssh rc.once.d script from Michael Olbrich

---
 projectroot/etc/rc.once.d/openssh | 68 +++++++++++++++++++++------------
 projectroot/etc/ssh/sshd_config   | 79 ++++++++++++++-------------------------
 2 files changed, 72 insertions(+), 75 deletions(-)

diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..edfce5f 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -1,33 +1,53 @@
 #!/bin/sh
 
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
 
-OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
-
-test -n "$OPENSSH_RSAKEY" || \
-	OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
-	OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
-
-gen_key() {
-
-	key_type=$1
-	key_file=$2
-
-	rm -f $key_file > /dev/null 2>&1
-
-	echo -n "generating $key_type key..."
-	ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
+get_hostkeys() {
+	[ -f /etc/ssh/sshd_config ] || return
+	sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
+}
 
-	if [ "$?" = "0" ]; then
-		echo "done"
+host_keys_required() {
+	hostkeys="$(get_hostkeys)"
+	if [ "$hostkeys" ]; then
+		echo "$hostkeys"
 	else
-		echo "failed"
-		exit 1
+		# No HostKey directives found, so we pick some defaults
+		echo /etc/ssh/ssh_host_ed25519_key
+		echo /etc/ssh/ssh_host_rsa_key
 	fi
 }
 
-gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+create_key() {
+	msg="$1"
+	shift
+	hostkeys="$1"
+	shift
+	file="$1"
+	shift
+
+	if echo "$hostkeys" | grep -x "$file" >/dev/null; then
+		echo "$msg; this may take some time ..."
+		rm -f $file &&
+		ssh-keygen -q -f "$file" -N '' "$@" || return
+		echo "$msg; done."
+	fi
+}
+
+create_keys() {
+	hostkeys="$(host_keys_required)"
+
+	create_key "Creating DSA key" \
+		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
+	create_key "Creating ECDSA key" \
+		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
+	create_key "Creating ED25519 key" \
+		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
+	create_key "Creating RSA key" \
+		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
+}
 
+if ! create_keys; then
+	echo "Generating SSH keys failed!"
+	exit 1
+fi
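Review bot: `rm -f $file` in create_key leaves $file unquoted while the neighbouring `ssh-keygen -q -f "$file"` quotes it; a key path containing whitespace or glob characters would be word-split by rm, so write `rm -f "$file" &&` for consistency. Second, get_hostkeys only recognises a directive written exactly as `HostKey` at column 0 followed by a space or tab; sshd itself accepts leading whitespace and treats keywords case-insensitively, so a config with `  hostkey /etc/ssh/ssh_host_rsa_key` would silently fall through to the ed25519/rsa defaults in host_keys_required and the key sshd actually references would never be generated. A pattern such as `s/^[ \t]*[Hh][Oo][Ss][Tt][Kk][Ee][Yy][ \t][ \t]*\(.*\)/\1/p` closes that gap. Finally, the DSA branch in create_keys is dead for the shipped sshd_config now that the DSA HostKey line is removed; if it is kept for users who add one back, a short comment saying so would save the next reader from wondering why it is there.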
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897..c637aa1 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,53 +1,30 @@
-#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
-# default value.
+# OpenSSH server system-wide configuration
+# See the sshd_config manpage for details
 
 Port 22
-Protocol 2
-#AddressFamily any
-#ListenAddress 0.0.0.0
 #ListenAddress ::
+#ListenAddress 0.0.0.0
 
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
+# HostKeys
+HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 
-# Authentication:
-
-#LoginGraceTime 2m
+# Authentication
+LoginGraceTime 1m
 PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
+StrictModes yes
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
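Review bot: `PermitRootLogin yes` is carried through unchanged even though this hunk tightens LoginGraceTime and makes StrictModes explicit; for a patch whose subject is hardening, a reader will expect either `PermitRootLogin without-password` (root only with keys) or a comment explaining why root password login over SSH is wanted on ptxdist targets. In the same spirit, `#MaxAuthTries 6` is deleted rather than set: the built-in default still applies, but since the commit message says the important options are now stated explicitly, an explicit `MaxAuthTries` line next to `LoginGraceTime 1m` would make the intended brute-force limit visible in the file.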
@@ -63,7 +40,6 @@ PermitRootLogin yes
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
-#KerberosGetAFSToken no
 
 # GSSAPI options
 #GSSAPIAuthentication no
@@ -79,27 +55,28 @@ PermitRootLogin yes
 # ChallengeResponseAuthentication=no
 #UsePAM no
 
-#AllowTcpForwarding yes
-#GatewayPorts no
+# Privilege separation is turned on for increased security
+UsePrivilegeSeparation sandbox
+
+# Compression is delayed until the user has authenticated
+Compression delayed
+
+# TCPKeepAlive is spoofable, use ClientAliveInterval instead
+TCPKeepAlive no
+# Disconnect clients after not responding over the encrypted channel for 3 min.
+ClientAliveInterval 60
+ClientAliveCountMax 3
+
 #X11Forwarding no
 #X11DisplayOffset 10
-#X11UseLocalhost yes
 #PrintMotd yes
 #PrintLastLog yes
-#TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
+
+#MaxStartups 10:30:60
+#Banner /etc/issue
+
+# Allow clients to pass locale environment variables
+#AcceptEnv LANG LC_*
+
 Subsystem	sftp	/usr/sbin/sftp-server
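Review bot: `#AllowTcpForwarding yes` and `#GatewayPorts no` are dropped outright, so port forwarding stays enabled with no trace of the decision in the file, whereas the other hardening choices in this hunk (TCPKeepAlive, ClientAlive*, Compression, UsePrivilegeSeparation) are written out explicitly with a comment; please either keep those two lines as commented defaults or set `AllowTcpForwarding no` explicitly if forwarding is not expected on the target. Two smaller points: the comment above ClientAliveInterval says 3 min., which does match 60 s x 3, but stating both values in the comment would keep it from going stale when one of them is edited; and the `#Banner /etc/issue` line taken over from Debian is harmless while commented, but /etc/issue usually names the distribution and version and a Banner is sent before authentication, so a dedicated banner file is the safer thing to point users at.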
-- 
2.5.0


-- 
ptxdist mailing list
ptxdist@pengutronix.de