* [ptxdist] [PATCH v2] openssh: improve rc.once.d script and harden sshd_config
@ 2015-08-07 11:12 Clemens Gruber
0 siblings, 0 replies; only message in thread
From: Clemens Gruber @ 2015-08-07 11:12 UTC (permalink / raw)
To: ptxdist; +Cc: Michael Olbrich, Clemens Gruber
SSH1 config options were removed and a variety of more secure defaults
chosen, inspired by the Debian preinit script and their sshd_config.
Users can now add other HostKeys to the sshd_config and the openssh
rc.once.d script will automatically generate the necessary keys.
In the sshd_config, all SSH1 related settings were removed and some
important options were explicitly enabled.
TCPKeepAlive was disabled as it is easily spoofable and a better
alternative does exist (ClientAliveInterval).
The sandbox mechanism, relying on seccomp, is used if available.
I also took some commented-out options from Debian as they may be useful
for many users but it is not advisable to enable them in general. (e.g.
AcceptEnv)
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
Changes in v2:
- Rebased
- Use improved openssh rc.once.d script from Michael Olbrich
---
projectroot/etc/rc.once.d/openssh | 68 +++++++++++++++++++++------------
projectroot/etc/ssh/sshd_config | 79 ++++++++++++++-------------------------
2 files changed, 72 insertions(+), 75 deletions(-)
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..edfce5f 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -1,33 +1,53 @@
#!/bin/sh
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
-OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
-
-test -n "$OPENSSH_RSAKEY" || \
- OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
- OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
-
-gen_key() {
-
- key_type=$1
- key_file=$2
-
- rm -f $key_file > /dev/null 2>&1
-
- echo -n "generating $key_type key..."
- ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
+get_hostkeys() {
+ [ -f /etc/ssh/sshd_config ] || return
+ sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
+}
- if [ "$?" = "0" ]; then
- echo "done"
+host_keys_required() {
+ hostkeys="$(get_hostkeys)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
else
- echo "failed"
- exit 1
+ # No HostKey directives found, so we pick some defaults
+ echo /etc/ssh/ssh_host_ed25519_key
+ echo /etc/ssh/ssh_host_rsa_key
fi
}
-gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null; then
+ echo "$msg; this may take some time ..."
+ rm -f $file &&
+ ssh-keygen -q -f "$file" -N '' "$@" || return
+ echo "$msg; done."
+ fi
+}
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating DSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
+ create_key "Creating ECDSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
+ create_key "Creating ED25519 key" \
+ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
+ create_key "Creating RSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
+}
+if ! create_keys; then
+ echo "Generating SSH keys failed!"
+ exit 1
+fi
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897..c637aa1 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,53 +1,30 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
+# OpenSSH server system-wide configuration
+# See the sshd_config manpage for details
Port 22
-Protocol 2
-#AddressFamily any
-#ListenAddress 0.0.0.0
#ListenAddress ::
+#ListenAddress 0.0.0.0
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
+# HostKeys
+HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
-# Authentication:
-
-#LoginGraceTime 2m
+# Authentication
+LoginGraceTime 1m
PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
+StrictModes yes
-#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -63,7 +40,6 @@ PermitRootLogin yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
@@ -79,27 +55,28 @@ PermitRootLogin yes
# ChallengeResponseAuthentication=no
#UsePAM no
-#AllowTcpForwarding yes
-#GatewayPorts no
+# Privilege separation is turned on for increased security
+UsePrivilegeSeparation sandbox
+
+# Compression is delayed until the user has authenticated
+Compression delayed
+
+# TCPKeepAlive is spoofable, use ClientAliveInterval instead
+TCPKeepAlive no
+# Disconnect clients after not responding over the encrypted channel for 3 min.
+ClientAliveInterval 60
+ClientAliveCountMax 3
+
#X11Forwarding no
#X11DisplayOffset 10
-#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
-#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
+
+#MaxStartups 10:30:60
+#Banner /etc/issue
+
+# Allow clients to pass locale environment variables
+#AcceptEnv LANG LC_*
+
Subsystem sftp /usr/sbin/sftp-server
--
2.5.0
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-08-07 11:12 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-08-07 11:12 [ptxdist] [PATCH v2] openssh: improve rc.once.d script and harden sshd_config Clemens Gruber
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox