* [ptxdist] [PATCH] openssh: harden security options and host keys
@ 2015-11-02 20:10 Clemens Gruber
0 siblings, 0 replies; only message in thread
From: Clemens Gruber @ 2015-11-02 20:10 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
The rc.once.d script generates the host keys which are enabled in
the ssd_config file.
Ed25519 and RSA are the default host key signature algorithms as
both do not solely rely upon good entropy sources.
DSA and ECDSA are not recommended on embedded systems.
The SSH configuration is hardened: Enabled sandboxing, reduced
login grace time, strict mode, etc.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
projectroot/etc/rc.once.d/openssh | 68 ++++++++++++++++++----------
projectroot/etc/ssh/sshd_config | 95 ++++++++++++++++++++++-----------------
2 files changed, 97 insertions(+), 66 deletions(-)
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..6ed3b23 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -1,33 +1,53 @@
#!/bin/sh
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
-OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
-
-test -n "$OPENSSH_RSAKEY" || \
- OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
- OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
-
-gen_key() {
-
- key_type=$1
- key_file=$2
-
- rm -f $key_file > /dev/null 2>&1
-
- echo -n "generating $key_type key..."
- ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
+get_hostkeys() {
+ [ -f /etc/ssh/sshd_config ] || return
+ sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
+}
- if [ "$?" = "0" ]; then
- echo "done"
+host_keys_required() {
+ hostkeys="$(get_hostkeys)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
else
- echo "failed"
- exit 1
+ # No HostKey directives found, so we pick secure defaults
+ echo /etc/ssh/ssh_host_ed25519_key
+ echo /etc/ssh/ssh_host_rsa_key
fi
}
-gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null; then
+ echo "$msg; this may take some time ..."
+ rm -f $file &&
+ ssh-keygen -q -f "$file" -N '' "$@" || return
+ echo "$msg; done."
+ fi
+}
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating DSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
+ create_key "Creating ECDSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
+ create_key "Creating ED25519 key" \
+ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
+ create_key "Creating RSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+}
+if ! create_keys; then
+ echo "Generating SSH keys failed!"
+ exit 1
+fi
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897..1357c68 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,53 +1,52 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This is the sshd server system-wide configuration file.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
+# possible, but leave them commented. Uncommented options override the
# default value.
+# Alternative options which are not on by default are commented out with ##.
+
+# Note: Only SSH protocol version 2 is supported.
-Port 22
-Protocol 2
+#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
+# Host keys
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
+# DSA and ECDSA host keys (Not recommended)
+##HostKey /etc/ssh/ssh_host_dsa_key
+##HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Ciphers and keying
+#RekeyLimit default none
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
-
-#LoginGraceTime 2m
+LoginGraceTime 1m
PermitRootLogin yes
-#StrictModes yes
+StrictModes yes
#MaxAuthTries 6
+#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
+
+AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -68,38 +67,50 @@ PermitRootLogin yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
+#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
+#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
-#UseDNS yes
+#UseDNS no
#PidFile /var/run/sshd.pid
-#MaxStartups 10
+MaxStartups 10:30:60
#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem sftp /usr/sbin/sftp-server
+#ChrootDirectory none
+#VersionAddendum none
+#Banner none
+
+# Disable TCPKeepAlive to prevent TCP spoofing attacks. It is replaced by
+# ClientAliveInterval, which sends a null packet every 60 seconds over the
+# encrypted channel. Unresponsive clients are disconnected after 3 minutes.
+##TCPKeepAlive no
+##ClientAliveInterval 60
+##ClientAliveCountMax 3
+
+# Enable the SSH File Transfer Protocol
+Subsystem sftp /usr/libexec/sftp-server
--
2.6.2
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-11-02 20:10 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-02 20:10 [ptxdist] [PATCH] openssh: harden security options and host keys Clemens Gruber
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox