mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH v2] openssh: harden security options and host keys
Date: Mon,  2 Nov 2015 21:15:35 +0100	[thread overview]
Message-ID: <1446495335-22071-1-git-send-email-clemens.gruber@pqgruber.com> (raw)

The rc.once.d script generates the host keys which are enabled in
the ssd_config file.
Ed25519 and RSA are the default host key signature algorithms as
both do not solely rely upon good entropy sources.
DSA and ECDSA are not recommended on embedded systems.
The SSH configuration is hardened: Enabled sandboxing, reduced
login grace time, strict mode, etc.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---

Changes from v1:
Corrected a mistake in the sftp path.

---
 projectroot/etc/rc.once.d/openssh | 68 ++++++++++++++++++----------
 projectroot/etc/ssh/sshd_config   | 95 ++++++++++++++++++++++-----------------
 2 files changed, 97 insertions(+), 66 deletions(-)

diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..6ed3b23 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -1,33 +1,53 @@
 #!/bin/sh
 
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
 
-OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
-
-test -n "$OPENSSH_RSAKEY" || \
-	OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
-	OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
-
-gen_key() {
-
-	key_type=$1
-	key_file=$2
-
-	rm -f $key_file > /dev/null 2>&1
-
-	echo -n "generating $key_type key..."
-	ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
+get_hostkeys() {
+	[ -f /etc/ssh/sshd_config ] || return
+	sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
+}
 
-	if [ "$?" = "0" ]; then
-		echo "done"
+host_keys_required() {
+	hostkeys="$(get_hostkeys)"
+	if [ "$hostkeys" ]; then
+		echo "$hostkeys"
 	else
-		echo "failed"
-		exit 1
+		# No HostKey directives found, so we pick secure defaults
+		echo /etc/ssh/ssh_host_ed25519_key
+		echo /etc/ssh/ssh_host_rsa_key
 	fi
 }
 
-gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+create_key() {
+	msg="$1"
+	shift
+	hostkeys="$1"
+	shift
+	file="$1"
+	shift
+
+	if echo "$hostkeys" | grep -x "$file" >/dev/null; then
+		echo "$msg; this may take some time ..."
+		rm -f $file &&
+		ssh-keygen -q -f "$file" -N '' "$@" || return
+		echo "$msg; done."
+	fi
+}
+
+create_keys() {
+	hostkeys="$(host_keys_required)"
+
+	create_key "Creating DSA key" \
+		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
+	create_key "Creating ECDSA key" \
+		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
+	create_key "Creating ED25519 key" \
+		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
+	create_key "Creating RSA key" \
+		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+}
 
+if ! create_keys; then
+	echo "Generating SSH keys failed!"
+	exit 1
+fi
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897..80ce580 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,53 +1,52 @@
-#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This is the sshd server system-wide configuration file.
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
+# possible, but leave them commented. Uncommented options override the
 # default value.
+# Alternative options which are not on by default are commented out with ##.
+
+# Note: Only SSH protocol version 2 is supported.
 
-Port 22
-Protocol 2
+#Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
+# Host keys
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
+# DSA and ECDSA host keys (Not recommended)
+##HostKey /etc/ssh/ssh_host_dsa_key
+##HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Ciphers and keying
+#RekeyLimit default none
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 
 # Authentication:
-
-#LoginGraceTime 2m
+LoginGraceTime 1m
 PermitRootLogin yes
-#StrictModes yes
+StrictModes yes
 #MaxAuthTries 6
+#MaxSessions 10
 
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile	.ssh/authorized_keys
+
+AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+#AuthorizedPrincipalsFile none
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
@@ -68,38 +67,50 @@ PermitRootLogin yes
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing, 
-# and session processing. If this is enabled, PAM authentication will 
-# be allowed through the ChallengeResponseAuthentication mechanism. 
-# Depending on your PAM configuration, this may bypass the setting of 
-# PasswordAuthentication, PermitEmptyPasswords, and 
-# "PermitRootLogin without-password". If you just want the PAM account and 
-# session checks to run without PAM authentication, then enable this but set 
-# ChallengeResponseAuthentication=no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 
+#AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+#PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
-#UseDNS yes
+#UseDNS no
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+MaxStartups 10:30:60
 #PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem	sftp	/usr/sbin/sftp-server
+#ChrootDirectory none
+#VersionAddendum none
+#Banner none
+
+# Disable TCPKeepAlive to prevent TCP spoofing attacks. It is replaced by
+# ClientAliveInterval, which sends a null packet every 60 seconds over the
+# encrypted channel. Unresponsive clients are disconnected after 3 minutes.
+##TCPKeepAlive no
+##ClientAliveInterval 60
+##ClientAliveCountMax 3
+
+# Enable the SSH File Transfer Protocol
+Subsystem sftp /usr/sbin/sftp-server
-- 
2.6.2


-- 
ptxdist mailing list
ptxdist@pengutronix.de

                 reply	other threads:[~2015-11-02 20:16 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1446495335-22071-1-git-send-email-clemens.gruber@pqgruber.com \
    --to=clemens.gruber@pqgruber.com \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox