From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
Date: Fri, 7 Aug 2015 12:13:23 +0200
Message-ID: <20150807101323.GK18141@pengutronix.de>
In-Reply-To: <1437170091-7429-1-git-send-email-clemens.gruber@pqgruber.com>
On Fri, Jul 17, 2015 at 11:54:51PM +0200, Clemens Gruber wrote:
> SSH1 config options were removed and a variety of more secure defaults
> chosen, inspired by the Debian preinit script and their sshd_config.
> Users can now add other HostKeys to the sshd_config and the openssh
> rc.once.d script will automatically generate the necessary keys.
> I also added an option to show the randomart representation of the key
> to the user.
>
> In the sshd_config, all SSH1 related settings were removed and some
> important options were explicitly enabled.
> TCPKeepAlive was disabled as it is easily spoofable and a better
> alternative does exist (ClientAliveInterval).
> The sandbox mechanism (using seccomp) is used, if available.
I've played with this a bit, but unfortunately I didn't have the time to
push this forward. And today is my last day before my summer vacation. I
won't even read the mailing list for the next weeks.
I've attached my current version of /etc/rc.once.d/openssh. Please take a
look if that's ok for you too.
Also, can you base projectroot/etc/ssh/sshd_config on the latest example
installed by openssh (.../packages/openssh-6.9p1/etc/ssh/sshd_config), that
will make the actual changes more obvious.
Michael
> Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
> ---
> projectroot/etc/rc.once.d/openssh | 69 ++++++++++++++++++++++------------
> projectroot/etc/ssh/sshd_config | 79 ++++++++++++++-------------------------
> 2 files changed, 74 insertions(+), 74 deletions(-)
>
> diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
> index 83e6e37..df5f667 100644
> --- a/projectroot/etc/rc.once.d/openssh
> +++ b/projectroot/etc/rc.once.d/openssh
> @@ -2,32 +2,55 @@
>
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>
> -OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
> -OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
> -
> -test -n "$OPENSSH_RSAKEY" || \
> - OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
> -test -n "$OPENSSH_DSAKEY" || \
> - OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
> -
> -gen_key() {
> -
> - key_type=$1
> - key_file=$2
> -
> - rm -f $key_file > /dev/null 2>&1
> -
> - echo -n "generating $key_type key..."
> - ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
> +get_hostkeys() {
> + [ -f /etc/ssh/sshd_config ] || return
> + grep "^HostKey" /etc/ssh/sshd_config | sed "s/^HostKey //g"
> +}
>
> - if [ "$?" = "0" ]; then
> - echo "done"
> +host_keys_required() {
> + hostkeys="$(get_hostkeys)"
> + if [ "$hostkeys" ]; then
> + echo "$hostkeys"
> else
> - echo "failed"
> - exit 1
> + # No HostKey directives found, so we pick some defaults
> + echo /etc/ssh/ssh_host_ed25519_key
> + echo /etc/ssh/ssh_host_rsa_key
> fi
> }
>
> -gen_key rsa "$OPENSSH_RSAKEY"
> -gen_key dsa "$OPENSSH_DSAKEY"
> +create_key() {
> + msg="$1"
> + shift
> + hostkeys="$1"
> + shift
> + file="$1"
> + shift
> +
> + if echo "$hostkeys" | grep -x "$file" >/dev/null && \
> + [ ! -f "$file" ] ; then
> + echo -n $msg
> + rm -f $file > /dev/null 2>&1
> + ssh-keygen -q -f "$file" -N '' "$@"
> + echo
> + if which restorecon >/dev/null 2>&1; then
> + restorecon "$file" "$file.pub"
> + fi
> + ssh-keygen -lv -f "$file.pub"
> + fi
> +}
> +
> +create_keys() {
> + hostkeys="$(host_keys_required)"
> +
> + create_key "Creating DSA key; this may take some time ..." \
> + "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
> + create_key "Creating ECDSA key; this may take some time ..." \
> + "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
> + create_key "Creating ED25519 key; this may take some time ..." \
> + "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
> + create_key "Creating RSA key; this may take some time ..." \
> + "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
> +}
> +
> +create_keys
>
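Review bot: create_key() drops the error handling that the old gen_key() had. The `exit 1` after a failed `ssh-keygen` is gone, so when key generation fails (read-only or missing /etc/ssh, a key type the build does not support) the script prints nothing useful, the following `ssh-keygen -lv -f "$file.pub"` fails on a file that does not exist, and the rc.once.d script still exits 0 with sshd left without a host key. Suggest checking the result, e.g. `ssh-keygen -q -f "$file" -N '' "$@" || { echo " failed"; exit 1; }`. Two smaller points in the same hunk: `grep "^HostKey"` in get_hostkeys() also matches other directives whose name starts with HostKey (e.g. HostKeyAgent) and misses an indented or tab-separated HostKey line, so the `sed` leaves junk in the key list; matching on the first field, `awk '$1 == "HostKey" { print $2 }' /etc/ssh/sshd_config`, is more robust. And the commit message says the randomart is shown as an option, but `ssh-keygen -lv` runs unconditionally here; either make it conditional or reword the message. Note also that OpenSSH 7.0 disables ssh-dss host keys by default, so the DSA entry in create_keys() only matters for a config that explicitly lists ssh_host_dsa_key.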
> diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
> index 7cd7897..c637aa1 100644
> --- a/projectroot/etc/ssh/sshd_config
> +++ b/projectroot/etc/ssh/sshd_config
> @@ -1,53 +1,30 @@
> -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
> -
> -# This is the sshd server system-wide configuration file. See
> -# sshd_config(5) for more information.
> -
> -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> -
> -# The strategy used for options in the default sshd_config shipped with
> -# OpenSSH is to specify options with their default value where
> -# possible, but leave them commented. Uncommented options change a
> -# default value.
> +# OpenSSH server system-wide configuration
> +# See the sshd_config manpage for details
>
> Port 22
> -Protocol 2
> -#AddressFamily any
> -#ListenAddress 0.0.0.0
> #ListenAddress ::
> +#ListenAddress 0.0.0.0
>
> -# HostKey for protocol version 1
> -#HostKey /etc/ssh/ssh_host_key
> -# HostKeys for protocol version 2
> +# HostKeys
> +HostKey /etc/ssh/ssh_host_ed25519_key
> HostKey /etc/ssh/ssh_host_rsa_key
> -HostKey /etc/ssh/ssh_host_dsa_key
> -
> -# Lifetime and size of ephemeral version 1 server key
> -#KeyRegenerationInterval 1h
> -#ServerKeyBits 768
>
> # Logging
> -# obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> -# Authentication:
> -
> -#LoginGraceTime 2m
> +# Authentication
> +LoginGraceTime 1m
> PermitRootLogin yes
> -#StrictModes yes
> -#MaxAuthTries 6
> +StrictModes yes
>
> -#RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> -#RhostsRSAAuthentication no
> -# similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> -# RhostsRSAAuthentication and HostbasedAuthentication
> +# HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
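Review bot: `PermitRootLogin yes` is left untouched in a patch titled "harden sshd_config". With OpenSSH 6.9, `PermitRootLogin without-password` keeps root access for key-based logins while refusing password authentication for root, which removes the password-guessing surface on the one account every attacker knows exists; if the board's workflow really needs a root password login, a comment in the file saying so would help the next reader. Also, `#MaxAuthTries 6` is dropped from the commented defaults and nothing replaces it; since the patch already makes other settings explicit (LoginGraceTime 1m, StrictModes yes), MaxAuthTries is worth an explicit value too. The swapped order of the two commented ListenAddress lines is pure churn and disappears once the file is rebased on the 6.9p1 example as requested above.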
> @@ -63,7 +40,6 @@ PermitRootLogin yes
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> -#KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> @@ -79,27 +55,28 @@ PermitRootLogin yes
> # ChallengeResponseAuthentication=no
> #UsePAM no
>
> -#AllowTcpForwarding yes
> -#GatewayPorts no
> +# Privilege separation is turned on for increased security
> +UsePrivilegeSeparation sandbox
> +
> +# Compression is delayed until the user has authenticated
> +Compression delayed
> +
> +# TCPKeepAlive is spoofable, use ClientAliveInterval instead
> +TCPKeepAlive no
> +# Disconnect clients after not responding over the encrypted channel for 3 min.
> +ClientAliveInterval 60
> +ClientAliveCountMax 3
> +
> #X11Forwarding no
> #X11DisplayOffset 10
> -#X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> -#TCPKeepAlive yes
> #UseLogin no
> -#UsePrivilegeSeparation yes
> -#PermitUserEnvironment no
> -#Compression delayed
> -#ClientAliveInterval 0
> -#ClientAliveCountMax 3
> -#UseDNS yes
> -#PidFile /var/run/sshd.pid
> -#MaxStartups 10
> -#PermitTunnel no
> -
> -# no default banner path
> -#Banner /some/path
> -
> -# override default of no subsystems
> +
> +#MaxStartups 10:30:60
> +#Banner /etc/issue
> +
> +# Allow clients to pass locale environment variables
> +#AcceptEnv LANG LC_*
> +
> Subsystem sftp /usr/sbin/sftp-server
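Review bot: this hunk deletes the commented `#AllowTcpForwarding yes`, `#GatewayPorts no`, `#PermitTunnel no`, `#PermitUserEnvironment no` and `#UseDNS yes` lines without taking a position on them, which hides exactly the knobs a hardening patch should decide explicitly: `AllowTcpForwarding no` and `PermitTunnel no` unless the product needs forwarding, and `UseDNS no` on an embedded target where reverse lookups only add login delay and no security. Keep them uncommented with the chosen value rather than removing them. The comment above ClientAliveInterval is consistent (60 s × ClientAliveCountMax 3 = 3 min), but "not responding over the encrypted channel" reads clearer as "after 3 missed keep-alive probes". Smaller point: `#Banner /etc/issue` points at a getty banner that commonly contains \n and \l style escapes which sshd prints literally; a dedicated /etc/issue.net is the usual choice.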
> --
> 2.4.6
>
>
> --
> ptxdist mailing list
> ptxdist@pengutronix.de
--
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |