mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
Date: Fri, 7 Aug 2015 12:45:48 +0200
Message-ID: <20150807104548.GA24388@pengutronix.de>
In-Reply-To: <20150807101323.GK18141@pengutronix.de>


On Fri, Aug 07, 2015 at 12:13:23PM +0200, Michael Olbrich wrote:
> On Fri, Jul 17, 2015 at 11:54:51PM +0200, Clemens Gruber wrote:
> > SSH1 config options were removed and a variety of more secure defaults
> > chosen, inspired by the Debian preinit script and their sshd_config.
> > Users can now add other HostKeys to the sshd_config and the openssh
> > rc.once.d script will automatically generate the necessary keys.
> > I also added an option to show the randomart representation of the key
> > to the user.
> > 
> > In the sshd_config, all SSH1 related settings were removed and some
> > important options were explicitly enabled.
> > TCPKeepAlive was disabled as it is easily spoofable and a better
> > alternative does exist (ClientAliveInterval).
> > The sandbox mechanism (using seccomp) is used, if available.
> 
> 
> I've played with this a bit, but unfortunately I didn't have the time to
> push this forward. And today is my last day before my summer vacation. I
> won't even read the mailing list for the next weeks.
> I've attached my current version of /etc/rc.once.d/openssh. Please take a
> look if that's ok for you too.

Forgot the attachment...

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

[-- Attachment #2: openssh --]

#!/bin/sh
# /etc/rc.once.d/openssh: generate the host keys that sshd_config refers to.
# Runs once, on first boot, before sshd is started.

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Print the path of every HostKey directive in sshd_config, one per line.
get_hostkeys() {
	[ -f /etc/ssh/sshd_config ] || return
	sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
}

# The keys to generate: the configured HostKeys, or ed25519 and RSA when the
# config lists none.
host_keys_required() {
	hostkeys="$(get_hostkeys)"
	if [ "$hostkeys" ]; then
		echo "$hostkeys"
	else
		# No HostKey directives found, so we pick some defaults
		echo /etc/ssh/ssh_host_ed25519_key
		echo /etc/ssh/ssh_host_rsa_key
	fi
}

# create_key <message> <hostkey list> <file> [ssh-keygen options...]
# Generate <file> only if it appears in the list; the remaining arguments are
# passed on to ssh-keygen.
create_key() {
	msg="$1"
	shift
	hostkeys="$1"
	shift
	file="$1"
	shift

	# -F compares the path literally, so a '.' in the name is not a regex wildcard
	if echo "$hostkeys" | grep -Fx "$file" >/dev/null; then
		echo "$msg; this may take some time ..."
		rm -f "$file" &&
		ssh-keygen -q -f "$file" -N '' "$@" || return
		echo "$msg; done."
	fi
}

# Every key type the config may name; create_key skips the ones not listed.
create_keys() {
	hostkeys="$(host_keys_required)"

	create_key "Creating DSA key" \
		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
	create_key "Creating ECDSA key" \
		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
	create_key "Creating ED25519 key" \
		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
	create_key "Creating RSA key" \
		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
}

if ! create_keys; then
	echo "Generating SSH keys failed!"
	exit 1
fi
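The patch description lists the sshd_config hardening points (SSH1 directives removed, TCPKeepAlive replaced by ClientAliveInterval, the seccomp sandbox enabled). The following is an added example, not part of the patch or of ptxdist: a POSIX sh audit that checks a config text for exactly those points, run over two constructed sample configs; the directive names are real OpenSSH options of that era, and the audit function and sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the patch or ptxdist): audit sshd_config text for the
# hardening points in the patch description; sample configs below are constructed.
# Effective value of directive $1 in config text $2 (sshd takes the first match,
# case-insensitively); prints nothing when the directive is unset.
sshd_value() {
	printf '%s\n' "$2" | awk -v key="$1" \
		'tolower($1) == tolower(key) { print $2; exit }'
}

# Print one finding per line; the return value is the number of findings.
audit_sshd_config() {
	cfg="$1"; n=0
	# SSH1-only directives: if any is set, the config still targets protocol 1.
	for d in KeyRegenerationInterval ServerKeyBits RSAAuthentication \
		RhostsRSAAuthentication; do
		[ -z "$(sshd_value "$d" "$cfg")" ] || { echo "SSH1 directive: $d"; n=$((n+1)); }
	done
	case "$(sshd_value Protocol "$cfg")" in
		""|2) ;;   # unset defaults to protocol 2 in modern sshd
		*) echo "Protocol permits SSH1"; n=$((n+1)) ;;
	esac
	# TCP keepalives are unauthenticated and spoofable; ClientAlive probes run
	# inside the encrypted channel, so both halves of the swap are checked.
	[ "$(sshd_value TCPKeepAlive "$cfg")" = no ] || { echo "TCPKeepAlive not disabled"; n=$((n+1)); }
	[ -n "$(sshd_value ClientAliveInterval "$cfg")" ] || { echo "ClientAliveInterval unset"; n=$((n+1)); }
	[ "$(sshd_value UsePrivilegeSeparation "$cfg")" = sandbox ] || { echo "seccomp sandbox not enabled"; n=$((n+1)); }
	return "$n"
}

# Constructed "before" config: SSH1 leftovers, keepalives on, no sandbox.
WEAK_CONFIG='Protocol 2,1
HostKey /etc/ssh/ssh_host_rsa_key
KeyRegenerationInterval 1h
ServerKeyBits 1024
RSAAuthentication yes
TCPKeepAlive yes
UsePrivilegeSeparation yes'

# Constructed hardened config along the lines of the patch description.
HARDENED_CONFIG='Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2
UsePrivilegeSeparation sandbox'
echo "== weak =="; audit_sshd_config "$WEAK_CONFIG" || echo "findings: $?"
echo "== hardened =="; audit_sshd_config "$HARDENED_CONFIG" && echo "findings: 0"
```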

