From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from ptx.hi.pengutronix.de ([2001:67c:670:100:1d::c0] ident=Debian-exim)
	by metis.ext.pengutronix.de with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.80) (envelope-from ) id 1ZNf9p-0006um-AK
	for ptxdist@pengutronix.de; Fri, 07 Aug 2015 12:45:49 +0200
Received: from mol by ptx.hi.pengutronix.de with local (Exim 4.80)
	(envelope-from ) id 1ZNf9o-00075X-Tf
	for ptxdist@pengutronix.de; Fri, 07 Aug 2015 12:45:48 +0200
Date: Fri, 7 Aug 2015 12:45:48 +0200
From: Michael Olbrich
Message-ID: <20150807104548.GA24388@pengutronix.de>
References: <1437170091-7429-1-git-send-email-clemens.gruber@pqgruber.com>
	<20150807101323.GK18141@pengutronix.de>
In-Reply-To: <20150807101323.GK18141@pengutronix.de>
Subject: Re: [ptxdist] [PATCH] openssh: improve rc.once.d script and harden sshd_config
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist"
To: ptxdist@pengutronix.de

On Fri, Aug 07, 2015 at 12:13:23PM +0200, Michael Olbrich wrote:
> On Fri, Jul 17, 2015 at 11:54:51PM +0200, Clemens Gruber wrote:
> > SSH1 config options were removed and a variety of more secure defaults
> > chosen, inspired by the Debian preinit script and their sshd_config.
> > Users can now add other HostKeys to the sshd_config and the openssh
> > rc.once.d script will automatically generate the necessary keys.
> > I also added an option to show the randomart representation of the key
> > to the user.
> >
> > In the sshd_config, all SSH1 related settings were removed and some
> > important options were explicitly enabled.
> > TCPKeepAlive was disabled as it is easily spoofable and a better
> > alternative does exist (ClientAliveInterval).
> > The sandbox mechanism (using seccomp) is used, if available.
>
> I've played with this a bit, but unfortunately I didn't have the time to
> push this forward. And today is my last day before my summer vacation. I
> won't even read the mailing list for the next weeks.
> I've attached my current version of /etc/rc.once.d/openssh. Please take a
> look if that's ok for you too.

Forgot the attachment...

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Content-Disposition: attachment; filename=openssh

#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Print the path from every HostKey directive in sshd_config, one per line.
get_hostkeys() {
	[ -f /etc/ssh/sshd_config ] || return
	sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
}

# The key files sshd will load: the configured HostKeys, or a default pair
# when sshd_config names none.
host_keys_required() {
	hostkeys="$(get_hostkeys)"
	if [ "$hostkeys" ]; then
		echo "$hostkeys"
	else
		# No HostKey directives found, so we pick some defaults
		echo /etc/ssh/ssh_host_ed25519_key
		echo /etc/ssh/ssh_host_rsa_key
	fi
}

# create_key MSG HOSTKEYS FILE [ssh-keygen options...]
# Generate FILE (empty passphrase, as sshd needs) only if HOSTKEYS lists it.
create_key() {
	msg="$1"
	shift
	hostkeys="$1"
	shift
	file="$1"
	shift

	# -x: the whole line must match; -F: the path is a literal, not a regex
	if echo "$hostkeys" | grep -xF "$file" >/dev/null; then
		echo "$msg; this may take some time ..."
		rm -f "$file" && ssh-keygen -q -f "$file" -N '' "$@" || return
		echo "$msg; done."
	fi
}

# Each create_key is a no-op for key types sshd_config does not reference;
# the && chain stops at the first key that fails to generate.
create_keys() {
	hostkeys="$(host_keys_required)"
	create_key "Creating DSA key" \
		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
	create_key "Creating ECDSA key" \
		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
	create_key "Creating ED25519 key" \
		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
	create_key "Creating RSA key" \
		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
}

if ! create_keys; then
	echo "Generating SSH keys failed!"
	exit 1
fi

-- 
ptxdist mailing list
ptxdist@pengutronix.de
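As an added example (it is not part of the ptxdist patch nor of the attached rc.once.d script), the following POSIX sh audit checks an sshd_config against the points raised in the thread: leftover SSH1 settings, TCPKeepAlive versus ClientAliveInterval, the seccomp sandbox, and the HostKey list. The helper names, the two sample configs and the assumption of a flat file with whitespace-separated "Keyword value" lines and no Match blocks are mine; both configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening points discussed in
# the thread. Not the project's script. Assumes (my simplification) a flat
# config, whitespace-separated "Keyword value" lines and no Match blocks.

# sshd_opt FILE KEYWORD: print the effective value of KEYWORD. As in sshd,
# keywords are case-insensitive and the first occurrence wins.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/     { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_hostkeys FILE: HostKey is cumulative, so print every path in order.
sshd_hostkeys() {
    awk '/^[ \t]*#/ { next } tolower($1) == "hostkey" { print $2 }' "$1"
}

# Record one finding; audit_sshd_config returns the total count.
finding() {
    echo "  [!] $1"
    findings=$((findings + 1))
}

# audit_sshd_config FILE: print findings, return their number (0 = clean).
audit_sshd_config() {
    cfg="$1"
    findings=0

    # SSH1: "Protocol ...,1" or SSH1-only keywords mean a stale config.
    case "$(sshd_opt "$cfg" Protocol)" in
        *1*) finding "SSH protocol 1 enabled" ;;
    esac
    for k in KeyRegenerationInterval ServerKeyBits RSAAuthentication \
             RhostsRSAAuthentication; do
        [ -z "$(sshd_opt "$cfg" "$k")" ] || finding "stale SSH1-only keyword: $k"
    done

    # TCP keepalives are plain TCP segments an on-path party can spoof to keep
    # a dead session open; ClientAlive* probes run inside the encrypted
    # channel, so that is the liveness check to rely on.
    [ "$(sshd_opt "$cfg" TCPKeepAlive | tr 'A-Z' 'a-z')" = "no" ] \
        || finding "TCPKeepAlive is not disabled"
    case "$(sshd_opt "$cfg" ClientAliveInterval)" in
        ''|0) finding "ClientAliveInterval unset or 0: no in-band liveness check" ;;
    esac

    # seccomp sandbox for the unprivileged pre-auth process.
    [ "$(sshd_opt "$cfg" UsePrivilegeSeparation | tr 'A-Z' 'a-z')" = "sandbox" ] \
        || finding "UsePrivilegeSeparation is not 'sandbox'"

    # Without a HostKey directive sshd falls back to its compiled-in list.
    [ "$(sshd_hostkeys "$cfg" | grep -c .)" -gt 0 ] \
        || finding "no HostKey directive (sshd will use its built-in defaults)"

    return "$findings"
}

# Constructed sample: the kind of config the patch description replaces.
write_weak_config() {
    cat > "$1" <<'EOF'
Protocol 2,1
KeyRegenerationInterval 3600
ServerKeyBits 1024
RSAAuthentication yes
HostKey /etc/ssh/ssh_host_key
TCPKeepAlive yes
UsePrivilegeSeparation yes
EOF
}

# Constructed sample: the hardened shape described in the patch.
write_hardened_config() {
    cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 3
UsePrivilegeSeparation sandbox
PermitRootLogin no
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_weak_config "$tmp/sshd_config.weak"
write_hardened_config "$tmp/sshd_config.hardened"
for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "  clean" || echo "  $? finding(s)"
done
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; the exit status is the number of findings, which makes it usable from a build-time check in the same way the rc.once.d script is driven. The weak sample yields seven findings, the hardened one none.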