Re: [PATCH] harden authentication and logging in OpenSSH server configuration

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 4723 bytes --]

Hello Michael,
> Hi,
> 
> I need more explanation to understand and accept this patch. You are very often
> just stating what you are doing but not why.
Okay, thanks for the hint.

The intention here is to solve all items listed at https://bugzilla.ipfire.org/show_bug.cgi?id=11538 .
Some of them are enabled by default already, as you mentioned below, but I do not
consider default values very stable and want to make sure the settings we/I wish
are really applied.

Since the item list in #11538 is quite mixed, I consider it a better idea to send
in a patch for each one so we can argue about each patch separately and the whole
thing does not break down because of one singe patch not being applied. :-)

By the way: There were some commits (updated NRPE, ca-certificates) you merged
the other day. Is there a reason why they are not showing up at Git? Sorry for
being impatient here.

Best regards,
Peter Müller

> 
> On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
>> Update some values in the OpenSSH server configuration at
>> /etc/ssh/sshd_config to secure values. Changes are also applied
>> on existing installations via update.sh script.
>>
>> This partly solves #11538 and performs these changes:
>> - never accept empty passwords for authentication
> 
> That was default. No change needed really.
> 
>> - make sure OpenSSH always logs properly
> 
> What went wrong before?
> 
>> - make sure permissions of .ssh/authorized_keys are checked (StrictModes)
> 
> ACK.
OK.
> 
>> - limit maximum concurring sessions to 5
> 
> ???
> 
>> - make sure custom rhosts files are always ignored
> 
> That was default as well
> 
>> - limit maximum authentication tries to 3
> 
> This is also default.
> 
>> The logging options were not applied during build correctly,
>> which is fixed now. Changes are not expected to break existing
>> systems.
> 
> Expected?
> 
> There is no need to stop the ssh daemon when running the update. That will cause
> that users who are running the update via SSH are losing their connection.
Thanks. Will include that in a second version of this patch.
> 
> A restart at the very end is sufficient.
> 
> -Michael
> 
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
>> ---
>>  config/rootfiles/core/121/update.sh | 12 ++++++++++++
>>  lfs/openssh                         |  9 +++++++--
>>  2 files changed, 19 insertions(+), 2 deletions(-)
>>
>> diff --git a/config/rootfiles/core/121/update.sh
>> b/config/rootfiles/core/121/update.sh
>> index 87d5f6ebd..d3ceb84aa 100644
>> --- a/config/rootfiles/core/121/update.sh
>> +++ b/config/rootfiles/core/121/update.sh
>> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
>>  done
>>  
>>  # Stop services
>> +/etc/init.d/sshd stop
>>  
>>  # Extract files
>>  extract_files
>> @@ -56,8 +57,19 @@ rm -rvf \
>>  	/usr/share/nagios/ \
>>  	/var/nagios/
>>  
>> +# Update SSH configuration
>> +sed -i /etc/ssh/sshd_config \
>> +	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> +	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
>> +	-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
>> +	-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
>> +	-e 's/^#StrictModes .*$/StrictModes yes/' \
>> +	-e 's/^#MaxSessions .*$/MaxSessions 5/' \
>> +	-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
>> +
>>  # Start services
>>  /etc/init.d/apache restart
>> +/etc/init.d/sshd start
>>  
>>  # This update needs a reboot...
>>  touch /var/run/need_reboot
>> diff --git a/lfs/openssh b/lfs/openssh
>> index 203446370..90279ac98 100644
>> --- a/lfs/openssh
>> +++ b/lfs/openssh
>> @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  		-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
>> yes/' \
>>  		-e 's/^#\?UsePAM .*$$//' \
>>  		-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
>> -		-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
>> -		-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
>> +		-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> +		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
>>  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>>  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
>> +		-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
>> +		-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
>> +		-e 's/^#StrictModes .*$/StrictModes yes/' \
>> +		-e 's/^#MaxSessions .*$/MaxSessions 5/' \
>> +		-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
>>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]