Hello Michael, > Hi, > > I need more explanation to understand and accept this patch. You are very often > just stating what you are doing but not why. Okay, thanks for the hint. The intention here is to solve all items listed at https://bugzilla.ipfire.org/show_bug.cgi?id=11538 . Some of them are enabled by default already, as you mentioned below, but I do not consider default values very stable and want to make sure the settings we/I wish are really applied. Since the item list in #11538 is quite mixed, I consider it a better idea to send in a patch for each one so we can argue about each patch separately and the whole thing does not break down because of one singe patch not being applied. :-) By the way: There were some commits (updated NRPE, ca-certificates) you merged the other day. Is there a reason why they are not showing up at Git? Sorry for being impatient here. Best regards, Peter Müller > > On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote: >> Update some values in the OpenSSH server configuration at >> /etc/ssh/sshd_config to secure values. Changes are also applied >> on existing installations via update.sh script. >> >> This partly solves #11538 and performs these changes: >> - never accept empty passwords for authentication > > That was default. No change needed really. > >> - make sure OpenSSH always logs properly > > What went wrong before? > >> - make sure permissions of .ssh/authorized_keys are checked (StrictModes) > > ACK. OK. > >> - limit maximum concurring sessions to 5 > > ??? > >> - make sure custom rhosts files are always ignored > > That was default as well > >> - limit maximum authentication tries to 3 > > This is also default. > >> The logging options were not applied during build correctly, >> which is fixed now. Changes are not expected to break existing >> systems. > > Expected? > > There is no need to stop the ssh daemon when running the update. That will cause > that users who are running the update via SSH are losing their connection. Thanks. Will include that in a second version of this patch. > > A restart at the very end is sufficient. > > -Michael > >> >> Signed-off-by: Peter Müller >> --- >> config/rootfiles/core/121/update.sh | 12 ++++++++++++ >> lfs/openssh | 9 +++++++-- >> 2 files changed, 19 insertions(+), 2 deletions(-) >> >> diff --git a/config/rootfiles/core/121/update.sh >> b/config/rootfiles/core/121/update.sh >> index 87d5f6ebd..d3ceb84aa 100644 >> --- a/config/rootfiles/core/121/update.sh >> +++ b/config/rootfiles/core/121/update.sh >> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do >> done >> >> # Stop services >> +/etc/init.d/sshd stop >> >> # Extract files >> extract_files >> @@ -56,8 +57,19 @@ rm -rvf \ >> /usr/share/nagios/ \ >> /var/nagios/ >> >> +# Update SSH configuration >> +sed -i /etc/ssh/sshd_config \ >> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ >> + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ >> + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ >> + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ >> + -e 's/^#StrictModes .*$/StrictModes yes/' \ >> + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ >> + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' >> + >> # Start services >> /etc/init.d/apache restart >> +/etc/init.d/sshd start >> >> # This update needs a reboot... >> touch /var/run/need_reboot >> diff --git a/lfs/openssh b/lfs/openssh >> index 203446370..90279ac98 100644 >> --- a/lfs/openssh >> +++ b/lfs/openssh >> @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts >> yes/' \ >> -e 's/^#\?UsePAM .*$$//' \ >> -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \ >> - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ >> - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \ >> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ >> + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ >> -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ >> -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ >> + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ >> + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ >> + -e 's/^#StrictModes .*$/StrictModes yes/' \ >> + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ >> + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \ >> -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ >> -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ >> -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \