From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] harden authentication and logging in OpenSSH server configuration
Date: Tue, 01 May 2018 14:27:38 +0200
Message-ID: <1fc21eb8-0b6d-ae7d-a371-cfd3f4aa15c7@link38.eu>
In-Reply-To: <1525086462.2479471.128.camel@ipfire.org>

Hello Michael,

> Hi,
>
> I need more explanation to understand and accept this patch. You are very often
> just stating what you are doing but not why.

Okay, thanks for the hint.

The intention here is to solve all items listed at
https://bugzilla.ipfire.org/show_bug.cgi?id=11538 .
Some of them are enabled by default already, as you mentioned below, but I do not
consider default values very stable and want to make sure the settings we/I wish
are really applied.

Since the item list in #11538 is quite mixed, I consider it a better idea to
send in a patch for each one so we can argue about each patch separately and the whole
thing does not break down because of one single patch not being applied. :-)

By the way: There were some commits (updated NRPE, ca-certificates) you merged
the other day. Is there a reason why they are not showing up in Git?
Sorry for being impatient here.

Best regards,
Peter Müller

>
> On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
>> Update some values in the OpenSSH server configuration at
>> /etc/ssh/sshd_config to secure values. Changes are also applied
>> on existing installations via update.sh script.
>>
>> This partly solves #11538 and performs these changes:
>> - never accept empty passwords for authentication
>
> That was default. No change needed really.
>
>> - make sure OpenSSH always logs properly
>
> What went wrong before?
>
>> - make sure permissions of .ssh/authorized_keys are checked (StrictModes)
>
> ACK. OK.
>
>> - limit maximum concurring sessions to 5
>
> ???
>
>> - make sure custom rhosts files are always ignored
>
> That was default as well
>
>> - limit maximum authentication tries to 3
>
> This is also default.
>
>> The logging options were not applied during build correctly,
>> which is fixed now. Changes are not expected to break existing
>> systems.
>
> Expected?
>
> There is no need to stop the ssh daemon when running the update. That will cause
> that users who are running the update via SSH are losing their connection.

Thanks. Will include that in a second version of this patch.

>
> A restart at the very end is sufficient.
>
> -Michael
>
>>
>> Signed-off-by: Peter Müller
>> ---
>> config/rootfiles/core/121/update.sh | 12 ++++++++++++
>> lfs/openssh | 9 +++++++--
>> 2 files changed, 19 insertions(+), 2 deletions(-)
>>
>> diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
>> index 87d5f6ebd..d3ceb84aa 100644
>> --- a/config/rootfiles/core/121/update.sh
>> +++ b/config/rootfiles/core/121/update.sh
>> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
>> done
>>
>> # Stop services
>> +/etc/init.d/sshd stop
>>
>> # Extract files
>> extract_files
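Review bot: `/etc/init.d/sshd stop` under `# Stop services`, ahead of `extract_files`, terminates the session of an administrator who runs this update over SSH and leaves the box without a listening sshd until the `start` much later in the script. The daemon only needs to pick up the new sshd_config once the sed edit has run, so drop this line and restart sshd a single time at the very end of the script instead.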
>> @@ -56,8 +57,19 @@ rm -rvf \
>> /usr/share/nagios/ \
>> /var/nagios/
>>
>> +# Update SSH configuration
>> +sed -i /etc/ssh/sshd_config \
>> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> + -e 's/^#LogLevel INFO$/LogLevel INFO/' \
>> + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
>> + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
>> + -e 's/^#StrictModes .*$/StrictModes yes/' \
>> + -e 's/^#MaxSessions .*$/MaxSessions 5/' \
>> + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
>> +
>> # Start services
>> /etc/init.d/apache restart
>> +/etc/init.d/sshd start
>>
>> # This update needs a reboot...
>> touch /var/run/need_reboot
>> diff --git a/lfs/openssh b/lfs/openssh
>> index 203446370..90279ac98 100644
>> --- a/lfs/openssh
>> +++ b/lfs/openssh
>> @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
>> yes/' \
>> -e 's/^#\?UsePAM .*$$//' \
>> -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
>> - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
>> - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
>> + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> + -e 's/^#LogLevel INFO$/LogLevel INFO/' \
>> -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>> -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
>> + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
>> + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
>> + -e 's/^#StrictModes .*$/StrictModes yes/' \
>> + -e 's/^#MaxSessions .*$/MaxSessions 5/' \
>> + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
>> -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>> -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>> -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
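Review bot: the sed expressions in the `# Update SSH configuration` block of update.sh only rewrite lines that still carry the comment prefix (`^#MaxAuthTries .*$`, `^#StrictModes .*$`, `^#MaxSessions .*$`, ...), so on an installation where an administrator has already uncommented one of these directives with another value, the update leaves that line untouched, the setting is not enforced, and nothing in the script notices. Use the `^#\?Keyword .*$` form that the lfs/openssh rules already use so both the commented default and an active line are rewritten, and consider validating the result with `sshd -t` before the daemon is restarted. Also, `/etc/init.d/sshd start` after `/etc/init.d/apache restart` only makes sense together with the `stop` at the top of the script; once that is dropped, this line should become a restart at the very end, as discussed above.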
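Review bot: the added sed lines in lfs/openssh use a single `$` as the end-of-line anchor (`'s/^#SyslogFacility AUTH$/SyslogFacility AUTH/'`, `'s/^#MaxAuthTries .*$/MaxAuthTries 3/'`, and the other five), but this recipe lives in a Makefile and every neighbouring rule writes `$$`: make expands `$/` to the (empty) value of a variable named `/`, so sed receives `s/^#SyslogFacility AUTHSyslogFacility AUTH/` with no closing delimiter and the build's sed call fails. Double each `$` to `$$` as in the surrounding lines. Dropping the `\?` from the new patterns (`^#SyslogFacility AUTH$` next to the existing `^#\?...` rules) additionally means a line that is already active is skipped; `^#\?SyslogFacility .*$$` is both the file's existing style and more robust. On a side point, `MaxSessions 5` limits open sessions per network connection, not the number of concurrent logins, which may be what the "???" above is asking.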
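The settings the patch wants to be "really applied" can be enforced and then checked from the shell regardless of whether a directive is still the commented default, already active with another value, or missing from the file. The following is an added example and not IPFire's update.sh or lfs/openssh code; the function names, the HARDENING list and the sample config are constructed for it, and it assumes GNU sed (for -i, -E and the I flag) and an sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example (not IPFire code): enforce sshd_config directives
# idempotently and verify the effective values afterwards.
# Assumes GNU sed and a config without Match blocks.

# Directives to enforce (constructed list, mirrors the patch).
HARDENING='SyslogFacility AUTH
LogLevel INFO
PermitEmptyPasswords no
MaxAuthTries 3
StrictModes yes
MaxSessions 5
IgnoreRhosts yes'

# Rewrite every line for the directive, whether it is the commented
# default ("#MaxAuthTries 6"), already active ("MaxAuthTries 6") or
# indented; sshd keywords are case-insensitive, so match them that way.
# Append the directive if no such line exists at all.
set_sshd_option() {
    _file="$1"; _key="$2"; _value="$3"
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${_key}[[:space:]]" "$_file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${_key}[[:space:]].*$|${_key} ${_value}|I" "$_file"
    else
        printf '%s %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# sshd applies the first active occurrence of a keyword, so that is the
# value we report (empty if the directive is unset or only commented).
sshd_option_value() {
    _k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v k="$_k" 'tolower($1) == k { print $2; exit }' "$1"
}

harden_sshd_config() {
    while read -r _key _value; do
        set_sshd_option "$1" "$_key" "$_value"
    done <<EOF
$HARDENING
EOF
}

# Returns 0 when every directive resolves to the wanted value, 1 otherwise.
check_sshd_config() {
    _rc=0
    while read -r _key _value; do
        _got="$(sshd_option_value "$1" "$_key")"
        if [ "$_got" != "$_value" ]; then
            echo "FAIL: $_key is '${_got:-unset}', expected '$_value'" >&2
            _rc=1
        fi
    done <<EOF
$HARDENING
EOF
    return "$_rc"
}

# Constructed sample (not a real sshd_config): one directive already active
# with a weaker value, one missing entirely, the rest commented defaults.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
Port 22
#SyslogFacility AUTH
#LogLevel INFO
MaxAuthTries 6
#StrictModes yes
#MaxSessions 10
#IgnoreRhosts yes
EOF
}

# Stand-alone demo on the sample; a real run would target
# /etc/ssh/sshd_config and finish with "sshd -t" and "sshd -T".
demo_sshd_hardening() {
    _tmp="$(mktemp)"
    write_sample_config "$_tmp"
    check_sshd_config "$_tmp" || echo "before: not enforced (expected)"
    harden_sshd_config "$_tmp"
    check_sshd_config "$_tmp" && echo "after: all directives enforced"
    rm -f "$_tmp"
}
demo_sshd_hardening
```

On a live system, run `harden_sshd_config /etc/ssh/sshd_config`, then `sshd -t` to syntax-check the file and `sshd -T` to dump the effective configuration before restarting the daemon; `sshd -T` is the authoritative check, since it resolves defaults and first-occurrence-wins the way the running server does.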