* [PATCH v4 1/2] add hardened SSH server configuration
From: Peter Müller @ 2018-09-10 15:52 UTC (permalink / raw)
To: development
In order to harden the OpenSSH server in IPFire, using the upstream default configuration
and editing it via sed commands in the LFS file is error-prone and does not scale.
Therefore we ship a custom and more secure OpenSSH server configuration which
is copied into the image during build time.
The fourth version of this patch disables password authentication by
default, since this is required by some cloud hosters in order to apply
the image. Further, this method is less secure than pubkey
authentication.
Non-AEAD ciphers have been re-added to provide compatibility with older
RHEL systems.
Fixes #11750
Fixes #11751
Partially fixes #11538
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Cc: Marcel Lorenz <marcel.lorenz(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
---
config/ssh/sshd_config | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 config/ssh/sshd_config
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
new file mode 100644
index 000000000..06329fbde
--- /dev/null
+++ b/config/ssh/sshd_config
@@ -0,0 +1,81 @@
+# ultra-secure OpenSSH server configuration
+
+# only allow version 2 of SSH protocol
+Protocol 2
+
+# listen on port 22 by default
+Port 22
+
+# listen on these interfaces and protocols
+AddressFamily any
+ListenAddress 0.0.0.0
+
+# limit authentication thresholds
+LoginGraceTime 30s
+MaxAuthTries 3
+
+# limit maximum instanctes to prevent DoS
+MaxStartups 5
+
+# ensure proper logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# enforce permission checks before a login is accepted
+# (prevents damage because of hacked systems with world-writeable
+# home directories or similar)
+StrictModes yes
+
+# only allow safe crypto algorithms (may break some _very_ outdated clients)
+# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
+
+# enable data compression after successful login only
+Compression delayed
+
+# only allow cryptographically safe SSH host keys (adjust paths if needed)
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# only allow login via public key by default
+PubkeyAuthentication yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+
+# permit root login as there is no other user in IPFire 2.x
+PermitRootLogin yes
+
+# specify preferred authentication methods (public keys come first)
+AuthenticationMethods publickey,password
+
+# ignore user ~/.rhost* files
+IgnoreRhosts yes
+
+# ignore user known hosts file
+IgnoreUserKnownHosts yes
+
+# ignore user environments
+PermitUserEnvironment no
+
+# do not allow any kind of forwarding (provides only low security)
+# some of them might need to be re-enabled if SSH server is a jump platform
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitTunnel no
+GatewayPorts no
+PermitOpen none
+
+# detect broken sessions by sending keep-alive messages to
+# clients (both via TCP and SSH)
+TCPKeepAlive yes
+ClientAliveInterval 10
+
+# close unresponsive SSH sessions which fail to answer keep-alive
+ClientAliveCountMax 6
+
+# EOF
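Review bot: `AuthenticationMethods publickey,password` cannot be satisfied as written, because a comma-separated list means every listed method must succeed in turn, while `PasswordAuthentication no` a few lines earlier disables the password method; the result is that no client can complete authentication against this file. Either drop the `AuthenticationMethods` line or change it to `AuthenticationMethods publickey`. The comment "public keys come first" reads as if a preference order was intended, but alternatives are expressed with a space-separated list; a comma means AND. Smaller points in the same hunk: `ListenAddress 0.0.0.0` restricts sshd to IPv4 despite `AddressFamily any` (omit the `ListenAddress` line or add `ListenAddress ::` alongside it); `Protocol 2` has been a no-op since protocol 1 server support was removed from OpenSSH; with password authentication disabled, `PermitRootLogin prohibit-password` would express the intent more precisely than `yes`; and "instanctes" in the `MaxStartups` comment is a typo.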
--
2.16.4
* [PATCH v4 2/2] use custom SSH server configuration in LFS file
From: Peter Müller @ 2018-09-10 15:52 UTC (permalink / raw)
To: development
Include OpenSSH server configuration file during build.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
lfs/openssh | 21 ++++-----------------
1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/lfs/openssh b/lfs/openssh
index a88b2d126..d60ec7ce5 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -82,23 +82,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
- sed -i -e 's/^#\?Port .*$$/Port 22/' \
- -e 's/^#\?Protocol .*$$/Protocol 2/' \
- -e 's/^#\?LoginGraceTime .*$$/LoginGraceTime 30s/' \
- -e 's/^#\?PubkeyAuthentication .*$$/PubkeyAuthentication yes/' \
- -e 's/^#\?PasswordAuthentication .*$$/PasswordAuthentication no/' \
- -e 's/^#\?MaxStartups .*$$/MaxStartups 5/' \
- -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \
- -e 's/^#\?UsePAM .*$$//' \
- -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
- -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
- -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
- -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
- -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
- -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
- -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
- -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
- -e 's|^#\?HostKey /etc/ssh/ssh_host_rsa_key$$|HostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key|' \
+
+ # install custom OpenSSH server configuration
+ install -v -m 644 $(DIR_SRC)/config/ssh/sshd_config \
/etc/ssh/sshd_config
+
@rm -rf $(DIR_APP)
@$(POSTBUILD)
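Review bot: the `# install custom OpenSSH server configuration` line is part of the recipe (it is indented like the `install` command that follows), so make passes it to the shell and echoes it on every build instead of treating it as a Makefile comment; either move the comment above the recipe or prefix it with `@`. It is also worth stating in the commit message that `install -v -m 644 $(DIR_SRC)/config/ssh/sshd_config /etc/ssh/sshd_config` overwrites the default `sshd_config` that the preceding `make install` places there, since that is what makes the removed `UsePAM` and `ssh_host_dsa_key` sed edits unnecessary, and that this patch depends on 1/2 having added `config/ssh/sshd_config` first.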
--
2.16.4
* Re: [PATCH v4 1/2] add hardened SSH server configuration
From: Peter Müller @ 2018-09-12 17:52 UTC (permalink / raw)
To: development
Hello,
I take by the silence that there are still some unsolved questions about
this. If this assumption is true, please ask them. :-)
Thank you, and best regards,
Peter Müller
> In order to harden the OpenSSH server in IPFire, using the upstream default configuration
> and editing it via sed commands in the LFS file is error-prone and does not scale.
>
> Therefore we ship a custom and more secure OpenSSH server configuration which
> is copied into the image during build time.
>
> The fourth version of this patch disables password authentication by
> default, since this is required by some cloud hosters in order to apply
> the image. Further, this method is less secure than pubkey
> authentication.
>
> Non-AEAD ciphers have been re-added to provide compatibility with older
> RHEL systems.
>
> Fixes #11750
> Fixes #11751
> Partially fixes #11538
>
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> Cc: Marcel Lorenz <marcel.lorenz(a)ipfire.org>
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/ssh/sshd_config | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 81 insertions(+)
> create mode 100644 config/ssh/sshd_config
>
> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
> new file mode 100644
> index 000000000..06329fbde
> --- /dev/null
> +++ b/config/ssh/sshd_config
> @@ -0,0 +1,81 @@
> +# ultra-secure OpenSSH server configuration
> +
> +# only allow version 2 of SSH protocol
> +Protocol 2
> +
> +# listen on port 22 by default
> +Port 22
> +
> +# listen on these interfaces and protocols
> +AddressFamily any
> +ListenAddress 0.0.0.0
> +
> +# limit authentication thresholds
> +LoginGraceTime 30s
> +MaxAuthTries 3
> +
> +# limit maximum instanctes to prevent DoS
> +MaxStartups 5
> +
> +# ensure proper logging
> +SyslogFacility AUTH
> +LogLevel INFO
> +
> +# enforce permission checks before a login is accepted
> +# (prevents damage because of hacked systems with world-writeable
> +# home directories or similar)
> +StrictModes yes
> +
> +# only allow safe crypto algorithms (may break some _very_ outdated clients)
> +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
> +KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256
> +Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> +MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
> +
> +# enable data compression after successful login only
> +Compression delayed
> +
> +# only allow cryptographically safe SSH host keys (adjust paths if needed)
> +HostKey /etc/ssh/ssh_host_ed25519_key
> +HostKey /etc/ssh/ssh_host_ecdsa_key
> +HostKey /etc/ssh/ssh_host_rsa_key
> +
> +# only allow login via public key by default
> +PubkeyAuthentication yes
> +PasswordAuthentication no
> +ChallengeResponseAuthentication no
> +PermitEmptyPasswords no
> +
> +# permit root login as there is no other user in IPFire 2.x
> +PermitRootLogin yes
> +
> +# specify preferred authentication methods (public keys come first)
> +AuthenticationMethods publickey,password
> +
> +# ignore user ~/.rhost* files
> +IgnoreRhosts yes
> +
> +# ignore user known hosts file
> +IgnoreUserKnownHosts yes
> +
> +# ignore user environments
> +PermitUserEnvironment no
> +
> +# do not allow any kind of forwarding (provides only low security)
> +# some of them might need to be re-enabled if SSH server is a jump platform
> +X11Forwarding no
> +AllowTcpForwarding no
> +AllowAgentForwarding no
> +PermitTunnel no
> +GatewayPorts no
> +PermitOpen none
> +
> +# detect broken sessions by sending keep-alive messages to
> +# clients (both via TCP and SSH)
> +TCPKeepAlive yes
> +ClientAliveInterval 10
> +
> +# close unresponsive SSH sessions which fail to answer keep-alive
> +ClientAliveCountMax 6
> +
> +# EOF
>
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq