From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH] harden authentication and logging in OpenSSH server configuration Date: Sun, 29 Apr 2018 11:16:42 +0200 Message-ID: <45328527-782f-5737-5207-ca6936b5ece7@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6614158602024352269==" List-Id: --===============6614158602024352269== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via update.sh script. This partly solves #11538 and performs these changes: - never accept empty passwords for authentication - make sure OpenSSH always logs properly - make sure permissions of .ssh/authorized_keys are checked (StrictModes) - limit maximum concurring sessions to 5 - make sure custom rhosts files are always ignored - limit maximum authentication tries to 3 The logging options were not applied during build correctly, which is fixed now. Changes are not expected to break existing systems. Signed-off-by: Peter M=C3=BCller --- config/rootfiles/core/121/update.sh | 12 ++++++++++++ lfs/openssh | 9 +++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/= update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=3D1; i<=3D$core; i++ )); do done =20 # Stop services +/etc/init.d/sshd stop =20 # Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/ =20 +# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' + # Start services /etc/init.d/apache restart +/etc/init.d/sshd start =20 # This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#\?UsePAM .*$$//' \ -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \ - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \ --=20 2.13.6 --===============6614158602024352269==--