From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 2/3] enable "StrictModes" for OpenSSH Date: Tue, 01 May 2018 14:43:52 +0200 Message-ID: <49166866-c3a2-06a4-dae9-21784c9c88ae@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3748713700018993885==" List-Id: --===============3748713700018993885== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Always make sure permissions of .ssh/authorized_keys are checked. This prevents word-writeable keyfiles from being processed, reducing attack surface after misconfiguration. Partially addresses #11538 and depends on patch 1/3. Signed-off-by: Peter M=C3=BCller --- config/rootfiles/core/121/update.sh | 3 ++- lfs/openssh | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/= update.sh index 5b8f2c86e..3ec251292 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -59,7 +59,8 @@ rm -rvf \ # Update SSH configuration sed -i /etc/ssh/sshd_config \ -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ - -e 's/^#LogLevel INFO$/LogLevel INFO/' + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' =20 # Start services /etc/init.d/sshd restart diff --git a/lfs/openssh b/lfs/openssh index 46561953d..7e8468ac9 100644 --- a/lfs/openssh +++ b/lfs/openssh 
@@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \ --=20 2.13.6 --===============3748713700018993885== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjIKCmlRSWNCQUVC Q2dBR0JRSmE2R0VJQUFvSkVObEk4Zzk5ZTU5bzd4QVFBS2lFZlo4U1dpcEpGU1RPbnUzR1V6QmwK MnNqT3pMKytjeFBVZUFacFI1c3VHK0hmZm14Q3VWQUU4SkZhay9sTGgrT1hyRGg0elFSb2dUZFBF QVdYOXdocApSWWMxYjBnVGM1RnpIa3IrSnBQZlBMWTlZeWc4bHlZNFRwNm5KRVY1Um1RYkdERHcr WmVtdUFwN1A1TmxZTVEzCkEyV2w4Tk85RXhRL25vVWZtdE52d3ZTQjdsdTlpSVRBMkcrL2hTWDhx aFduam9lcVpVMi83eVdVa1EvbWdaa20KbmpCbkJiWExxejlKZTU5SER0U3FHa0kxR1ZGcjRoUnZW WmgvNnJJZXFmUHpKblpZdytJREkrUVVpTFhYZnh3Nwp5YkFiQXhXS3hXbkV4L21odG1kMW5LT09C TVQxS29pbmJMS0JNWWRrK01MVXd3VG5YWFVobng0Y2t5Mk0rL2hOCjEvR0dkNVR3UkdORVVWYTYx UUU4Vm5UUnlOaFpCRFUxSjhvaGx5OGdReDQvd2EzVmFnRlRKK0F6M2tySW5xdDIKcStLVDZvZGR5 NDM0eHlKOExISEJVSUlCTkdtVHNwenlvNkxFbnRYTXNTMW9Kc094OG41R3VjcTI5cTlHeU82cwpa TG1QNHRGTWMzN1lZVmtNOE5UVmpOcjRZWTJoaDU0L2N1blZ6QTJCT1lNYkh4bWF4R0tCUlE3c3FK WVl6MC9ZCitOa3FieFVHc1hIRm45cmlkcStOS3BZc2RGRUVuT2pjeEhFQzVmN09EanNPSTNQcVNN QkZNelo0dGtYY0NEUysKUWd3OHRXRzZwSHpSMVBZamM3b0N1VDdqRU9XMXpmMEpHNW9uOFBQeU83 bmFDQzRNMDNMb1N6K2VoOFFPc1d2MgovbEZob0JSVmp6ZEorUEFhWkY5Two9ME9qVgotLS0tLUVO RCBQR1AgU0lHTkFUVVJFLS0tLS0K --===============3748713700018993885==--
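Review bot: the update.sh sed expression `s/^#StrictModes .*$/StrictModes yes/` only matches a commented-out `#StrictModes` line, so a host where an administrator has already set `StrictModes no` explicitly keeps that value after the update and the "after misconfiguration" case the commit message targets is not covered. The lfs/openssh hunk in the same patch uses `^#\?AllowTcpForwarding .*$$` and `^#\?PermitRootLogin .*$$` to match both the commented and the uncommented form; `-e 's/^#\?StrictModes .*$/StrictModes yes/'` would do the same here (a single `$` is correct in this shell script, unlike in the Makefile). Two small points on the commit message: "word-writeable" should read "world-writable", and StrictModes also rejects group-writable files and wrong ownership of the home directory and ~/.ssh, not only a world-writable authorized_keys, which is worth stating since it is the reason the check can lock users out after an update.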
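Review bot: the added lfs/openssh line `-e 's/^#StrictModes .*$/StrictModes yes/' \` uses a single `$` inside a Makefile recipe, where make treats `$/` as a reference to the (empty) variable named `/` and expands it before the shell runs, so sed is handed `s/^#StrictModes .*StrictModes yes/` and aborts with an unterminated `s` command, failing the build. The neighbouring AllowTcpForwarding, PermitRootLogin and HostKey expressions in this hunk escape the anchor as `$$`; this line should too, and can pick up the `#\?` idiom from those lines at the same time: `-e 's/^#\?StrictModes .*$$/StrictModes yes/' \`. The LogLevel context line directly above (`-e 's/^#LogLevel INFO$/LogLevel INFO/' \`) carries the same single `$` and is worth checking while you are here.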
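As an added example, not part of this patch or of IPFire's own code: the sed expression as written in the patch and the `^#\?` variant used elsewhere in lfs/openssh, run against two constructed sshd_config fragments, with a small awk helper that reports the first StrictModes directive in the file (the one sshd honours, since sshd_config uses the first value obtained). It assumes GNU sed, which the patch's own `\?` already requires.

```shell
#!/bin/sh
# Added example (not IPFire code): compare the patch's sed expression with a
# variant that also matches an uncommented StrictModes directive.

# Constructed fragment 1: the stock OpenSSH default, directive still commented.
DEFAULT_CONFIG='# Authentication:
#StrictModes yes
PubkeyAuthentication yes'

# Constructed fragment 2: an administrator disabled the check explicitly and
# removed the commented default, the "misconfiguration" case the patch targets.
DISABLED_CONFIG='# Authentication:
StrictModes no
PubkeyAuthentication yes'

# sed expression exactly as in the patch: matches commented-out lines only.
patch_sed() {
    printf '%s\n' "$1" | sed -e 's/^#StrictModes .*$/StrictModes yes/'
}

# Variant using the "^#\?" idiom the same Makefile applies to
# AllowTcpForwarding and PermitRootLogin: matches both forms (GNU sed).
fixed_sed() {
    printf '%s\n' "$1" | sed -e 's/^#\?StrictModes .*$/StrictModes yes/'
}

# Report the value sshd would use: the first StrictModes directive that is not
# a comment, or "default" when none is set (OpenSSH defaults to yes).
effective_strictmodes() {
    v=$(printf '%s\n' "$1" | awk 'tolower($1) == "strictmodes" { print $2; exit }')
    printf '%s\n' "${v:-default}"
}

# Stand-alone run: show what each expression achieves on each fragment.
printf 'default config, patch sed  -> %s\n' "$(effective_strictmodes "$(patch_sed "$DEFAULT_CONFIG")")"
printf 'disabled config, patch sed -> %s\n' "$(effective_strictmodes "$(patch_sed "$DISABLED_CONFIG")")"
printf 'disabled config, fixed sed -> %s\n' "$(effective_strictmodes "$(fixed_sed "$DISABLED_CONFIG")")"
```

On the default fragment both expressions turn `#StrictModes yes` into an explicit `StrictModes yes`; on the disabled fragment only the `^#\?` variant changes the effective value, the patch's expression leaves `StrictModes no` in place.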