From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] sshd_config: Do not set defaults explicitly
Date: Mon, 03 Feb 2020 17:24:00 +0000
Message-ID: <649f26eb-cbe0-d476-204e-63ba888f10aa@ipfire.org>
In-Reply-To: <5B6C1246-8810-4DE7-B67F-2CEAE0BA2597@ipfire.org>

Hello Michael,

thanks for your reply.

Since the Unbound configuration patch (https://patchwork.ipfire.org/patch/2710/) is based on the same motivation as this one, I am a bit surprised by your Reviewed-by tag on it. :-)

Breaking a productive environment is a latter weak point to me, as keeping configuration statements/directives removed in the upstream may or may not cause the same effect. Worse, there may be good reasons for changing upstream defaults which we should track closely due to security considerations. On the other hand, relying on third parties is a bad idea when it comes to security - not to mention personal aversions against relying on something or someone in general...

In the end, I figure it is less bad to have a shorter configuration which takes less disk space and is easier to review and audit. You are right, the downside of this is to rely on other people's opinion of security and interoperability.

Thanks, and best regards,
Peter Müller

> Hello,
>
> I am not 100% sure if I like this change.
>
> Simply because of defaults changing in software. Although we generally want to follow upstream, this might break installations.
>
> Do we not see this as a danger?
>
> I would prefer to have shorter configurations, but not breaking production is more important.
>
> -Michael
>
>> On 20 Jan 2020, at 20:04, Peter Müller wrote:
>>
>> In order to keep configurations as small as possible and to make them
>> easier to read/audit, this patch omits all default configuration in the
>> OpenSSH server configuration file.
>>
>> Further, it mentions where to refer for the full documentation.
>>
>> Signed-off-by: Peter Müller
>> ---
>> config/ssh/sshd_config | 62 ++++++++++++++++----------------------------------
>> 1 file changed, 20 insertions(+), 42 deletions(-)
>>
>> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
>> index a248c4906..bea5cee53 100644
>> --- a/config/ssh/sshd_config
>> +++ b/config/ssh/sshd_config
>> @@ -1,81 +1,59 @@ >> -# ultra-secure OpenSSH server configuration >> +# OpenSSH server configuration file for IPFire >> +# >> +# The full documentation is available at: https://man.openbsd.org/sshd_co= nfig >> +# >> >> -# only allow version 2 of SSH protocol >> +# Only allow version 2 of SSH protocol >> Protocol 2 >> >> -# listen on port 22 by default >> +# Listen on port 22 by default >> Port 22 >> >> -# listen on these interfaces and protocols >> -AddressFamily any >> +# Listen on every interface and IPv4 only >> +AddressFamily inet >> ListenAddress 0.0.0.0 >> >> -# limit authentication thresholds >> +# Limit authentication timeout to 30 seconds >> LoginGraceTime 30s >> -MaxAuthTries 6 >> >> -# limit maximum instanctes to prevent DoS >> +# Limit maximum instanctes to prevent DoS >> MaxStartups 5 >> >> -# ensure proper logging >> -SyslogFacility AUTH >> -LogLevel INFO >> - >> -# enforce permission checks before a login is accepted >> -# (prevents damage because of hacked systems with world-writeable >> -# home directories or similar) >> -StrictModes yes >> - >> -# only allow safe crypto algorithms (may break some _very_ outdated clien= ts) >> -# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html >> +# Only allow safe crypto algorithms (may break some _very_ outdated clien= ts) >> +# See also: https://stribika.github.io/2015/01/04/secure-secure-shell.html >> KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange= -sha256 >> Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gc= m(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >> MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-= 128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com >> >> -# enable data compression after successful login only >> -Compression delayed >> - >> -# only allow cryptographically safe SSH host keys (adjust paths if needed) >> +# Only allow cryptographically safe SSH host keys 
(adjust paths if needed) >> HostKey /etc/ssh/ssh_host_ed25519_key >> HostKey /etc/ssh/ssh_host_ecdsa_key >> HostKey /etc/ssh/ssh_host_rsa_key >> >> -# only allow login via public key by default >> +# Only allow login via public key by default >> PubkeyAuthentication yes >> PasswordAuthentication no >> ChallengeResponseAuthentication no >> -PermitEmptyPasswords no >> >> -# permit root login as there is no other user in IPFire 2.x >> +# Permit root login as there is no other user in IPFire 2.x >> PermitRootLogin yes >> >> -# ignore user ~/.rhost* files >> -IgnoreRhosts yes >> - >> -# ignore user known hosts file >> +# Ignore user ~/.ssh/known_hosts file >> IgnoreUserKnownHosts yes >> >> -# ignore user environments >> -PermitUserEnvironment no >> - >> -# do not allow any kind of forwarding (provides only low security) >> +# Do not allow any kind of forwarding (provides only low security); >> # some of them might need to be re-enabled if SSH server is a jump platform >> -X11Forwarding no >> AllowTcpForwarding no >> AllowAgentForwarding no >> -PermitTunnel no >> -GatewayPorts no >> PermitOpen none >> >> -# detect broken sessions by sending keep-alive messages to >> -# clients (both via TCP and SSH) >> -TCPKeepAlive yes >> +# Detect broken sessions by sending keep-alive messages to clients via SS= H connection >> ClientAliveInterval 10 >> >> -# close unresponsive SSH sessions which fail to answer keep-alive >> +# Close unresponsive SSH sessions which fail to answer keep-alive >> ClientAliveCountMax 6 >> >> -# add support for SFTP >> +# Add support for SFTP >> Subsystem sftp /usr/lib/openssh/sftp-server >> >> # EOF >> --=20 >> 2.16.4 >=20 --===============8808873980710225590==--
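Review bot: the hunk does not fully follow its own rule of dropping explicit defaults: `Port 22` and `PubkeyAuthentication yes` are the upstream defaults and survive, and `Protocol 2` is a deprecated keyword that sshd has ignored with a warning since protocol 1 support was removed from the server in OpenSSH 7.4, so all three could go along with `MaxAuthTries`, `PermitEmptyPasswords`, `StrictModes`, `X11Forwarding` and the others. Two smaller points: `-AddressFamily any` / `+AddressFamily inet` is a behaviour change rather than a removed default (the default is `any`) and belongs in the commit message, even though `ListenAddress 0.0.0.0` already restricted the listener to IPv4; and the rewritten comment `+# Limit maximum instanctes to prevent DoS` carries the old typo over ("instances"). Since a number of settings are now inherited from upstream, it would also help to point out in the header comment that the effective values can be checked with `sshd -T` after an OpenSSH update.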
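The thread's disagreement is about what happens when an upstream default changes underneath a configuration that no longer states it. The check a defender wants for that is to compare the effective configuration, as printed by OpenSSH's extended test mode (`sshd -T`, which lists every option with its effective value, keywords lowercased), against what the trimmed file is supposed to end up with. The script below is an added example, not part of the IPFire patch or the mailing-list thread. It assumes `sshd -T` output is passed in as text; the sample output embedded here is constructed, with one value deliberately off so the drift report has something to show. The expectation table combines the settings the patch keeps with the upstream defaults the patch now relies on.

```python
"""Report drift between a trimmed sshd_config's intent and sshd's effective
configuration.  Added example; not code from the IPFire project.

On a real host, replace SAMPLE_SSHD_T with the stdout of
    sshd -T -f /etc/ssh/sshd_config
"""

from collections import defaultdict

# Constructed stand-in for `sshd -T` output.  clientalivecountmax is
# deliberately 3 (the upstream default) instead of the 6 the config sets,
# to demonstrate how a changed value is reported.
SAMPLE_SSHD_T = """\
port 22
addressfamily inet
logingracetime 30
maxauthtries 6
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
strictmodes yes
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
permittunnel no
gatewayports no
ignorerhosts yes
permituserenvironment no
clientaliveinterval 10
clientalivecountmax 3
hostkey /etc/ssh/ssh_host_ed25519_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_rsa_key
subsystem sftp /usr/lib/openssh/sftp-server
"""

# keyword -> value the trimmed configuration is meant to end up with.
# Entries marked (default) are no longer written in sshd_config after the
# patch, so `sshd -T` is the only place left to verify them.
EXPECTED = {
    "port": "22",
    "addressfamily": "inet",
    "logingracetime": "30",
    "maxauthtries": "6",            # (default) removed by the patch
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",   # (default) removed by the patch
    "strictmodes": "yes",           # (default) removed by the patch
    "x11forwarding": "no",          # (default) removed by the patch
    "allowtcpforwarding": "no",
    "allowagentforwarding": "no",
    "permittunnel": "no",           # (default) removed by the patch
    "gatewayports": "no",           # (default) removed by the patch
    "ignorerhosts": "yes",          # (default) removed by the patch
    "permituserenvironment": "no",  # (default) removed by the patch
    "clientaliveinterval": "10",
    "clientalivecountmax": "6",
}


def parse_sshd_t(text):
    """Parse `sshd -T` output into {keyword: [value, ...]}.

    Keywords such as hostkey appear once per value, so every keyword maps
    to an ordered list.  Blank lines are ignored.
    """
    effective = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        effective[keyword.lower()].append(value.strip())
    return dict(effective)


def check_drift(sshd_t_output, expected=EXPECTED):
    """Return sorted (keyword, expected, actual) tuples for every mismatch.

    A keyword missing from the output is reported with actual=None, which
    also catches options an upstream release renamed or dropped.
    """
    effective = parse_sshd_t(sshd_t_output)
    drift = []
    for keyword, want in expected.items():
        got = effective.get(keyword)
        actual = ",".join(got) if got else None
        if actual != want:
            drift.append((keyword, want, actual))
    return sorted(drift)


if __name__ == "__main__":
    for keyword, want, actual in check_drift(SAMPLE_SSHD_T):
        print(f"DRIFT {keyword}: expected {want!r}, effective {actual!r}")
```

Run after every OpenSSH update (or from a package post-install hook) so that a default that moved upstream shows up as a reported line rather than as a silently different listener; a non-empty drift list is the signal to either accept the new default or pin the option explicitly again.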