On Tue, 2018-05-01 at 14:27 +0200, Peter Müller wrote:
> Hello Michael,
> 
> > Hi,
> > 
> > I need more explanation to understand and accept this patch. You are very
> > often just stating what you are doing but not why.
> 
> Okay, thanks for the hint.
> 
> The intention here is to solve all items listed at
> https://bugzilla.ipfire.org/show_bug.cgi?id=11538 .
> Some of them are enabled by default already, as you mentioned below, but I do
> not consider default values very stable and want to make sure the settings
> we/I wish are really applied.
> 
> Since the item list in #11538 is quite mixed, I consider it a better idea to
> send in a patch for each one so we can argue about each patch separately and
> the whole thing does not break down because of one single patch not being
> applied. :-)

That's *always* the way to go.

> By the way: There were some commits (updated NRPE, ca-certificates) you merged
> the other day. Is there a reason why they are not showing up at Git? Sorry for
> being impatient here.
> 
> Best regards,
> Peter Müller
> 
> > On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
> > > Update some values in the OpenSSH server configuration at
> > > /etc/ssh/sshd_config to secure values. Changes are also applied
> > > on existing installations via update.sh script.
> > > 
> > > This partly solves #11538 and performs these changes:
> > > - never accept empty passwords for authentication
> > 
> > That was default. No change needed really.
> > 
> > > - make sure OpenSSH always logs properly
> > 
> > What went wrong before?
> > 
> > > - make sure permissions of .ssh/authorized_keys are checked (StrictModes)
> > 
> > ACK.
> 
> OK.
> 
> > > - limit maximum concurring sessions to 5
> > 
> > ???
> > 
> > > - make sure custom rhosts files are always ignored
> > 
> > That was default as well
> > 
> > > - limit maximum authentication tries to 3
> > 
> > This is also default.
> > 
> > > The logging options were not applied during build correctly,
> > > which is fixed now. Changes are not expected to break existing
> > > systems.
> > 
> > Expected?
> > 
> > There is no need to stop the ssh daemon when running the update. That will
> > cause that users who are running the update via SSH are losing their
> > connection.
> 
> Thanks. Will include that in a second version of this patch.
> 
> > A restart at the very end is sufficient.
> > 
> > -Michael
> > 
> > > 
> > > Signed-off-by: Peter Müller
> > > ---
> > >  config/rootfiles/core/121/update.sh | 12 ++++++++++++
> > >  lfs/openssh                         |  9 +++++++--
> > >  2 files changed, 19 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/config/rootfiles/core/121/update.sh > > > b/config/rootfiles/core/121/update.sh > > > index 87d5f6ebd..d3ceb84aa 100644 > > > --- a/config/rootfiles/core/121/update.sh > > > +++ b/config/rootfiles/core/121/update.sh > > > @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do > > > done > > > > > > # Stop services > > > +/etc/init.d/sshd stop > > > > > > # Extract files > > > extract_files > > > @@ -56,8 +57,19 @@ rm -rvf \ > > > /usr/share/nagios/ \ > > > /var/nagios/ > > > > > > +# Update SSH configuration > > > +sed -i /etc/ssh/sshd_config \ > > > + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ > > > + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ > > > + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ > > > + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ > > > + -e 's/^#StrictModes .*$/StrictModes yes/' \ > > > + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ > > > + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' > > > + > > > # Start services > > > /etc/init.d/apache restart > > > +/etc/init.d/sshd start > > > > > > # This update needs a reboot... > > > touch /var/run/need_reboot > > > diff --git a/lfs/openssh b/lfs/openssh > > > index 203446370..90279ac98 100644 > > > --- a/lfs/openssh > > > +++ b/lfs/openssh
> > > @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > > -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts > > > yes/' \ > > > -e 's/^#\?UsePAM .*$$//' \ > > > -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \ > > > - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' > > > \ > > > - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \ > > > + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ > > > + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ > > > -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' > > > \ > > > -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ > > > + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords > > > no/' \ > > > + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ > > > + -e 's/^#StrictModes .*$/StrictModes yes/' \ > > > + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ > > > + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \ > > > -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ > > > -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ > > > -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \ > >
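Review bot: `/etc/init.d/sshd stop` under `# Stop services` in the first update.sh hunk drops the session of an administrator who runs this update over SSH, and if the update aborts anywhere between that line and the later `/etc/init.d/sshd start` the machine is left without remote access; remove the stop and restart sshd once at the end, after the new sshd_config has been written.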
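Review bot: every expression in the `# Update SSH configuration` block of the second update.sh hunk anchors on a literal `#` (`'s/^#MaxAuthTries .*$/MaxAuthTries 3/'` and the six others), so it only rewrites a directive that is still commented out; on an installed system where the line is already active, for example an administrator's `MaxAuthTries 6`, `sed -i` matches nothing and the update silently leaves the weaker value in place. Use the `^#\?` form that the existing lfs/openssh rules use, and run `sshd -t` before `/etc/init.d/sshd start` so that a malformed sshd_config cannot leave the system without SSH.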
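Review bot: the seven `+` lines in the lfs/openssh hunk write a single `$` inside a make recipe (`'s/^#SyslogFacility AUTH$/SyslogFacility AUTH/'`), but make expands `$/` as a reference to the empty variable named `/` before the shell runs the command, which is exactly why every surrounding rule writes `$$`; sed therefore receives `s/^#SyslogFacility AUTHSyslogFacility AUTH/`, an unterminated `s` command, and the openssh build fails. Write `$$` as the neighbouring lines do and keep the `#\?` prefix so each rule matches whether or not upstream ships the line commented. Dropping ` .*` after `SyslogFacility AUTH` and `LogLevel INFO` is the right part of this change: the old pattern required a space after the value, which a stock `#SyslogFacility AUTH` line does not have, and that would explain the logging options never being applied during build.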
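Peter's point about not trusting defaults and making sure the wanted settings are really applied, as an added example that is not part of this patch or of IPFire's own code: a POSIX shell routine that enforces the seven directives from the thread in a sshd_config whether each line is still commented, already active with another value, or missing, and a check that reads back what sshd would actually honour. It goes one step beyond the patch by also handling a trailing `Match` block; the directive list, the sample config and all function names are constructed for this example.

```shell
# Added example (not from the IPFire patch): enforce the sshd_config directives
# from the thread whether a line is still commented, active with another value
# or missing, then verify the effective values. Assumes canonical spelling.
WANTED="SyslogFacility=AUTH LogLevel=INFO PermitEmptyPasswords=no MaxAuthTries=3 StrictModes=yes MaxSessions=5 IgnoreRhosts=yes"

# enforce_sshd_directive FILE KEY VALUE: a pattern like ^#KEY only matches a
# still-commented line and silently skips an active one, so match both.
enforce_sshd_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s/^#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" > "$file.tmp"
    elif grep -Eq '^[[:space:]]*Match([[:space:]]|$)' "$file"; then
        # Appending would land inside a trailing Match block and make the
        # directive conditional; insert it before the first Match line instead.
        awk -v line="$key $value" \
            '!ins && /^[[:space:]]*Match([[:space:]]|$)/ { print line; ins = 1 } { print }' \
            "$file" > "$file.tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

harden_sshd_config() {
    for pair in $WANTED; do
        enforce_sshd_directive "$1" "${pair%%=*}" "${pair#*=}"
    done
}

# verify_sshd_config FILE: 0 only if every directive is active with the wanted
# value; sshd honours the first active occurrence, so that is what is checked.
verify_sshd_config() {
    rc=0
    for pair in $WANTED; do
        key=${pair%%=*} want=${pair#*=}
        actual=$(awk -v k="$key" '$1 == k { print $2; exit }' "$1")
        if [ "$actual" != "$want" ]; then
            echo "MISMATCH: $key is '${actual:-unset}', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: two commented directives, one active weak value, the rest
# missing, and a trailing Match block.
make_sample_config() {
    printf '%s\n' '#SyslogFacility AUTH' '#LogLevel INFO' 'MaxAuthTries 6' \
        'PermitRootLogin yes' 'Match User backup' '    X11Forwarding no' > "$1"
}
```

In an update script, run `harden_sshd_config /etc/ssh/sshd_config`, then `sshd -t` and only then restart sshd, so a malformed file never takes remote access down.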