From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] harden authentication and logging in OpenSSH server configuration
Date: Wed, 30 May 2018 12:26:01 +0100
Message-ID: <8bf29aca529dba2e154c1240099dbc95c865cb48.camel@ipfire.org>
In-Reply-To: <1fc21eb8-0b6d-ae7d-a371-cfd3f4aa15c7@link38.eu>

On Tue, 2018-05-01 at 14:27 +0200, Peter Müller wrote:
> Hello Michael,
>
> Hi,
>
> > I need more explanation to understand and accept this patch. You are very
> > often just stating what you are doing but not why.
>
> Okay, thanks for the hint.
>
> The intention here is to solve all items listed at
> https://bugzilla.ipfire.org/show_bug.cgi?id=11538 .
> Some of them are enabled by default already, as you mentioned below, but I do
> not consider default values very stable and want to make sure the settings
> we/I wish are really applied.
>
> Since the item list in #11538 is quite mixed, I consider it a better idea to
> send in a patch for each one so we can argue about each patch separately and
> the whole thing does not break down because of one single patch not being
> applied. :-)

That's *always* the way to go.

>
> By the way: There were some commits (updated NRPE, ca-certificates) you merged
> the other day. Is there a reason why they are not showing up at Git? Sorry for
> being impatient here.
>
> Best regards,
> Peter Müller
>
> >
> > On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
> > > Update some values in the OpenSSH server configuration at
> > > /etc/ssh/sshd_config to secure values. Changes are also applied
> > > on existing installations via update.sh script.
> > >
> > > This partly solves #11538 and performs these changes:
> > > - never accept empty passwords for authentication
> >
> > That was default. No change needed really.
> >
> > > - make sure OpenSSH always logs properly
> >
> > What went wrong before?
> >
> > > - make sure permissions of .ssh/authorized_keys are checked (StrictModes)
> >
> > ACK.
>
> OK.
> >
> > > - limit maximum concurrent sessions to 5
> >
> > ???
> >
> > > - make sure custom rhosts files are always ignored
> >
> > That was default as well
> >
> > > - limit maximum authentication tries to 3
> >
> > This is also default.
> >
> > > The logging options were not applied during build correctly,
> > > which is fixed now. Changes are not expected to break existing
> > > systems.
> >
> > Expected?
> >
> > There is no need to stop the ssh daemon when running the update. That will
> > cause that users who are running the update via SSH are losing their
> > connection.
>
> Thanks. Will include that in a second version of this patch.
> >
> > A restart at the very end is sufficient.
> >
> > -Michael
> >
> > >
> > > Signed-off-by: Peter Müller
> > > ---
> > > config/rootfiles/core/121/update.sh | 12 ++++++++++++
> > > lfs/openssh | 9 +++++++--
> > > 2 files changed, 19 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
> > > index 87d5f6ebd..d3ceb84aa 100644
> > > --- a/config/rootfiles/core/121/update.sh
> > > +++ b/config/rootfiles/core/121/update.sh
> > > @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
> > > done
> > >
> > > # Stop services
> > > +/etc/init.d/sshd stop
> > >
> > > # Extract files
> > > extract_files
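Review bot: the added `/etc/init.d/sshd stop` under "# Stop services" runs before extract_files and so kills the session of any administrator applying the update over SSH, and if the script aborts anywhere between this stop and the later start the box is left without remote access. Nothing in this update needs a stopped daemon (the configuration is only rewritten by sed further down and sshd re-reads it on restart), so drop this line and issue a single `/etc/init.d/sshd restart` after the sed block instead, as the reply above also asks.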
> > > @@ -56,8 +57,19 @@ rm -rvf \
> > > /usr/share/nagios/ \
> > > /var/nagios/
> > >
> > > +# Update SSH configuration
> > > +sed -i /etc/ssh/sshd_config \
> > > + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> > > + -e 's/^#LogLevel INFO$/LogLevel INFO/' \
> > > + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
> > > + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
> > > + -e 's/^#StrictModes .*$/StrictModes yes/' \
> > > + -e 's/^#MaxSessions .*$/MaxSessions 5/' \
> > > + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
> > > +
> > > # Start services
> > > /etc/init.d/apache restart
> > > +/etc/init.d/sshd start
> > >
> > > # This update needs a reboot...
> > > touch /var/run/need_reboot
> > > diff --git a/lfs/openssh b/lfs/openssh
> > > index 203446370..90279ac98 100644
> > > --- a/lfs/openssh
> > > +++ b/lfs/openssh
> > > @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
> > > yes/' \
> > > -e 's/^#\?UsePAM .*$$//' \
> > > -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
> > > - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/'
> > > \
> > > - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
> > > + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> > > + -e 's/^#LogLevel INFO$/LogLevel INFO/' \
> > > -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/'
> > > \
> > > -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
> > > + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords
> > > no/' \
> > > + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
> > > + -e 's/^#StrictModes .*$/StrictModes yes/' \
> > > + -e 's/^#MaxSessions .*$/MaxSessions 5/' \
> > > + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
> > > -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
> > > -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
> > > -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
>
>
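Review bot: in the update.sh sed block (hunk `@@ -56,8 +57,19 @@`) the patterns only match the exact commented stock lines (`^#SyslogFacility AUTH$`, `^#LogLevel INFO$`, `^#PermitEmptyPasswords no$`, and `^#MaxAuthTries .*$` etc. only with the leading `#`), so on an installation where a directive is already active, was set to another value by hand, or was uncommented by an earlier build the substitution is a silent no-op and the setting the commit message promises is not applied; use the optional-comment prefix and a value wildcard as the existing lfs rules do, e.g. `-e 's/^#\?SyslogFacility .*$/SyslogFacility AUTH/'` and `-e 's/^#\?MaxAuthTries .*$/MaxAuthTries 3/'`. Two smaller points on the same hunk: `/etc/init.d/sshd start` follows an in-place edit of sshd_config with no validation, so a rejected file locks remote administrators out; run `sshd -t` and only restart on success. And `MaxSessions` caps the sessions multiplexed over one SSH connection, not the number of concurrent logins, so it does not do what "limit maximum concurrent sessions" in the commit message suggests; either state the actual intent or use a different control.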
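Review bot: the seven `+` lines in the lfs/openssh hunk end their pattern with a single `$` while every surrounding rule in this recipe uses `$$`; lfs/openssh is a makefile (see the `$(TARGET) : $(patsubst ...)` target on the hunk header), so make expands `$/` in `.*$/MaxAuthTries 3/` as an empty variable reference before sed runs, leaving `s/^#MaxAuthTries .*MaxAuthTries 3/`, which sed rejects as an unterminated `s' command and the build fails. Escape them as `$$`. Also note the real defect in the two removed lines was the space before `.*` (`AUTH .*$$` can never match the stock `#SyslogFacility AUTH` line, which is why the logging options were never applied); the minimal fix that keeps the `#\?` prefix the other rules rely on is `-e 's/^#\?SyslogFacility .*$$/SyslogFacility AUTH/'` and `-e 's/^#\?LogLevel .*$$/LogLevel INFO/'`, rather than dropping the prefix and pinning the exact commented text.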
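Peter's stated goal above is that the settings are "really applied" regardless of what the shipped default is, and Michael's point is that the daemon should only be restarted once the file has been rewritten. The script below is an added example, not code from the IPFire update.sh or lfs/openssh; it shows how to set an sshd_config directive so that it ends up active with the wanted value whether the file currently has it commented out, active with another value, or missing, which the exact-match patterns in the patch do not handle. The function names (`set_sshd_option`, `get_sshd_option`, `harden_demo`) and the sample configuration are made up for the example.

```shell
#!/bin/sh
# Added example (not IPFire's update.sh or lfs/openssh): make an sshd_config
# directive active with the wanted value no matter whether the file currently
# has it commented out, active with another value, or missing entirely.
# Function names and the sample config below are made up for this example.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites every top-level "KEY ..." or "#KEY ..." line to "KEY VALUE" and
# appends the directive if no such line exists. VALUE must not contain the
# sed-special characters / & \ (true for every setting used here).
# Caveat: a KEY line inside a "Match" block would be rewritten as well.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -E -q "^#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s/^#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, or nothing.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Constructed sample resembling a stock sshd_config after a local edit:
# MaxAuthTries is already active (so a pattern anchored on '^#MaxAuthTries'
# would not touch it) and IgnoreRhosts is absent from the file.
sshd_demo_config() {
    cat <<'EOF'
# constructed sample, not a real sshd_config
#SyslogFacility AUTH
#LogLevel INFO
MaxAuthTries 6
#PermitEmptyPasswords no
#MaxSessions 10
#StrictModes yes
EOF
}

# harden_demo: write the sample to a temporary file, apply the settings the
# patch wants, and print the path of the resulting file.
harden_demo() {
    f=$(mktemp)
    sshd_demo_config > "$f"
    for kv in "SyslogFacility AUTH" "LogLevel INFO" "PermitEmptyPasswords no" \
              "MaxAuthTries 3" "StrictModes yes" "MaxSessions 5" "IgnoreRhosts yes"; do
        set -- $kv            # split "KEY VALUE" into $1 and $2
        set_sshd_option "$f" "$1" "$2"
    done
    echo "$f"
}
```

Against a real system the loop would run on /etc/ssh/sshd_config, followed by `sshd -t` (which parses the file and exits non-zero on a bad directive) before the single `/etc/init.d/sshd restart` that the reply above recommends; restarting without that check is how an in-place edit turns into a lockout.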