From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] sshd_config: Do not set defaults explicitly
Date: Mon, 03 Feb 2020 17:42:44 +0000
Message-ID:
In-Reply-To: <649f26eb-cbe0-d476-204e-63ba888f10aa@ipfire.org>

Hi,

> On 3 Feb 2020, at 17:24, Peter Müller wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
> Since the Unbound configuration patch (https://patchwork.ipfire.org/patch/2710/)
> is based on the same motivation as this one, I am a bit surprised by your Reviewed-by
> tag on it. :-)

Yeah, I could not remember if I wrote this email and waiting for a reply kind of timed out :)

> Breaking productive environments is a latter weak point to me, as keeping configuration
> statements/directives removed in the upstream may or may not cause the same effect.
> Worse, there may be good reasons for changing upstream defaults which we should track
> closely due to security considerations. On the other hand, relying on third parties
> is a bad idea when it comes to security - not to mention personal aversions against
> relying on something or someone in general...
>
> In the end, I figure it is less bad to have a shorter configuration which takes less
> disk space and is easier to review and audit. You are right, the downside of this is
> to rely on other people's opinion of security and interoperability.

Disk space? We are talking bytes. As long as we are shipping half a gigabyte of firmware for outdated SCSI controllers, this won't really help you much.

-Michael

P.S. I suppose we should just go ahead with this then:

Reviewed-by: Michael Tremer

>
> Thanks, and best regards,
> Peter Müller
>
>> Hello,
>>
>> I am not 100% sure if I like this change.
>>
>> Simply because of defaults changing in software. Although we generally want to follow upstream this might break installations.
>>
>> Do we not see this as a danger?
>>
>> I would prefer to have shorter configurations, but not breaking production is more important.
>>
>> -Michael
>>
>>> On 20 Jan 2020, at 20:04, Peter Müller wrote:
>>>
>>> In order to keep configurations as small as possible and to make them
>>> easier to read/audit, this patch omits all default configuration in the
>>> OpenSSH server configuration file.
>>>
>>> Further, it mentions where to refer to for the full documentation.
>>>
>>> Signed-off-by: Peter Müller
>>> ---
>>> config/ssh/sshd_config | 62 ++++++++++++++++----------------------------------
>>> 1 file changed, 20 insertions(+), 42 deletions(-)
>>>
>>> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
>>> index a248c4906..bea5cee53 100644
>>> --- a/config/ssh/sshd_config
>>> +++ b/config/ssh/sshd_config
>>> @@ -1,81 +1,59 @@ >>> -# ultra-secure OpenSSH server configuration >>> +# OpenSSH server configuration file for IPFire >>> +# >>> +# The full documentation is available at: https://man.openbsd.org/sshd_c= onfig >>> +# >>>=20 >>> -# only allow version 2 of SSH protocol >>> +# Only allow version 2 of SSH protocol >>> Protocol 2 >>>=20 >>> -# listen on port 22 by default >>> +# Listen on port 22 by default >>> Port 22 >>>=20 >>> -# listen on these interfaces and protocols >>> -AddressFamily any >>> +# Listen on every interface and IPv4 only >>> +AddressFamily inet >>> ListenAddress 0.0.0.0 >>>=20 >>> -# limit authentication thresholds >>> +# Limit authentication timeout to 30 seconds >>> LoginGraceTime 30s >>> -MaxAuthTries 6 >>>=20 >>> -# limit maximum instanctes to prevent DoS >>> +# Limit maximum instanctes to prevent DoS >>> MaxStartups 5 >>>=20 >>> -# ensure proper logging >>> -SyslogFacility AUTH >>> -LogLevel INFO >>> - >>> -# enforce permission checks before a login is accepted >>> -# (prevents damage because of hacked systems with world-writeable >>> -# home directories or similar) >>> -StrictModes yes >>> - >>> -# only allow safe crypto algorithms (may break some _very_ outdated clie= nts) >>> -# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.ht= ml >>> +# Only allow safe crypto algorithms (may break some _very_ outdated clie= nts) >>> +# See also: https://stribika.github.io/2015/01/04/secure-secure-shell.ht= ml >>> KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchang= e-sha256 >>> Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-g= cm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >>> MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac= -128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com >>>=20 >>> -# enable data compression after successful login only >>> -Compression delayed >>> - >>> -# only allow cryptographically safe SSH host keys (adjust 
paths if neede= d) >>> +# Only allow cryptographically safe SSH host keys (adjust paths if neede= d) >>> HostKey /etc/ssh/ssh_host_ed25519_key >>> HostKey /etc/ssh/ssh_host_ecdsa_key >>> HostKey /etc/ssh/ssh_host_rsa_key >>>=20 >>> -# only allow login via public key by default >>> +# Only allow login via public key by default >>> PubkeyAuthentication yes >>> PasswordAuthentication no >>> ChallengeResponseAuthentication no >>> -PermitEmptyPasswords no >>>=20 >>> -# permit root login as there is no other user in IPFire 2.x >>> +# Permit root login as there is no other user in IPFire 2.x >>> PermitRootLogin yes >>>=20 >>> -# ignore user ~/.rhost* files >>> -IgnoreRhosts yes >>> - >>> -# ignore user known hosts file >>> +# Ignore user ~/.ssh/known_hosts file >>> IgnoreUserKnownHosts yes >>>=20 >>> -# ignore user environments >>> -PermitUserEnvironment no >>> - >>> -# do not allow any kind of forwarding (provides only low security) >>> +# Do not allow any kind of forwarding (provides only low security); >>> # some of them might need to be re-enabled if SSH server is a jump platfo= rm >>> -X11Forwarding no >>> AllowTcpForwarding no >>> AllowAgentForwarding no >>> -PermitTunnel no >>> -GatewayPorts no >>> PermitOpen none >>>=20 >>> -# detect broken sessions by sending keep-alive messages to >>> -# clients (both via TCP and SSH) >>> -TCPKeepAlive yes >>> +# Detect broken sessions by sending keep-alive messages to clients via S= SH connection >>> ClientAliveInterval 10 >>>=20 >>> -# close unresponsive SSH sessions which fail to answer keep-alive >>> +# Close unresponsive SSH sessions which fail to answer keep-alive >>> ClientAliveCountMax 6 >>>=20 >>> -# add support for SFTP >>> +# Add support for SFTP >>> Subsystem sftp /usr/lib/openssh/sftp-server >>>=20 >>> # EOF >>> --=20 >>> 2.16.4 >>=20 --===============4755659722682666823==--
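Review bot: The hunk keeps `Protocol 2`, `Port 22` and `PubkeyAuthentication yes` although these are upstream defaults as well (and sshd has not supported protocol 1 since OpenSSH 7.4, so `Protocol` no longer does anything), which contradicts the commit message's claim that all default configuration is omitted; either drop them too or say in the new header comment which defaults are kept on purpose. The typo in `+# Limit maximum instanctes to prevent DoS` survives the rewording and should become "instances". The deletions themselves match current upstream defaults (MaxAuthTries 6, SyslogFacility AUTH, LogLevel INFO, StrictModes yes, PermitEmptyPasswords no, IgnoreRhosts yes, PermitUserEnvironment no, X11Forwarding no, PermitTunnel no, GatewayPorts no, TCPKeepAlive yes; `Compression delayed` has been an alias for the default `yes` since 7.4, when pre-authentication compression was removed), but since the objection in this thread is that defaults drift upstream, the header comment would be a good place to record the OpenSSH version these were verified against, and `ChallengeResponseAuthentication no` must stay explicit because its default is `yes`.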
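The trade-off argued above, a shorter file that is easier to audit versus silently inheriting whatever upstream decides, can be checked mechanically before a patch like this is merged. The script below is an added example, not IPFire's code or part of the patch: it parses two versions of an sshd_config, compares the directives that were dropped against a table of the build's effective defaults, and flags any drop that changes behaviour. The defaults table is a constructed subset of what `sshd -T` prints for an upstream OpenSSH 7.4+ build and must be regenerated from the sshd actually shipped; the two sample configs are constructed from the kept and deleted lines of the hunk, with the HostKey, algorithm and Subsystem lines left out. The `OVERTRIMMED` variant, which also drops `ChallengeResponseAuthentication no`, is hypothetical and shows the case the check exists for.

```python
import re

# Constructed subset of `sshd -T` output for an upstream OpenSSH 7.4+ build.
# Assumption: regenerate this from the sshd you actually ship before trusting it.
SSHD_T_DEFAULTS = """\
port 22
logingracetime 120
maxauthtries 6
syslogfacility AUTH
strictmodes yes
compression yes
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication yes
permitemptypasswords no
permitrootlogin without-password
x11forwarding no
allowtcpforwarding yes
tcpkeepalive yes
clientalivecountmax 3
"""

# Spellings sshd treats as aliases. OpenSSH 7.4 made "Compression delayed" an
# alias for "yes", so dropping that line is not a behaviour change.
ALIASES = {"compression": {"delayed": "yes"},
           "permitrootlogin": {"prohibit-password": "without-password"}}
_TIME = re.compile(r"^(\d+)([smhdw]?)$")
_SECS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def normalise(keyword, value):
    """Comparison form: lower-case, alias resolved, time suffix expanded to
    seconds (sshd -T prints 'logingracetime 30' for 'LoginGraceTime 30s')."""
    v = value.strip().lower()
    v = ALIASES.get(keyword, {}).get(v, v)
    m = _TIME.match(v)
    return str(int(m.group(1)) * _SECS[m.group(2)]) if m else v


def parse_sshd_config(text):
    """{keyword: [values]} for the global section: keywords case-insensitive,
    'Key value' and 'Key=value' accepted, comments stripped, everything from
    the first Match block onward ignored (Match sections need a separate pass)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, []).append(normalise(key, parts[1] if len(parts) > 1 else ""))
    return conf


DEFAULTS = parse_sshd_config(SSHD_T_DEFAULTS)


def redundant_directives(conf, defaults=DEFAULTS):
    """Directives that merely restate the build's default (removal candidates)."""
    return sorted(k for k, v in conf.items() if defaults.get(k) == v)


def silently_changed(old, new, defaults=DEFAULTS):
    """Directives dropped between old and new whose explicit value was not the
    default, so the drop changes sshd's behaviour; a drop the defaults table
    cannot vouch for is reported with default None."""
    return {k: (defaults.get(k), v) for k, v in old.items()
            if k not in new and defaults.get(k) != v}


# Sample configs constructed from the patch (HostKey, algorithm and Subsystem
# lines left out): the directives it keeps, and the ones it deletes.
NEW = """\
Port 22
LoginGraceTime 30s
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin yes
AllowTcpForwarding no
ClientAliveCountMax 6
"""
OLD = NEW + """\
MaxAuthTries 6
SyslogFacility AUTH
StrictModes yes
Compression delayed
PermitEmptyPasswords no
X11Forwarding no
TCPKeepAlive yes
"""
# Hypothetical cleanup that goes one directive too far: upstream defaults this to "yes".
OVERTRIMMED = NEW.replace("ChallengeResponseAuthentication no\n", "")

if __name__ == "__main__":
    old, new = parse_sshd_config(OLD), parse_sshd_config(NEW)
    print("still default after the patch:", redundant_directives(new))
    print("behaviour changes, patch as posted:", silently_changed(old, new))
    print("behaviour changes, over-trimmed:",
          silently_changed(old, parse_sshd_config(OVERTRIMMED)))
```

Run against the real files, the defaults table should come from `sshd -T` on the firmware image itself rather than from a hand-written list, and the comparison is only meaningful for the exact OpenSSH version that output came from: the alias table is the reminder that a value can stop being "non-default" without any line in the file changing, which is exactly the drift the thread worries about.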