Re: [PATCH 3/3] OpenSSH: use safer cryptography defaults

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 6054 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

you will need to break up patches into smaller chunks. This is a bit harder to
review than it should be.

On Tue, 2018-05-01 at 14:53 +0200, Peter Müller wrote:
> By default, OpenSSH uses crypto algorithms such as SHA1, which are
> considered insecure and should not be used anymore. This patch
> updates the used ciphers, message-digest algorithms and key exchange
> algorithms according https://stribika.github.io/2015/01/04/secure-secure-
> shell.html .

I can agree to that.

> For the kex algo "diffie-hellman-group-exchange-sha256", an intact
> SSH moduli file is required. To make sure we are not falling back
> to insecure crypto here, its presence is checked at SSH startup.

This could have been a separate patch.

> On my machines, this file was already there, but it makes sense to
> me to double-check this. This patch should not make problems except
> for very outdated OpenSSH clients (older than 6.x) or PuTTY versions.
> 
> This partially addresses #11538 and requires patch 2/3.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/rootfiles/core/121/update.sh |  6 +++++-
>  lfs/openssh                         |  4 ++++
>  src/initscripts/system/sshd         | 12 ++++++++++++
>  3 files changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/config/rootfiles/core/121/update.sh
> b/config/rootfiles/core/121/update.sh
> index 3ec251292..99c174156 100644
> --- a/config/rootfiles/core/121/update.sh
> +++ b/config/rootfiles/core/121/update.sh
> @@ -60,7 +60,11 @@ rm -rvf \
>  sed -i /etc/ssh/sshd_config \
>  	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>  	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> -	-e 's/^#StrictModes .*$/StrictModes yes/'
> +	-e 's/^#StrictModes .*$/StrictModes yes/' \
> +	-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305(a)openssh.co
> m,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-
> ctr\
> +			MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm@
> openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)open
> ssh.com\
> +			KexAlgorithms curve25519-sha256(a)libssh.org,diffie-
> hellman-group-exchange-sha256\
> +			#RekeyLimit default none/'

The sed is ugly (more below), how can we know this will be properly applied to
all systems?

sed can add lines without looking for something else to replace something. You
can also match a string and append more after it and use & as a wildcard to re-
insert the matched content. 

>  # Start services
>  /etc/init.d/sshd restart
> diff --git a/lfs/openssh b/lfs/openssh
> index 7e8468ac9..3043501a2 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
>  		-e 's/^#StrictModes .*$/StrictModes yes/' \
> +		-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305(a)op
> enssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-
> ctr,aes128-ctr\
> +			MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm@
> openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)open
> ssh.com\
> +			KexAlgorithms curve25519-sha256(a)libssh.org,diffie-
> hellman-group-exchange-sha256\
> +			#RekeyLimit default none/' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \

I think we should urgently move away from changing the default configuration
like this. This is hard to read, might change lines in future versions that we
do not intend, etc. This is just not a good way to modify a file.

Would you please add a fresh file with only the directives that we want/need?

> diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd
> index 7b4092d38..d7958e800 100644
> --- a/src/initscripts/system/sshd
> +++ b/src/initscripts/system/sshd
> @@ -23,6 +23,18 @@ case "$1" in
>  		evaluate_retval
>  	done
>  
> +	# Make sure moduli file is properly present
> +	# (https://stribika.github.io/2015/01/04/secure-secure-shell.html)
> +	modulifile="/etc/ssh/moduli"
> +	if [ ! -e "${modulifile}" ]; then
> +		boot_mesg "Generating SSH moduli file (this may take a
> while)..."
> +
> +		ssh-keygen -G /etc/ssh/moduli.all -b 4096
> +		ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
> +		mv /etc/ssh/moduli.safe /etc/ssh/moduli
> +		rm -f /etc/ssh/moduli.all
> +	fi
> +

How long will this take? We support systems with very slow processors. I have
been running this for the past 10 minutes on my desktop machine which has some
Intel i5 processor. This is already too long.

Are there any alternatives instead of creating this with 4096 bits of length on
the target machines?

>          [ -e "/var/ipfire/remote/enablessh" ] || exit 0 # SSH is not enabled
>          boot_mesg "Starting SSH Server..."
>          loadproc /usr/sbin/sshd 

- -Michael
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlr+2IwACgkQgHnw/2+Q
CQduMA//YlCIN/3bmPSS11jurJQFCy6p3QdqbGuuR09tefEKNZ1w5KXxMili5Vsm
tW/is9VoLcB66jEVSn9osAKZ7yRkr99Z7eic+OJVdjodmkGz64KNSIbz0mYTqt+t
0sYADY+F9G+AYwR4WcJviRxOIzCKO7xvdc9ZNRTg1jGzutztJnhwAByO2JGn9HCE
9D1SM7PHNa55TB/7RcZuFn6Y9P1JUfSmwdA/bwyC4oS8znePu/+uRcK1+L+lnXQ8
tEJTs2Daq3icwAVdfUbdW6+zuCjsEvkkwjmQ4opI9twD9q33x7QZkd4/9+yW84pa
BBwTFaRUGmSSmca+7HH08KdHpvrXgnmE9X798JTRGJO8zMc0V6yO79Ta8TJG3H5k
nihprEhxFBTlQ+iWof9aNMH9zFFQKtLP0QzgB1jdgXMMtrx86pTOwIVlPx7loUo5
eTAgZaSE8Sjvo1iarKyfSfqjo8ZlcIpdGKeE1lsiCcIfA1jpe+uy0hHgiWiFHKwe
Rdzz7q4ZIo3s9Dyv0vECOvoPWxQUE9jQT5o05vY9m3uEZv4VrjC1rzCqY1iW8Rj5
E9hGt72MfpKNESXwcDhqTjYC9h0dm2ip7W7xFoJ6rwwvECjEA0n+B9STpVXi8NJh
hMbLkwZ1POTojtHFZwFo5AJ0cQuricWVLzn5oA7bOZkf8Pg82+I=
=u/E+
-----END PGP SIGNATURE-----