Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via update.sh script.
This partly solves #11538 and performs these changes: - never accept empty passwords for authentication - make sure OpenSSH always logs properly - make sure permissions of .ssh/authorized_keys are checked (StrictModes) - limit maximum concurring sessions to 5 - make sure custom rhosts files are always ignored - limit maximum authentication tries to 3
The logging options were not applied during build correctly, which is fixed now. Changes are not expected to break existing systems.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/rootfiles/core/121/update.sh | 12 ++++++++++++ lfs/openssh | 9 +++++++-- 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/sshd stop
# Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/
+# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' + # Start services /etc/init.d/apache restart +/etc/init.d/sshd start
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#?UsePAM .*$$//' \ -e 's/^#?X11Forwarding .*$$/X11Forwarding no/' \ - -e 's/^#?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ - -e 's/^#?LogLevel INFO .*$$/LogLevel INFO/' \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#?PermitRootLogin .*$$/PermitRootLogin yes/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \ -e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \