Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via update.sh script.
This partly solves #11538 and performs these changes:
- never accept empty passwords for authentication
- make sure OpenSSH always logs properly
- make sure permissions of .ssh/authorized_keys are checked (StrictModes)
- limit maximum concurrent sessions to 5
- make sure custom rhosts files are always ignored
- limit maximum authentication tries to 3
The logging options were not applied during build correctly, which is fixed now. Changes are not expected to break existing systems.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- config/rootfiles/core/121/update.sh | 12 ++++++++++++ lfs/openssh | 9 +++++++-- 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/sshd stop
# Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/
+# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' + # Start services /etc/init.d/apache restart +/etc/init.d/sshd start
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#?UsePAM .*$$//' \ -e 's/^#?X11Forwarding .*$$/X11Forwarding no/' \ - -e 's/^#?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ - -e 's/^#?LogLevel INFO .*$$/LogLevel INFO/' \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#?PermitRootLogin .*$$/PermitRootLogin yes/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \ -e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
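Review bot: In config/rootfiles/core/121/update.sh (hunk @@ -32,6 +32,7), the `/etc/init.d/sshd stop` added under "# Stop services" takes the daemon down before `extract_files` runs, and it only comes back at the `/etc/init.d/sshd start` line near the end of the script. An administrator running the update over SSH can lose the session, and a failure in between leaves the machine without SSH. Drop the stop and replace the final start with a single restart after the configuration has been rewritten.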
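Review bot: In config/rootfiles/core/121/update.sh (hunk @@ -56,8 +57,19), every sed expression is anchored on `^#`, so only lines that are still commented out are rewritten. An installation where the directive is already active with another value (for example an uncommented `MaxAuthTries 6`) is left unchanged, and `^#PermitEmptyPasswords no$` matches nothing but the stock default line, so the update does not enforce the values the commit message lists. Match the optional comment marker and any value instead, and run `sshd -t` on the result before the daemon is started again.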
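Review bot: In lfs/openssh (hunk @@ -91,10 +91,15), the added expressions end their patterns with a single `$`, while the surrounding recipe lines use `$$`. Inside a make recipe, `$/` is expanded by make before the shell sees the command, so the end-of-line anchor and the delimiter after it do not reach sed as written. Write `$$` in all seven added lines, as the neighbouring `-e` lines do. The added lines also match only `^#`, where the context lines allow for an already uncommented directive.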
Hi,
I need more explanation to understand and accept this patch. You are very often just stating what you are doing but not why.
On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via update.sh script.
This partly solves #11538 and performs these changes:
- never accept empty passwords for authentication
That was default. No change needed really.
- make sure OpenSSH always logs properly
What went wrong before?
- make sure permissions of .ssh/authorized_keys are checked (StrictModes)
ACK.
- limit maximum concurrent sessions to 5
???
- make sure custom rhosts files are always ignored
That was default as well
- limit maximum authentication tries to 3
This is also default.
The logging options were not applied during build correctly, which is fixed now. Changes are not expected to break existing systems.
Expected?
There is no need to stop the ssh daemon when running the update. That will cause users who are running the update via SSH to lose their connection.
A restart at the very end is sufficient.
-Michael
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/rootfiles/core/121/update.sh | 12 ++++++++++++ lfs/openssh | 9 +++++++-- 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/sshd stop
# Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/
+# Update SSH configuration +sed -i /etc/ssh/sshd_config \
- -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
- -e 's/^#LogLevel INFO$/LogLevel INFO/' \
- -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
- -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
- -e 's/^#StrictModes .*$/StrictModes yes/' \
- -e 's/^#MaxSessions .*$/MaxSessions 5/' \
- -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
# Start services /etc/init.d/apache restart +/etc/init.d/sshd start
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#?UsePAM .*$$//' \ -e 's/^#?X11Forwarding .*$$/X11Forwarding no/' \
-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
-e 's/^#?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#?PermitRootLogin .*$$/PermitRootLogin yes/' \-e 's/^#LogLevel INFO$/LogLevel INFO/' \
-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
-e 's/^#StrictModes .*$/StrictModes yes/' \
-e 's/^#MaxSessions .*$/MaxSessions 5/' \
-e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
Hello Michael,
Hi,
I need more explanation to understand and accept this patch. You are very often just stating what you are doing but not why.
Okay, thanks for the hint.
The intention here is to solve all items listed at https://bugzilla.ipfire.org/show_bug.cgi?id=11538 . Some of them are enabled by default already, as you mentioned below, but I do not consider default values very stable and want to make sure the settings we/I wish are really applied.
Since the item list in #11538 is quite mixed, I consider it a better idea to send in a patch for each one so we can argue about each patch separately and the whole thing does not break down because of one single patch not being applied. :-)
By the way: There were some commits (updated NRPE, ca-certificates) you merged the other day. Is there a reason why they are not showing up at Git? Sorry for being impatient here.
Best regards, Peter Müller
On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via update.sh script.
This partly solves #11538 and performs these changes:
- never accept empty passwords for authentication
That was default. No change needed really.
- make sure OpenSSH always logs properly
What went wrong before?
- make sure permissions of .ssh/authorized_keys are checked (StrictModes)
ACK.
OK.
- limit maximum concurrent sessions to 5
???
- make sure custom rhosts files are always ignored
That was default as well
- limit maximum authentication tries to 3
This is also default.
The logging options were not applied during build correctly, which is fixed now. Changes are not expected to break existing systems.
Expected?
There is no need to stop the ssh daemon when running the update. That will cause users who are running the update via SSH to lose their connection.
Thanks. Will include that in a second version of this patch.
A restart at the very end is sufficient.
-Michael
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/rootfiles/core/121/update.sh | 12 ++++++++++++ lfs/openssh | 9 +++++++-- 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/sshd stop
# Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/
+# Update SSH configuration +sed -i /etc/ssh/sshd_config \
- -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
- -e 's/^#LogLevel INFO$/LogLevel INFO/' \
- -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
- -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
- -e 's/^#StrictModes .*$/StrictModes yes/' \
- -e 's/^#MaxSessions .*$/MaxSessions 5/' \
- -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
# Start services /etc/init.d/apache restart +/etc/init.d/sshd start
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#?UsePAM .*$$//' \ -e 's/^#?X11Forwarding .*$$/X11Forwarding no/' \
-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
-e 's/^#?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#?PermitRootLogin .*$$/PermitRootLogin yes/' \-e 's/^#LogLevel INFO$/LogLevel INFO/' \
-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
-e 's/^#StrictModes .*$/StrictModes yes/' \
-e 's/^#MaxSessions .*$/MaxSessions 5/' \
-e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
On Tue, 2018-05-01 at 14:27 +0200, Peter Müller wrote:
Hello Michael,
Hi,
I need more explanation to understand and accept this patch. You are very often just stating what you are doing but not why.
Okay, thanks for the hint.
The intention here is to solve all items listed at https://bugzilla.ipfire.org/show_bug.cgi?id=11538 . Some of them are enabled by default already, as you mentioned below, but I do not consider default values very stable and want to make sure the settings we/I wish are really applied.
Since the item list in #11538 is quite mixed, I consider it a better idea to send in a patch for each one so we can argue about each patch separately and the whole thing does not break down because of one single patch not being applied. :-)
That's *always* the way to go.
By the way: There were some commits (updated NRPE, ca-certificates) you merged the other day. Is there a reason why they are not showing up at Git? Sorry for being impatient here.
Best regards, Peter Müller
On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via update.sh script.
This partly solves #11538 and performs these changes:
- never accept empty passwords for authentication
That was default. No change needed really.
- make sure OpenSSH always logs properly
What went wrong before?
- make sure permissions of .ssh/authorized_keys are checked (StrictModes)
ACK.
OK.
- limit maximum concurrent sessions to 5
???
- make sure custom rhosts files are always ignored
That was default as well
- limit maximum authentication tries to 3
This is also default.
The logging options were not applied during build correctly, which is fixed now. Changes are not expected to break existing systems.
Expected?
There is no need to stop the ssh daemon when running the update. That will cause users who are running the update via SSH to lose their connection.
Thanks. Will include that in a second version of this patch.
A restart at the very end is sufficient.
-Michael
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/rootfiles/core/121/update.sh | 12 ++++++++++++ lfs/openssh | 9 +++++++-- 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/sshd stop
# Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/
+# Update SSH configuration +sed -i /etc/ssh/sshd_config \
- -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
- -e 's/^#LogLevel INFO$/LogLevel INFO/' \
- -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
- -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
- -e 's/^#StrictModes .*$/StrictModes yes/' \
- -e 's/^#MaxSessions .*$/MaxSessions 5/' \
- -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
# Start services /etc/init.d/apache restart +/etc/init.d/sshd start
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#?UsePAM .*$$//' \ -e 's/^#?X11Forwarding .*$$/X11Forwarding no/' \
-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/'
\
-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
-e 's/^#?AllowTcpForwarding .*$$/AllowTcpForwarding no/'-e 's/^#LogLevel INFO$/LogLevel INFO/' \
\ -e 's/^#?PermitRootLogin .*$$/PermitRootLogin yes/' \
-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords
no/' \
-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
-e 's/^#StrictModes .*$/StrictModes yes/' \
-e 's/^#MaxSessions .*$/MaxSessions 5/' \
-e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
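The thread turns on whether the wanted settings are really applied on existing installations. The following is an added example, not part of the thread or of IPFire's code: it runs the seven expressions from the update.sh hunk over a constructed sshd_config and then lists the settings that are still not set explicitly. The sample file and the `explicit_value` and `audit` helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: an existing sshd_config in which the admin already
# uncommented MaxAuthTries with another value; the rest are stock comments.
sample_config() {
cat <<'EOF'
#SyslogFacility AUTH
#LogLevel INFO
#PermitEmptyPasswords no
MaxAuthTries 6
#StrictModes yes
#MaxSessions 10
#IgnoreRhosts yes
EOF
}

# The seven expressions from the update.sh hunk, as a stdin filter (no -i).
apply_patch_sed() {
    sed -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
        -e 's/^#LogLevel INFO$/LogLevel INFO/' \
        -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
        -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
        -e 's/^#StrictModes .*$/StrictModes yes/' \
        -e 's/^#MaxSessions .*$/MaxSessions 5/' \
        -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
}

# First uncommented value of keyword $1 in the global section (before any
# Match block). sshd keeps the first value it reads for a keyword.
explicit_value() {
    awk -v k="$1" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print $2; exit }'
}

# Hypothetical audit helper: list each wanted setting that the config on
# stdin does not set explicitly to the wanted value.
audit() {
    cfg=$(cat)
    for want in "SyslogFacility AUTH" "LogLevel INFO" \
                "PermitEmptyPasswords no" "MaxAuthTries 3" \
                "StrictModes yes" "MaxSessions 5" "IgnoreRhosts yes"; do
        key=${want% *}; val=${want#* }
        got=$(printf '%s\n' "$cfg" | explicit_value "$key")
        [ "$got" = "$val" ] ||
            printf '%s: want %s, got %s\n' "$key" "$val" "${got:-unset}"
    done
}

sample_config | apply_patch_sed | audit
```

On a live system, `sshd -T` prints the effective configuration with defaults included, and `sshd -t` validates the file before the daemon is restarted.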