In order to harden OpenSSH server in IPFire, using the upstream default configuration and edit it via sed commands in LFS file is error-prone and does not scale.
Thereof we ship a custom and more secure OpenSSH server configuration which is copied into the image during build time.
The third version of this patch corrects default value where no root login was possible (default is "prohibit-password") on default installations. It also enables password-based authentication by default so rewriting this during startup becomes obsolete.
Fixes #11750 Fixes #11751 Partially fixes #11538
Signed-off-by: Peter Müller peter.mueller@link38.eu Cc: Marcel Lorenz marcel.lorenz@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org --- config/ssh/sshd_config | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 config/ssh/sshd_config
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config new file mode 100644 index 000000000..8b8e042c4 --- /dev/null +++ b/config/ssh/sshd_config @@ -0,0 +1,82 @@ +# ultra-secure OpenSSH server configuration + +# only allow version 2 of SSH protocol +Protocol 2 + +# listen on port 22 by default +Port 22 + +# listen on these interfaces and protocols +AddressFamily any +ListenAddress 0.0.0.0 +ListenAddress :: + +# limit authentication thresholds +LoginGraceTime 30s +MaxAuthTries 3 + +# limit maximum instanctes to prevent DoS +MaxStartups 5 + +# ensure proper logging +SyslogFacility AUTH +LogLevel INFO + +# enforce permission checks before a login is accepted +# (prevents damage because of hacked systems with world-writeable +# home directories or similar) +StrictModes yes + +# only allow safe crypto algorithms (may break some _very_ outdated clients) +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + +# enable data compression after successful login only +Compression delayed + +# only allow cryptographically safe SSH host keys (adjust paths if needed) +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_rsa_key + +# only allow login via public key by default +PubkeyAuthentication yes +PasswordAuthentication yes +ChallengeResponseAuthentication no +PermitEmptyPasswords no + +# permit root login as there is no other user in IPFire 2.x +PermitRootLogin yes + +# specify preferred authentication methods (public keys come first) +AuthenticationMethods publickey,password + +# ignore user ~/.rhost* files +IgnoreRhosts yes + +# ignore user known hosts file +IgnoreUserKnownHosts yes + +# ignore user environments +PermitUserEnvironment no + +# do not allow any kind of forwarding (provides only low security) +# some of them might need to be re-enabled if SSH server is a jump platform +X11Forwarding no +AllowTcpForwarding no +AllowAgentForwarding no +PermitTunnel no +GatewayPorts no +PermitOpen none + +# detect broken sessions by sending keep-alive messages to +# clients (both via TCP and SSH) +TCPKeepAlive yes +ClientAliveInterval 10 + +# close unresponsive SSH sessions which fail to answer keep-alive +ClientAliveCountMax 6 + +# EOF
On Sun, 2018-09-09 at 18:47 +0200, Peter Müller wrote:
In order to harden OpenSSH server in IPFire, using the upstream default configuration and edit it via sed commands in LFS file is error-prone and does not scale.
Thereof we ship a custom and more secure OpenSSH server configuration which is copied into the image during build time.
The third version of this patch corrects default value where no root login was possible (default is "prohibit-password") on default installations. It also enables password-based authentication by default so rewriting this during startup becomes obsolete.
Fixes #11750 Fixes #11751 Partially fixes #11538
Signed-off-by: Peter Müller peter.mueller@link38.eu Cc: Marcel Lorenz marcel.lorenz@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org
config/ssh/sshd_config | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 config/ssh/sshd_config
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config new file mode 100644 index 000000000..8b8e042c4 --- /dev/null +++ b/config/ssh/sshd_config @@ -0,0 +1,82 @@ +# ultra-secure OpenSSH server configuration
+# only allow version 2 of SSH protocol +Protocol 2
+# listen on port 22 by default +Port 22
+# listen on these interfaces and protocols +AddressFamily any +ListenAddress 0.0.0.0 +ListenAddress ::
+# limit authentication thresholds +LoginGraceTime 30s +MaxAuthTries 3
+# limit maximum instanctes to prevent DoS +MaxStartups 5
+# ensure proper logging +SyslogFacility AUTH +LogLevel INFO
+# enforce permission checks before a login is accepted +# (prevents damage because of hacked systems with world-writeable +# home directories or similar) +StrictModes yes
+# only allow safe crypto algorithms (may break some _very_ outdated clients) +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange- sha256 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+# enable data compression after successful login only +Compression delayed
+# only allow cryptographically safe SSH host keys (adjust paths if needed) +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_rsa_key
+# only allow login via public key by default +PubkeyAuthentication yes +PasswordAuthentication yes
We cannot enable PasswordAuthentication in the image by default.
+ChallengeResponseAuthentication no +PermitEmptyPasswords no
+# permit root login as there is no other user in IPFire 2.x +PermitRootLogin yes
+# specify preferred authentication methods (public keys come first) +AuthenticationMethods publickey,password
+# ignore user ~/.rhost* files +IgnoreRhosts yes
+# ignore user known hosts file +IgnoreUserKnownHosts yes
+# ignore user environments +PermitUserEnvironment no
+# do not allow any kind of forwarding (provides only low security) +# some of them might need to be re-enabled if SSH server is a jump platform +X11Forwarding no +AllowTcpForwarding no +AllowAgentForwarding no +PermitTunnel no +GatewayPorts no +PermitOpen none
+# detect broken sessions by sending keep-alive messages to +# clients (both via TCP and SSH) +TCPKeepAlive yes +ClientAliveInterval 10
+# close unresponsive SSH sessions which fail to answer keep-alive +ClientAliveCountMax 6
+# EOF
On Sun, 2018-09-09 at 18:24 +0100, Michael Tremer wrote:
On Sun, 2018-09-09 at 18:47 +0200, Peter Müller wrote:
In order to harden OpenSSH server in IPFire, using the upstream default configuration and edit it via sed commands in LFS file is error-prone and does not scale.
Thereof we ship a custom and more secure OpenSSH server configuration which is copied into the image during build time.
The third version of this patch corrects default value where no root login was possible (default is "prohibit-password") on default installations. It also enables password-based authentication by default so rewriting this during startup becomes obsolete.
Fixes #11750 Fixes #11751 Partially fixes #11538
Signed-off-by: Peter Müller peter.mueller@link38.eu Cc: Marcel Lorenz marcel.lorenz@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org
config/ssh/sshd_config | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 config/ssh/sshd_config
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config new file mode 100644 index 000000000..8b8e042c4 --- /dev/null +++ b/config/ssh/sshd_config @@ -0,0 +1,82 @@ +# ultra-secure OpenSSH server configuration
+# only allow version 2 of SSH protocol +Protocol 2
+# listen on port 22 by default +Port 22
+# listen on these interfaces and protocols +AddressFamily any +ListenAddress 0.0.0.0 +ListenAddress ::
+# limit authentication thresholds +LoginGraceTime 30s +MaxAuthTries 3
Unfortunately I overlooked this line which rendered the final image of Core 124 unusable. With my three host keys, I did not get the password login prompt and could not login.
This is a huge usability issue and therefore I changed it back to the default of 6.
The current update on the servers ships this change and might render SSH login impossible for some users. Arne is rebuilding the whole release right now and will distribute new images soon.
More details are in my commit message:
https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=0a5823db023c32135b1c...
-Michael
+# limit maximum instanctes to prevent DoS +MaxStartups 5
+# ensure proper logging +SyslogFacility AUTH +LogLevel INFO
+# enforce permission checks before a login is accepted +# (prevents damage because of hacked systems with world-writeable +# home directories or similar) +StrictModes yes
+# only allow safe crypto algorithms (may break some _very_ outdated clients) +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange- sha256 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+# enable data compression after successful login only +Compression delayed
+# only allow cryptographically safe SSH host keys (adjust paths if needed) +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_rsa_key
+# only allow login via public key by default +PubkeyAuthentication yes +PasswordAuthentication yes
We cannot enable PasswordAuthentication in the image by default.
+ChallengeResponseAuthentication no +PermitEmptyPasswords no
+# permit root login as there is no other user in IPFire 2.x +PermitRootLogin yes
+# specify preferred authentication methods (public keys come first) +AuthenticationMethods publickey,password
+# ignore user ~/.rhost* files +IgnoreRhosts yes
+# ignore user known hosts file +IgnoreUserKnownHosts yes
+# ignore user environments +PermitUserEnvironment no
+# do not allow any kind of forwarding (provides only low security) +# some of them might need to be re-enabled if SSH server is a jump platform +X11Forwarding no +AllowTcpForwarding no +AllowAgentForwarding no +PermitTunnel no +GatewayPorts no +PermitOpen none
+# detect broken sessions by sending keep-alive messages to +# clients (both via TCP and SSH) +TCPKeepAlive yes +ClientAliveInterval 10
+# close unresponsive SSH sessions which fail to answer keep-alive +ClientAliveCountMax 6
+# EOF
-
Michael Tremer -
Peter Müller