This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 67345f56657db75e6ec6c0ea1ba21c3bc03acaef (commit) via 0017b688e88a7ef89161ba8a803990b02ff05413 (commit) via 57302eeb16c73fdbebc23c5cd58c042fc2d77f9b (commit) via 3fd3f4de44df53d631937ec137078eb8c0328bd4 (commit) from a48d35f3ff4ff0651ea155bfc5ffabfc85cc7978 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 67345f56657db75e6ec6c0ea1ba21c3bc03acaef Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Mar 26 17:41:57 2020 +0000
core143: add openssh
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0017b688e88a7ef89161ba8a803990b02ff05413 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jan 20 20:05:00 2020 +0000
ssh_config: Do not set defaults explicitly
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 57302eeb16c73fdbebc23c5cd58c042fc2d77f9b Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jan 20 20:04:00 2020 +0000
sshd_config: Do not set defaults explicitly
In order to keep configurations as small as possible and to make them easier to read/audit, this patch omits all default configuration in the OpenSSH server configuration file.
Further, it mentions where to refer for the full documentation.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3fd3f4de44df53d631937ec137078eb8c0328bd4 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Mar 21 20:08:00 2020 +0000
OpenSSH: update to 8.2p1
Please refer to https://www.openssh.com/txt/release-8.2 for release announcements. Since glibc < 2.31 is used, no additional patching was required in order to restore correct login functionality.
Cc: Marcel Lorenz marcel.lorenz@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/common/openssh | 2 + .../{oldcore/100 => core/143}/filelists/openssh | 0 config/ssh/ssh_config | 27 +++++----- config/ssh/sshd_config | 62 +++++++--------------- lfs/openssh | 6 +-- 5 files changed, 38 insertions(+), 59 deletions(-) copy config/rootfiles/{oldcore/100 => core/143}/filelists/openssh (100%)
Difference in files: diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh index b41190a47..f2f8ea6c5 100644 --- a/config/rootfiles/common/openssh +++ b/config/rootfiles/common/openssh @@ -21,6 +21,7 @@ usr/bin/ssh-keyscan usr/lib/openssh/sftp-server usr/lib/openssh/ssh-keysign usr/lib/openssh/ssh-pkcs11-helper +usr/lib/openssh/ssh-sk-helper usr/sbin/sshd #usr/share/man/man1/scp.1 #usr/share/man/man1/sftp.1 @@ -35,4 +36,5 @@ usr/sbin/sshd #usr/share/man/man8/sftp-server.8 #usr/share/man/man8/ssh-keysign.8 #usr/share/man/man8/ssh-pkcs11-helper.8 +#usr/share/man/man8/ssh-sk-helper.8 #usr/share/man/man8/sshd.8 diff --git a/config/rootfiles/core/143/filelists/openssh b/config/rootfiles/core/143/filelists/openssh new file mode 120000 index 000000000..d8c77fd8e --- /dev/null +++ b/config/rootfiles/core/143/filelists/openssh @@ -0,0 +1 @@ +../../../common/openssh \ No newline at end of file diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 2abfae6d1..2e2ee60c3 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -1,33 +1,32 @@ -# OpenSSH client configuration +# OpenSSH client configuration file for IPFire # -# set some basic hardening options for all connections +# The full documentation is available at: https://man.openbsd.org/ssh_config +# + +# Set some basic hardening options for all connections Host * - # disable Roaming as it is known to be vulnerable + # Disable Roaming as it is known to be vulnerable UseRoaming no
- # only use secure crypto algorithm + # Only use secure crypto algorithms KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- # always visualise server host keys (has no technical - # effect, but helps to identify key based MITM attacks) + # Always visualise server host keys (but helps to identify key based MITM attacks) VisualHostKey yes
- # use SSHFP (might work on some up-to-date networks) to look up host keys + # Use SSHFP (might work on some up-to-date networks) to look up host keys VerifyHostKeyDNS yes
# send keep-alive messages to connected server to avoid broken connections ServerAliveInterval 10 ServerAliveCountMax 6
- # disable X11 forwarding (security risk) - ForwardX11 no - - # always check server IP address - CheckHostIP yes - - # ensure only allowed authentication methods are used + # Ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password
+ # Prevent information leak by hashing ~/.ssh/known_hosts + HashKnownHosts yes + # EOF diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index a248c4906..bea5cee53 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -1,81 +1,59 @@ -# ultra-secure OpenSSH server configuration +# OpenSSH server configuration file for IPFire +# +# The full documentation is available at: https://man.openbsd.org/sshd_config +#
-# only allow version 2 of SSH protocol +# Only allow version 2 of SSH protocol Protocol 2
-# listen on port 22 by default +# Listen on port 22 by default Port 22
-# listen on these interfaces and protocols -AddressFamily any +# Listen on every interface and IPv4 only +AddressFamily inet ListenAddress 0.0.0.0
-# limit authentication thresholds +# Limit authentication timeout to 30 seconds LoginGraceTime 30s -MaxAuthTries 6
-# limit maximum instanctes to prevent DoS +# Limit maximum instanctes to prevent DoS MaxStartups 5
-# ensure proper logging -SyslogFacility AUTH -LogLevel INFO - -# enforce permission checks before a login is accepted -# (prevents damage because of hacked systems with world-writeable -# home directories or similar) -StrictModes yes - -# only allow safe crypto algorithms (may break some _very_ outdated clients) -# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html +# Only allow safe crypto algorithms (may break some _very_ outdated clients) +# See also: https://stribika.github.io/2015/01/04/secure-secure-shell.html KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-# enable data compression after successful login only -Compression delayed - -# only allow cryptographically safe SSH host keys (adjust paths if needed) +# Only allow cryptographically safe SSH host keys (adjust paths if needed) HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_rsa_key
-# only allow login via public key by default +# Only allow login via public key by default PubkeyAuthentication yes PasswordAuthentication no ChallengeResponseAuthentication no -PermitEmptyPasswords no
-# permit root login as there is no other user in IPFire 2.x +# Permit root login as there is no other user in IPFire 2.x PermitRootLogin yes
-# ignore user ~/.rhost* files -IgnoreRhosts yes - -# ignore user known hosts file +# Ignore user ~/.ssh/known_hosts file IgnoreUserKnownHosts yes
-# ignore user environments -PermitUserEnvironment no - -# do not allow any kind of forwarding (provides only low security) +# Do not allow any kind of forwarding (provides only low security); # some of them might need to be re-enabled if SSH server is a jump platform -X11Forwarding no AllowTcpForwarding no AllowAgentForwarding no -PermitTunnel no -GatewayPorts no PermitOpen none
-# detect broken sessions by sending keep-alive messages to -# clients (both via TCP and SSH) -TCPKeepAlive yes +# Detect broken sessions by sending keep-alive messages to clients via SSH connection ClientAliveInterval 10
-# close unresponsive SSH sessions which fail to answer keep-alive +# Close unresponsive SSH sessions which fail to answer keep-alive ClientAliveCountMax 6
-# add support for SFTP +# Add support for SFTP Subsystem sftp /usr/lib/openssh/sftp-server
# EOF diff --git a/lfs/openssh b/lfs/openssh index 64e72d654..68a7d63cd 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 8.1p1 +VER = 8.2p1
THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 513694343631a99841e815306806edf0 +$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091
install : $(TARGET)
hooks/post-receive -- IPFire 2.x development tree