public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 67345f56657db75e6ec6c0ea1ba21c3bc03acaef
@ 2020-03-26 17:42 Arne Fitzenreiter
  0 siblings, 0 replies; only message in thread
From: Arne Fitzenreiter @ 2020-03-26 17:42 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  67345f56657db75e6ec6c0ea1ba21c3bc03acaef (commit)
       via  0017b688e88a7ef89161ba8a803990b02ff05413 (commit)
       via  57302eeb16c73fdbebc23c5cd58c042fc2d77f9b (commit)
       via  3fd3f4de44df53d631937ec137078eb8c0328bd4 (commit)
      from  a48d35f3ff4ff0651ea155bfc5ffabfc85cc7978 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 67345f56657db75e6ec6c0ea1ba21c3bc03acaef
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Thu Mar 26 17:41:57 2020 +0000

    core143: add openssh
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 0017b688e88a7ef89161ba8a803990b02ff05413
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Jan 20 20:05:00 2020 +0000

    ssh_config: Do not set defaults explicitly
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 57302eeb16c73fdbebc23c5cd58c042fc2d77f9b
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Jan 20 20:04:00 2020 +0000

    sshd_config: Do not set defaults explicitly
    
    In order to keep configurations as small as possible and to make them
    easier to read/audit, this patch omits all default configuration in the
    OpenSSH server configuration file.
    
    Further, it mentions where to refer for the full documentation.
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 3fd3f4de44df53d631937ec137078eb8c0328bd4
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Sat Mar 21 20:08:00 2020 +0000

    OpenSSH: update to 8.2p1
    
    Please refer to https://www.openssh.com/txt/release-8.2 for release
    announcements. Since glibc < 2.31 is used, no additional patching was
    required in order to restore correct login functionality.
    
    Cc: Marcel Lorenz <marcel.lorenz(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/openssh                    |  2 +
 .../{oldcore/100 => core/143}/filelists/openssh    |  0
 config/ssh/ssh_config                              | 27 +++++-----
 config/ssh/sshd_config                             | 62 +++++++---------------
 lfs/openssh                                        |  6 +--
 5 files changed, 38 insertions(+), 59 deletions(-)
 copy config/rootfiles/{oldcore/100 => core/143}/filelists/openssh (100%)

Difference in files:
diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh
index b41190a47..f2f8ea6c5 100644
--- a/config/rootfiles/common/openssh
+++ b/config/rootfiles/common/openssh
@@ -21,6 +21,7 @@ usr/bin/ssh-keyscan
 usr/lib/openssh/sftp-server
 usr/lib/openssh/ssh-keysign
 usr/lib/openssh/ssh-pkcs11-helper
+usr/lib/openssh/ssh-sk-helper
 usr/sbin/sshd
 #usr/share/man/man1/scp.1
 #usr/share/man/man1/sftp.1
@@ -35,4 +36,5 @@ usr/sbin/sshd
 #usr/share/man/man8/sftp-server.8
 #usr/share/man/man8/ssh-keysign.8
 #usr/share/man/man8/ssh-pkcs11-helper.8
+#usr/share/man/man8/ssh-sk-helper.8
 #usr/share/man/man8/sshd.8
diff --git a/config/rootfiles/core/143/filelists/openssh b/config/rootfiles/core/143/filelists/openssh
new file mode 120000
index 000000000..d8c77fd8e
--- /dev/null
+++ b/config/rootfiles/core/143/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index 2abfae6d1..2e2ee60c3 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -1,33 +1,32 @@
-# OpenSSH client configuration
+# OpenSSH client configuration file for IPFire
 #
-# set some basic hardening options for all connections
+# The full documentation is available at: https://man.openbsd.org/ssh_config
+#
+
+# Set some basic hardening options for all connections
 Host *
-        # disable Roaming as it is known to be vulnerable
+        # Disable Roaming as it is known to be vulnerable
         UseRoaming no
 
-        # only use secure crypto algorithm
+        # Only use secure crypto algorithms
         KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256
         Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
         MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
 
-        # always visualise server host keys (has no technical
-        # effect, but helps to identify key based MITM attacks)
+        # Always visualise server host keys (but helps to identify key based MITM attacks)
         VisualHostKey yes
 
-        # use SSHFP (might work on some up-to-date networks) to look up host keys
+        # Use SSHFP (might work on some up-to-date networks) to look up host keys
         VerifyHostKeyDNS yes
 
         # send keep-alive messages to connected server to avoid broken connections
         ServerAliveInterval 10
         ServerAliveCountMax 6
 
-        # disable X11 forwarding (security risk)
-        ForwardX11 no
-
-        # always check server IP address
-        CheckHostIP yes
-
-        # ensure only allowed authentication methods are used
+        # Ensure only allowed authentication methods are used
         PreferredAuthentications publickey,keyboard-interactive,password
 
+	# Prevent information leak by hashing ~/.ssh/known_hosts
+	HashKnownHosts yes
+
 # EOF
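Review bot: the commit removes `ForwardX11 no` and `CheckHostIP yes` on the grounds that they are upstream defaults, but the new header comment only points to the manual; a one-line remark that omitted options intentionally rely on upstream defaults would let an auditor distinguish "deliberately left at default" from "forgotten", which is the whole point of a configuration kept this small. Two smaller issues in the same hunk: `+        # Always visualise server host keys (but helps to identify key based MITM attacks)` dropped the first half of the original sentence ("has no technical effect") yet kept the "but", so it no longer parses; and the two added lines `+	# Prevent information leak by hashing ~/.ssh/known_hosts` / `+	HashKnownHosts yes` are indented with a tab while the rest of the `Host *` block uses eight spaces.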
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index a248c4906..bea5cee53 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -1,81 +1,59 @@
-# ultra-secure OpenSSH server configuration
+# OpenSSH server configuration file for IPFire
+#
+# The full documentation is available at: https://man.openbsd.org/sshd_config
+#
 
-# only allow version 2 of SSH protocol
+# Only allow version 2 of SSH protocol
 Protocol 2
 
-# listen on port 22 by default
+# Listen on port 22 by default
 Port 22
 
-# listen on these interfaces and protocols
-AddressFamily any
+# Listen on every interface and IPv4 only
+AddressFamily inet
 ListenAddress 0.0.0.0
 
-# limit authentication thresholds
+# Limit authentication timeout to 30 seconds
 LoginGraceTime 30s
-MaxAuthTries 6
 
-# limit maximum instanctes to prevent DoS
+# Limit maximum instanctes to prevent DoS
 MaxStartups 5
 
-# ensure proper logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# enforce permission checks before a login is accepted
-# (prevents damage because of hacked systems with world-writeable
-# home directories or similar)
-StrictModes yes
-
-# only allow safe crypto algorithms (may break some _very_ outdated clients)
-# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+# Only allow safe crypto algorithms (may break some _very_ outdated clients)
+# See also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
 KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
 
-# enable data compression after successful login only
-Compression delayed
-
-# only allow cryptographically safe SSH host keys (adjust paths if needed)
+# Only allow cryptographically safe SSH host keys (adjust paths if needed)
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_rsa_key
 
-# only allow login via public key by default
+# Only allow login via public key by default
 PubkeyAuthentication yes
 PasswordAuthentication no
 ChallengeResponseAuthentication no
-PermitEmptyPasswords no
 
-# permit root login as there is no other user in IPFire 2.x
+# Permit root login as there is no other user in IPFire 2.x
 PermitRootLogin yes
 
-# ignore user ~/.rhost* files
-IgnoreRhosts yes
-
-# ignore user known hosts file
+# Ignore user ~/.ssh/known_hosts file
 IgnoreUserKnownHosts yes
 
-# ignore user environments
-PermitUserEnvironment no
-
-# do not allow any kind of forwarding (provides only low security)
+# Do not allow any kind of forwarding (provides only low security);
 # some of them might need to be re-enabled if SSH server is a jump platform
-X11Forwarding no
 AllowTcpForwarding no
 AllowAgentForwarding no
-PermitTunnel no
-GatewayPorts no
 PermitOpen none
 
-# detect broken sessions by sending keep-alive messages to
-# clients (both via TCP and SSH)
-TCPKeepAlive yes
+# Detect broken sessions by sending keep-alive messages to clients via SSH connection
 ClientAliveInterval 10
 
-# close unresponsive SSH sessions which fail to answer keep-alive
+# Close unresponsive SSH sessions which fail to answer keep-alive
 ClientAliveCountMax 6
 
-# add support for SFTP
+# Add support for SFTP
 Subsystem	sftp	/usr/lib/openssh/sftp-server
 
 # EOF
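Review bot: `-AddressFamily any` / `+AddressFamily inet` is not the removal of a default but a change to a non-default value, and neither the commit message ("Do not set defaults explicitly") nor the new comment explains why; with the unchanged `ListenAddress 0.0.0.0` the daemon was already bound to IPv4 only, so the effective behaviour may not change, but a deliberate setting like this belongs in its own commit with a rationale so it is not mistaken for cleanup. Minor: `+# Limit maximum instanctes to prevent DoS` carries the typo over from the old line (should be "instances"), and `+# Do not allow any kind of forwarding (provides only low security);` now ends in a stray semicolon where the next comment line continues the sentence.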
diff --git a/lfs/openssh b/lfs/openssh
index 64e72d654..68a7d63cd 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 8.1p1
+VER        = 8.2p1
 
 THISAPP    = openssh-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 513694343631a99841e815306806edf0
+$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091
 
 install : $(TARGET)
 
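Review bot: `+$(DL_FILE)_MD5 = 3076e6413e8dbe56d33848c1054ac091` is the only integrity check the build applies to the OpenSSH tarball, and nothing in the hunk or the commit message records how the value was obtained; for a package this security-sensitive the update commit should state that the archive was checked against upstream's published release signature before the digest was recorded, so that the provenance of the pinned hash can be audited later rather than trusted implicitly.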


hooks/post-receive
--
IPFire 2.x development tree
