harden authentication and logging in OpenSSH server configuration

Message ID 45328527-782f-5737-5207-ca6936b5ece7@link38.eu
State Superseded
Headers
Series harden authentication and logging in OpenSSH server configuration |

Commit Message

Peter Müller April 29, 2018, 7:16 p.m. UTC
  Update some values in the OpenSSH server configuration at
/etc/ssh/sshd_config to secure values. Changes are also applied
on existing installations via update.sh script.

This partly solves #11538 and performs these changes:
- never accept empty passwords for authentication
- make sure OpenSSH always logs properly
- make sure permissions of .ssh/authorized_keys are checked (StrictModes)
- limit maximum concurring sessions to 5
- make sure custom rhosts files are always ignored
- limit maximum authentication tries to 3

The logging options were not applied during build correctly,
which is fixed now. Changes are not expected to break existing
systems.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/rootfiles/core/121/update.sh | 12 ++++++++++++
 lfs/openssh                         |  9 +++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
  

Comments

Michael Tremer April 30, 2018, 9:07 p.m. UTC | #1
Hi,

I need more explanation to understand and accept this patch. You are very often
just stating what you are doing but not why.

On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
> Update some values in the OpenSSH server configuration at
> /etc/ssh/sshd_config to secure values. Changes are also applied
> on existing installations via update.sh script.
> 
> This partly solves #11538 and performs these changes:
> - never accept empty passwords for authentication

That was default. No change needed really.

> - make sure OpenSSH always logs properly

What went wrong before?

> - make sure permissions of .ssh/authorized_keys are checked (StrictModes)

ACK.

> - limit maximum concurring sessions to 5

???

> - make sure custom rhosts files are always ignored

That was default as well

> - limit maximum authentication tries to 3

This is also default.

> The logging options were not applied during build correctly,
> which is fixed now. Changes are not expected to break existing
> systems.

Expected?

There is no need to stop the ssh daemon when running the update. That will cause
that users who are running the update via SSH are losing their connection.

A restart at the very end is sufficient.

-Michael

> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  config/rootfiles/core/121/update.sh | 12 ++++++++++++
>  lfs/openssh                         |  9 +++++++--
>  2 files changed, 19 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/core/121/update.sh
> b/config/rootfiles/core/121/update.sh
> index 87d5f6ebd..d3ceb84aa 100644
> --- a/config/rootfiles/core/121/update.sh
> +++ b/config/rootfiles/core/121/update.sh
> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
>  done
>  
>  # Stop services
> +/etc/init.d/sshd stop
>  
>  # Extract files
>  extract_files
> @@ -56,8 +57,19 @@ rm -rvf \
>  	/usr/share/nagios/ \
>  	/var/nagios/
>  
> +# Update SSH configuration
> +sed -i /etc/ssh/sshd_config \
> +	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> +	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> +	-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
> +	-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
> +	-e 's/^#StrictModes .*$/StrictModes yes/' \
> +	-e 's/^#MaxSessions .*$/MaxSessions 5/' \
> +	-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
> +
>  # Start services
>  /etc/init.d/apache restart
> +/etc/init.d/sshd start
>  
>  # This update needs a reboot...
>  touch /var/run/need_reboot
> diff --git a/lfs/openssh b/lfs/openssh
> index 203446370..90279ac98 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  		-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
> yes/' \
>  		-e 's/^#\?UsePAM .*$$//' \
>  		-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
> -		-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
> -		-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
> +		-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> +		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
>  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
> +		-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
> +		-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
> +		-e 's/^#StrictModes .*$/StrictModes yes/' \
> +		-e 's/^#MaxSessions .*$/MaxSessions 5/' \
> +		-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
  
Peter Müller May 1, 2018, 10:27 p.m. UTC | #2
Hello Michael,
> Hi,
> 
> I need more explanation to understand and accept this patch. You are very often
> just stating what you are doing but not why.
Okay, thanks for the hint.

The intention here is to solve all items listed at https://bugzilla.ipfire.org/show_bug.cgi?id=11538 .
Some of them are enabled by default already, as you mentioned below, but I do not
consider default values very stable and want to make sure the settings we/I wish
are really applied.

Since the item list in #11538 is quite mixed, I consider it a better idea to send
in a patch for each one so we can argue about each patch separately and the whole
thing does not break down because of one singe patch not being applied. :-)

By the way: There were some commits (updated NRPE, ca-certificates) you merged
the other day. Is there a reason why they are not showing up at Git? Sorry for
being impatient here.

Best regards,
Peter Müller

> 
> On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
>> Update some values in the OpenSSH server configuration at
>> /etc/ssh/sshd_config to secure values. Changes are also applied
>> on existing installations via update.sh script.
>>
>> This partly solves #11538 and performs these changes:
>> - never accept empty passwords for authentication
> 
> That was default. No change needed really.
> 
>> - make sure OpenSSH always logs properly
> 
> What went wrong before?
> 
>> - make sure permissions of .ssh/authorized_keys are checked (StrictModes)
> 
> ACK.
OK.
> 
>> - limit maximum concurring sessions to 5
> 
> ???
> 
>> - make sure custom rhosts files are always ignored
> 
> That was default as well
> 
>> - limit maximum authentication tries to 3
> 
> This is also default.
> 
>> The logging options were not applied during build correctly,
>> which is fixed now. Changes are not expected to break existing
>> systems.
> 
> Expected?
> 
> There is no need to stop the ssh daemon when running the update. That will cause
> that users who are running the update via SSH are losing their connection.
Thanks. Will include that in a second version of this patch.
> 
> A restart at the very end is sufficient.
> 
> -Michael
> 
>>
>> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
>> ---
>>  config/rootfiles/core/121/update.sh | 12 ++++++++++++
>>  lfs/openssh                         |  9 +++++++--
>>  2 files changed, 19 insertions(+), 2 deletions(-)
>>
>> diff --git a/config/rootfiles/core/121/update.sh
>> b/config/rootfiles/core/121/update.sh
>> index 87d5f6ebd..d3ceb84aa 100644
>> --- a/config/rootfiles/core/121/update.sh
>> +++ b/config/rootfiles/core/121/update.sh
>> @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
>>  done
>>  
>>  # Stop services
>> +/etc/init.d/sshd stop
>>  
>>  # Extract files
>>  extract_files
>> @@ -56,8 +57,19 @@ rm -rvf \
>>  	/usr/share/nagios/ \
>>  	/var/nagios/
>>  
>> +# Update SSH configuration
>> +sed -i /etc/ssh/sshd_config \
>> +	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> +	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
>> +	-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
>> +	-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
>> +	-e 's/^#StrictModes .*$/StrictModes yes/' \
>> +	-e 's/^#MaxSessions .*$/MaxSessions 5/' \
>> +	-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
>> +
>>  # Start services
>>  /etc/init.d/apache restart
>> +/etc/init.d/sshd start
>>  
>>  # This update needs a reboot...
>>  touch /var/run/need_reboot
>> diff --git a/lfs/openssh b/lfs/openssh
>> index 203446370..90279ac98 100644
>> --- a/lfs/openssh
>> +++ b/lfs/openssh
>> @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  		-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
>> yes/' \
>>  		-e 's/^#\?UsePAM .*$$//' \
>>  		-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
>> -		-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
>> -		-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
>> +		-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>> +		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
>>  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>>  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
>> +		-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
>> +		-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
>> +		-e 's/^#StrictModes .*$/StrictModes yes/' \
>> +		-e 's/^#MaxSessions .*$/MaxSessions 5/' \
>> +		-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
>>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
  
Michael Tremer May 30, 2018, 9:26 p.m. UTC | #3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Tue, 2018-05-01 at 14:27 +0200, Peter Müller wrote:
> Hello Michael,
> > Hi,
> > 
> > I need more explanation to understand and accept this patch. You are very
> > often
> > just stating what you are doing but not why.
> 
> Okay, thanks for the hint.
> 
> The intention here is to solve all items listed at https://bugzilla.ipfire.org
> /show_bug.cgi?id=11538 .
> Some of them are enabled by default already, as you mentioned below, but I do
> not
> consider default values very stable and want to make sure the settings we/I
> wish
> are really applied.
> 
> Since the item list in #11538 is quite mixed, I consider it a better idea to
> send
> in a patch for each one so we can argue about each patch separately and the
> whole
> thing does not break down because of one singe patch not being applied. :-)

That's *always* the way to go.

> 
> By the way: There were some commits (updated NRPE, ca-certificates) you merged
> the other day. Is there a reason why they are not showing up at Git? Sorry for
> being impatient here.
> 
> Best regards,
> Peter Müller
> 
> > 
> > On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
> > > Update some values in the OpenSSH server configuration at
> > > /etc/ssh/sshd_config to secure values. Changes are also applied
> > > on existing installations via update.sh script.
> > > 
> > > This partly solves #11538 and performs these changes:
> > > - never accept empty passwords for authentication
> > 
> > That was default. No change needed really.
> > 
> > > - make sure OpenSSH always logs properly
> > 
> > What went wrong before?
> > 
> > > - make sure permissions of .ssh/authorized_keys are checked (StrictModes)
> > 
> > ACK.
> 
> OK.
> > 
> > > - limit maximum concurring sessions to 5
> > 
> > ???
> > 
> > > - make sure custom rhosts files are always ignored
> > 
> > That was default as well
> > 
> > > - limit maximum authentication tries to 3
> > 
> > This is also default.
> > 
> > > The logging options were not applied during build correctly,
> > > which is fixed now. Changes are not expected to break existing
> > > systems.
> > 
> > Expected?
> > 
> > There is no need to stop the ssh daemon when running the update. That will
> > cause
> > that users who are running the update via SSH are losing their connection.
> 
> Thanks. Will include that in a second version of this patch.
> > 
> > A restart at the very end is sufficient.
> > 
> > -Michael
> > 
> > > 
> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > ---
> > >  config/rootfiles/core/121/update.sh | 12 ++++++++++++
> > >  lfs/openssh                         |  9 +++++++--
> > >  2 files changed, 19 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/config/rootfiles/core/121/update.sh
> > > b/config/rootfiles/core/121/update.sh
> > > index 87d5f6ebd..d3ceb84aa 100644
> > > --- a/config/rootfiles/core/121/update.sh
> > > +++ b/config/rootfiles/core/121/update.sh
> > > @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
> > >  done
> > >  
> > >  # Stop services
> > > +/etc/init.d/sshd stop
> > >  
> > >  # Extract files
> > >  extract_files
> > > @@ -56,8 +57,19 @@ rm -rvf \
> > >  	/usr/share/nagios/ \
> > >  	/var/nagios/
> > >  
> > > +# Update SSH configuration
> > > +sed -i /etc/ssh/sshd_config \
> > > +	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> > > +	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> > > +	-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
> > > +	-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
> > > +	-e 's/^#StrictModes .*$/StrictModes yes/' \
> > > +	-e 's/^#MaxSessions .*$/MaxSessions 5/' \
> > > +	-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
> > > +
> > >  # Start services
> > >  /etc/init.d/apache restart
> > > +/etc/init.d/sshd start
> > >  
> > >  # This update needs a reboot...
> > >  touch /var/run/need_reboot
> > > diff --git a/lfs/openssh b/lfs/openssh
> > > index 203446370..90279ac98 100644
> > > --- a/lfs/openssh
> > > +++ b/lfs/openssh
> > > @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > >  		-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts
> > > yes/' \
> > >  		-e 's/^#\?UsePAM .*$$//' \
> > >  		-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
> > > -		-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/'
> > > \
> > > -		-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
> > > +		-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> > > +		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> > >  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/'
> > > \
> > >  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
> > > +		-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords
> > > no/' \
> > > +		-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
> > > +		-e 's/^#StrictModes .*$/StrictModes yes/' \
> > > +		-e 's/^#MaxSessions .*$/MaxSessions 5/' \
> > > +		-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
> > >  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
> > >  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
> > >  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
> 
> 
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlsOikkACgkQgHnw/2+Q
CQec6w//QQlUJE+AHWTc4o4VHqcVExOkvfwAQ9YEM21TO3tttV5WE2GA8xAY6RLA
ynLe0vusqTYoaOL0iXTUKSW/FSSmk0KYba+r4jG8+qhCFz26bR6ERUcs29Ix+G2A
OYpf3fUakaB6paqLVmoRXaEV6FraTDipzVwuzhiViErqmrKjcXDo4C0H0xFgaSXg
Oxr2EPR03zZ1TUkqAKuvYfXbDjB1f3+ZyE6cRKTCAhl/uf71A/JiSwcptaIps5/6
SxpMK5opx5tfm3OOjTMp1SW2DdEunmoLGa7y2TlnHiRHWnTYpFl+aMOPNCblexLD
5UZqEn6OsYBdTZR2mgb8eeanwC7D2HZAx0/kC7z+non3ZYS043annTQygeBMVdeg
/AzkWKJ+TYBSt8ntgm+G6jILt5iWy9LsNmvgEkccV5xc/GCxn3cfU/c7mA5pjSXF
sr15LrBnET0DDotkOhXOUTm52RIN0dqlsQD+hX4uAoUtW2hTe48rYxprpTVnwJxn
4aafnwXTmJQvNssKvYIzgU9zfX1bbUxL+18o0mTCmy06CFOxbwpVoQXvGlhaRqcZ
WiTlYy7zWU+RIXtLGHNdPngYUUA6JQ3/4bZ28pqqlOBUHiMTGi8ruzBBlEFiGZBw
zEFvhyJYxoVcKidoXwo29atpJ/1fZDVb0xMNCoqJ3HHOByvraJI=
=6d5H
-----END PGP SIGNATURE-----
  

Patch

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 87d5f6ebd..d3ceb84aa 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -32,6 +32,7 @@  for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+/etc/init.d/sshd stop
 
 # Extract files
 extract_files
@@ -56,8 +57,19 @@  rm -rvf \
 	/usr/share/nagios/ \
 	/var/nagios/
 
+# Update SSH configuration
+sed -i /etc/ssh/sshd_config \
+	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
+	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
+	-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
+	-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
+	-e 's/^#StrictModes .*$/StrictModes yes/' \
+	-e 's/^#MaxSessions .*$/MaxSessions 5/' \
+	-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
+
 # Start services
 /etc/init.d/apache restart
+/etc/init.d/sshd start
 
 # This update needs a reboot...
 touch /var/run/need_reboot
diff --git a/lfs/openssh b/lfs/openssh
index 203446370..90279ac98 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -91,10 +91,15 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \
 		-e 's/^#\?UsePAM .*$$//' \
 		-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
-		-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
-		-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
+		-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
+		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
 		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
 		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
+		-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
+		-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
+		-e 's/^#StrictModes .*$/StrictModes yes/' \
+		-e 's/^#MaxSessions .*$/MaxSessions 5/' \
+		-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \