diff mbox series

[2/3] enable "StrictModes" for OpenSSH

Message ID	49166866-c3a2-06a4-dae9-21784c9c88ae@link38.eu
State	Superseded
Headers	To: "IPFire: Development-List" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu> Subject: [PATCH 2/3] enable "StrictModes" for OpenSSH Openpgp: preference=signencrypt Message-ID: <49166866-c3a2-06a4-dae9-21784c9c88ae@link38.eu> Date: Tue, 1 May 2018 14:43:52 +0200 MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Ph2z06wy3xWD5tsiN0YTfLgvQTxyrcCOP" ipnet: 37.120.160.0/19(-4.95), asn: 197540(-3.96), country: DE(-0.09)]; RCVD_IN_DNSWL_MED(-2.00)[53.167.120.37.list.dnswl.org : 127.0.6.2]; RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[]; MX_GOOD(-0.01)[cached: mx-nbg.link38.eu]; HAS_ATTACHMENT(0.00)[]; BAYES_HAM(-3.00)[100.00%]; DKIM_TRACE(0.00)[link38.eu:+]; TO_DN_ALL(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:37.120.167.53]; RCPT_COUNT_ONE(0.00)[1]; DMARC_POLICY_ALLOW(-0.25)[link38.eu,none]; FROM_EQ_ENVFROM(0.00)[]; MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[link38.eu]; ASN(0.00)[asn:197540, ipnet:37.120.160.0/19, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[] Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	[1/3] apply logging settings for OpenSSH correctly \| [1/3] apply logging settings for OpenSSH correctly [2/3] enable "StrictModes" for OpenSSH

Commit Message

Peter Müller May 1, 2018, 10:43 p.m. UTC

  Always make sure permissions of .ssh/authorized_keys
are checked. This prevents word-writeable keyfiles from
being processed, reducing attack surface after misconfiguration.

Partially addresses #11538 and depends on patch 1/3.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/rootfiles/core/121/update.sh | 3 ++-
 lfs/openssh                         | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

Comments

Michael Tremer May 30, 2018, 9:29 p.m. UTC | #1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Acked.

On Tue, 2018-05-01 at 14:43 +0200, Peter Müller wrote:
> Always make sure permissions of .ssh/authorized_keys
> are checked. This prevents word-writeable keyfiles from
> being processed, reducing attack surface after misconfiguration.
> 
> Partially addresses #11538 and depends on patch 1/3.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  config/rootfiles/core/121/update.sh | 3 ++-
>  lfs/openssh                         | 1 +
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/config/rootfiles/core/121/update.sh
> b/config/rootfiles/core/121/update.sh
> index 5b8f2c86e..3ec251292 100644
> --- a/config/rootfiles/core/121/update.sh
> +++ b/config/rootfiles/core/121/update.sh
> @@ -59,7 +59,8 @@ rm -rvf \
>  # Update SSH configuration
>  sed -i /etc/ssh/sshd_config \
>  	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> -	-e 's/^#LogLevel INFO$/LogLevel INFO/'
> +	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> +	-e 's/^#StrictModes .*$/StrictModes yes/'
>  
>  # Start services
>  /etc/init.d/sshd restart
> diff --git a/lfs/openssh b/lfs/openssh
> index 46561953d..7e8468ac9 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
>  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
> +		-e 's/^#StrictModes .*$/StrictModes yes/' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
-----BEGIN PGP SIGNATURE-----

iQIyBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlsOix8ACgkQgHnw/2+Q
CQeRCA/1Fig9mXCSrLVkHLRxFEV6h+HDAFDO+vWAZXc6w7HarRGVCcA2bd/tGcYq
/IGkEEAi8h3q3PBfML5c40QyV0Pjl7S1zWW4zElSM3RtRnUfvTNMMTL/UfqWGSgt
JF9aBCI/luaAyKtOYhBMzgRsvO6J5ZzJUJfXw9OSVXS7QHsGKdLdaHGRvmG7+LyO
qsRTWn84IOHVff013VSyw9hYtpO4ykJn0Z6FdLhql6DUgT8I2HaQW+Bosb1osqYJ
ZTCfSGzhARETjhg6JxALSritm+2sdJ1TKqLgvDO7MfHZSLT8MQoqur5ikbW5qAFk
xxgCIkTf+boATAl7j1igscyDghvwjl/fQtK7qJDqO5Y/vcotPeEW/LLXLd9UaXeY
9O4BQL1/xNniHvKDyGuCDYiW53VljMw4ilAP06RgAot40qp/vwupf44+GWcIcWit
j8SAADHAlNYEkANvuYSnLu8ywdnkGOf5sWtNJW/LCBbbFhZGruWJvf4KRai5BHF9
oiL2BEjtyMXQ7RFmItXBbJO64C8Qwh74VvPIZ7QFCdPUA2LaCEgc00tnUhQTABsj
lyVbvOL0HNPiKkXwzd9mBI0RdmQRYAJe7b8hzW3CA6r2WbbngARJY7OFia7n8NUA
QHH1bIgsgPbYjHeLhNEazxOABfc5zKlGRktIBy3lNZVSbdrkAg==
=ILbC
-----END PGP SIGNATURE-----

diff mbox series

Patch

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 5b8f2c86e..3ec251292 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -59,7 +59,8 @@  rm -rvf \
 # Update SSH configuration
 sed -i /etc/ssh/sshd_config \
 	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
-	-e 's/^#LogLevel INFO$/LogLevel INFO/'
+	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
+	-e 's/^#StrictModes .*$/StrictModes yes/'
 
 # Start services
 /etc/init.d/sshd restart
diff --git a/lfs/openssh b/lfs/openssh
index 46561953d..7e8468ac9 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -95,6 +95,7 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
 		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
 		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
+		-e 's/^#StrictModes .*$/StrictModes yes/' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \