[3/3] OpenSSH: use safer cryptography defaults

Message ID 60141712-0583-e014-ad5d-d423587566a3@link38.eu
State Superseded

Commit Message

Peter Müller May 1, 2018, 10:53 p.m. UTC
By default, OpenSSH uses crypto algorithms such as SHA1, which are
considered insecure and should not be used anymore. This patch
updates the used ciphers, message-digest algorithms and key exchange
algorithms according to https://stribika.github.io/2015/01/04/secure-secure-shell.html .

For the kex algo "diffie-hellman-group-exchange-sha256", an intact
SSH moduli file is required. To make sure we are not falling back
to insecure crypto here, its presence is checked at SSH startup.

On my machines, this file was already there, but it makes sense to
me to double-check this. This patch should not make problems except
for very outdated OpenSSH clients (older than 6.x) or PuTTY versions.

This partially addresses #11538 and requires patch 2/3.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/rootfiles/core/121/update.sh |  6 +++++-
 lfs/openssh                         |  4 ++++
 src/initscripts/system/sshd         | 12 ++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
  

Comments

Peter Müller May 17, 2018, 1:39 a.m. UTC | #1
Hello *,

could somebody have a look at this sometime?

If possible, I'd like to add this to the upcoming Core 121, too
- in case we are not becoming too big with the new kernel already.

Thanks, and best regards,
Peter Müller


> By default, OpenSSH uses crypto algorithms such as SHA1, which are
> considered insecure and should not be used anymore. This patch
> updates the used ciphers, message-digest algorithms and key exchange
> algorithms according https://stribika.github.io/2015/01/04/secure-secure-shell.html .
> 
> For the kex algo "diffie-hellman-group-exchange-sha256", an intact
> SSH moduli file is required. To make sure we are not falling back
> to insecure crypto here, its presence is checked at SSH startup.
> 
> On my machines, this file was already there, but it makes sense to
> me to double-check this. This patch should not make problems except
> for very outdated OpenSSH clients (older than 6.x) or PuTTY versions.
> 
> This partially addresses #11538 and requires patch 2/3.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  config/rootfiles/core/121/update.sh |  6 +++++-
>  lfs/openssh                         |  4 ++++
>  src/initscripts/system/sshd         | 12 ++++++++++++
>  3 files changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
> index 3ec251292..99c174156 100644
> --- a/config/rootfiles/core/121/update.sh
> +++ b/config/rootfiles/core/121/update.sh
> @@ -60,7 +60,11 @@ rm -rvf \
>  sed -i /etc/ssh/sshd_config \
>  	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>  	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> -	-e 's/^#StrictModes .*$/StrictModes yes/'
> +	-e 's/^#StrictModes .*$/StrictModes yes/' \
> +	-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\
> +			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\
> +			KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\
> +			#RekeyLimit default none/'
>  
>  # Start services
>  /etc/init.d/sshd restart
> diff --git a/lfs/openssh b/lfs/openssh
> index 7e8468ac9..3043501a2 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
>  		-e 's/^#StrictModes .*$/StrictModes yes/' \
> +		-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\
> +			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\
> +			KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\
> +			#RekeyLimit default none/' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
> diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd
> index 7b4092d38..d7958e800 100644
> --- a/src/initscripts/system/sshd
> +++ b/src/initscripts/system/sshd
> @@ -23,6 +23,18 @@ case "$1" in
>  		evaluate_retval
>  	done
>  
> +	# Make sure moduli file is properly present
> +	# (https://stribika.github.io/2015/01/04/secure-secure-shell.html)
> +	modulifile="/etc/ssh/moduli"
> +	if [ ! -e "${modulifile}" ]; then
> +		boot_mesg "Generating SSH moduli file (this may take a while)..."
> +
> +		ssh-keygen -G /etc/ssh/moduli.all -b 4096
> +		ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
> +		mv /etc/ssh/moduli.safe /etc/ssh/moduli
> +		rm -f /etc/ssh/moduli.all
> +	fi
> +
>          [ -e "/var/ipfire/remote/enablessh" ] || exit 0 # SSH is not enabled
>          boot_mesg "Starting SSH Server..."
>          loadproc /usr/sbin/sshd 
>
  
Michael Tremer May 18, 2018, 11:43 p.m. UTC | #2

Hello,

you will need to break up patches into smaller chunks. This is a bit harder to
review than it should be.

On Tue, 2018-05-01 at 14:53 +0200, Peter Müller wrote:
> By default, OpenSSH uses crypto algorithms such as SHA1, which are
> considered insecure and should not be used anymore. This patch
> updates the used ciphers, message-digest algorithms and key exchange
> algorithms according https://stribika.github.io/2015/01/04/secure-secure-shell.html .

I can agree to that.

> For the kex algo "diffie-hellman-group-exchange-sha256", an intact
> SSH moduli file is required. To make sure we are not falling back
> to insecure crypto here, its presence is checked at SSH startup.

This could have been a separate patch.

> On my machines, this file was already there, but it makes sense to
> me to double-check this. This patch should not make problems except
> for very outdated OpenSSH clients (older than 6.x) or PuTTY versions.
> 
> This partially addresses #11538 and requires patch 2/3.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  config/rootfiles/core/121/update.sh |  6 +++++-
>  lfs/openssh                         |  4 ++++
>  src/initscripts/system/sshd         | 12 ++++++++++++
>  3 files changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/config/rootfiles/core/121/update.sh
> b/config/rootfiles/core/121/update.sh
> index 3ec251292..99c174156 100644
> --- a/config/rootfiles/core/121/update.sh
> +++ b/config/rootfiles/core/121/update.sh
> @@ -60,7 +60,11 @@ rm -rvf \
>  sed -i /etc/ssh/sshd_config \
>  	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
>  	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> -	-e 's/^#StrictModes .*$/StrictModes yes/'
> +	-e 's/^#StrictModes .*$/StrictModes yes/' \
> +	-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.co
> m,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-
> ctr\
> +			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@
> openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@open
> ssh.com\
> +			KexAlgorithms curve25519-sha256@libssh.org,diffie-
> hellman-group-exchange-sha256\
> +			#RekeyLimit default none/'

The sed is ugly (more below), how can we know this will be properly applied to
all systems?

sed can add lines without looking for something else to replace something. You
can also match a string and append more after it and use & as a wildcard to
re-insert the matched content.

>  # Start services
>  /etc/init.d/sshd restart
> diff --git a/lfs/openssh b/lfs/openssh
> index 7e8468ac9..3043501a2 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
>  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
>  		-e 's/^#StrictModes .*$/StrictModes yes/' \
> +		-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@op
> enssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-
> ctr,aes128-ctr\
> +			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@
> openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@open
> ssh.com\
> +			KexAlgorithms curve25519-sha256@libssh.org,diffie-
> hellman-group-exchange-sha256\
> +			#RekeyLimit default none/' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
>  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \

I think we should urgently move away from changing the default configuration
like this. This is hard to read, might change lines in future versions that we
do not intend, etc. This is just not a good way to modify a file.

Would you please add a fresh file with only the directives that we want/need?

> diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd
> index 7b4092d38..d7958e800 100644
> --- a/src/initscripts/system/sshd
> +++ b/src/initscripts/system/sshd
> @@ -23,6 +23,18 @@ case "$1" in
>  		evaluate_retval
>  	done
>  
> +	# Make sure moduli file is properly present
> +	# (https://stribika.github.io/2015/01/04/secure-secure-shell.html)
> +	modulifile="/etc/ssh/moduli"
> +	if [ ! -e "${modulifile}" ]; then
> +		boot_mesg "Generating SSH moduli file (this may take a
> while)..."
> +
> +		ssh-keygen -G /etc/ssh/moduli.all -b 4096
> +		ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
> +		mv /etc/ssh/moduli.safe /etc/ssh/moduli
> +		rm -f /etc/ssh/moduli.all
> +	fi
> +

How long will this take? We support systems with very slow processors. I have
been running this for the past 10 minutes on my desktop machine which has some
Intel i5 processor. This is already too long.

Are there any alternatives instead of creating this with 4096 bits of length on
the target machines?

>          [ -e "/var/ipfire/remote/enablessh" ] || exit 0 # SSH is not enabled
>          boot_mesg "Starting SSH Server..."
>          loadproc /usr/sbin/sshd 

-Michael
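One way to set the three directives without depending on an anchor line in the shipped sshd_config, as asked about in the review above. This is an added example, not part of Michael's mail and not IPFire code: apply_sshd_crypto, active_count and demo are hypothetical helpers, the sample config is constructed, and keyword and value are assumed to be separated by whitespace.

```shell
#!/bin/sh
# Added example, not IPFire code: apply_sshd_crypto and active_count are
# hypothetical helpers. The algorithm lists are the ones from the patch.
CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

# Count active (uncommented) lines that set KEYWORD; sshd keywords are
# case-insensitive, so compare in lower case.
active_count() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { n++ } END { print n + 0 }' "$1"
}

# Rewrite CONF so the three directives appear exactly once, at the top.
# sshd uses the first value it reads for a keyword, and lines at the top
# cannot end up inside a Match block.
apply_sshd_crypto() {
    conf="$1"
    tmp="$(mktemp "${conf}.XXXXXX")" || return 1
    {
        printf 'Ciphers %s\n' "$CIPHERS"
        printf 'MACs %s\n' "$MACS"
        printf 'KexAlgorithms %s\n' "$KEX"
        # Keep every other line, comments included; drop older active settings.
        awk '{ k = tolower($1) }
             k != "ciphers" && k != "macs" && k != "kexalgorithms"' "$conf"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat instead of mv keeps the owner and mode of the existing file.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a constructed config that lacks the "#RekeyLimit default none" line.
demo() {
    sample="$(mktemp)" || return 1
    printf '%s\n' '# constructed sample' 'Port 22' 'ciphers aes128-cbc' > "$sample"
    apply_sshd_crypto "$sample" && cat "$sample"
    rm -f "$sample"
}
demo
```

Running the function a second time leaves the file unchanged, so it is safe in an update script that may be re-run. On the target system, sshd -t can validate the result before the restart.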
  
Michael Tremer May 18, 2018, 11:44 p.m. UTC | #3

On Wed, 2018-05-16 at 17:39 +0200, Peter Müller wrote:
> Hello *,
> 
> could somebody have a look at this sometimes?
> 
> If possible, I'd like to add this to the upcoming Core 121, too
> - in case we are not becoming too big with the new kernel already.

I don't think that this will find space in C121.

> Thanks, and best regards,
> Peter Müller
> 
> 
> > By default, OpenSSH uses crypto algorithms such as SHA1, which are
> > considered insecure and should not be used anymore. This patch
> > updates the used ciphers, message-digest algorithms and key exchange
> > algorithms according https://stribika.github.io/2015/01/04/secure-secure-shell.html .
> > 
> > For the kex algo "diffie-hellman-group-exchange-sha256", an intact
> > SSH moduli file is required. To make sure we are not falling back
> > to insecure crypto here, its presence is checked at SSH startup.
> > 
> > On my machines, this file was already there, but it makes sense to
> > me to double-check this. This patch should not make problems except
> > for very outdated OpenSSH clients (older than 6.x) or PuTTY versions.
> > 
> > This partially addresses #11538 and requires patch 2/3.
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> >  config/rootfiles/core/121/update.sh |  6 +++++-
> >  lfs/openssh                         |  4 ++++
> >  src/initscripts/system/sshd         | 12 ++++++++++++
> >  3 files changed, 21 insertions(+), 1 deletion(-)
> > 
> > diff --git a/config/rootfiles/core/121/update.sh
> > b/config/rootfiles/core/121/update.sh
> > index 3ec251292..99c174156 100644
> > --- a/config/rootfiles/core/121/update.sh
> > +++ b/config/rootfiles/core/121/update.sh
> > @@ -60,7 +60,11 @@ rm -rvf \
> >  sed -i /etc/ssh/sshd_config \
> >  	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
> >  	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
> > -	-e 's/^#StrictModes .*$/StrictModes yes/'
> > +	-e 's/^#StrictModes .*$/StrictModes yes/' \
> > +	-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.
> > com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-
> > ctr,aes128-ctr\
> > +			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-et
> > m@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@
> > openssh.com\
> > +			KexAlgorithms curve25519-sha256@libssh.org,diffie-
> > hellman-group-exchange-sha256\
> > +			#RekeyLimit default none/'
> >  
> >  # Start services
> >  /etc/init.d/sshd restart
> > diff --git a/lfs/openssh b/lfs/openssh
> > index 7e8468ac9..3043501a2 100644
> > --- a/lfs/openssh
> > +++ b/lfs/openssh
> > @@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> >  		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
> >  		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
> >  		-e 's/^#StrictModes .*$/StrictModes yes/' \
> > +		-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@
> > openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-
> > ctr,aes128-ctr\
> > +			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-et
> > m@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@
> > openssh.com\
> > +			KexAlgorithms curve25519-sha256@libssh.org,diffie-
> > hellman-group-exchange-sha256\
> > +			#RekeyLimit default none/' \
> >  		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
> >  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
> >  		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
> > diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd
> > index 7b4092d38..d7958e800 100644
> > --- a/src/initscripts/system/sshd
> > +++ b/src/initscripts/system/sshd
> > @@ -23,6 +23,18 @@ case "$1" in
> >  		evaluate_retval
> >  	done
> >  
> > +	# Make sure moduli file is properly present
> > +	# (https://stribika.github.io/2015/01/04/secure-secure-shell.html)
> > +	modulifile="/etc/ssh/moduli"
> > +	if [ ! -e "${modulifile}" ]; then
> > +		boot_mesg "Generating SSH moduli file (this may take a
> > while)..."
> > +
> > +		ssh-keygen -G /etc/ssh/moduli.all -b 4096
> > +		ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
> > +		mv /etc/ssh/moduli.safe /etc/ssh/moduli
> > +		rm -f /etc/ssh/moduli.all
> > +	fi
> > +
> >          [ -e "/var/ipfire/remote/enablessh" ] || exit 0 # SSH is not
> > enabled
> >          boot_mesg "Starting SSH Server..."
> >          loadproc /usr/sbin/sshd 
> > 
> 
> 
  

Patch

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 3ec251292..99c174156 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -60,7 +60,11 @@  rm -rvf \
 sed -i /etc/ssh/sshd_config \
 	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
 	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
-	-e 's/^#StrictModes .*$/StrictModes yes/'
+	-e 's/^#StrictModes .*$/StrictModes yes/' \
+	-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\
+			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\
+			KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\
+			#RekeyLimit default none/'
 
 # Start services
 /etc/init.d/sshd restart
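Review bot: The added expression only takes effect when /etc/ssh/sshd_config still contains the exact line `#RekeyLimit default none`; on a system where that line was edited or removed, sed changes nothing, still exits successfully, and the `/etc/init.d/sshd restart` below brings sshd back up with the old algorithm defaults. Write the three directives without depending on an anchor line, or follow the sed with a check (for example a grep for `^KexAlgorithms `) that makes the update fail visibly. The continuation lines also carry their leading tabs into the file, so the re-inserted `#RekeyLimit default none` no longer starts at column one and will not match this pattern again.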
diff --git a/lfs/openssh b/lfs/openssh
index 7e8468ac9..3043501a2 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -96,6 +96,10 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
 		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
 		-e 's/^#StrictModes .*$/StrictModes yes/' \
+		-e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\
+			MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\
+			KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\
+			#RekeyLimit default none/' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
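Review bot: In the added `-e` expression the end-of-line anchor is a single `$` directly before the `/` delimiter, while the neighbouring AllowTcpForwarding, PermitRootLogin and HostKey expressions in this recipe write it as `$$`. This file is a makefile, where `$/` is read as a reference to a variable named `/`, so neither the anchor nor the delimiter reaches sed as written; use `none$$/` here. The unchanged StrictModes context line just above has the same single `$` and needs the same fix.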
diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd
index 7b4092d38..d7958e800 100644
--- a/src/initscripts/system/sshd
+++ b/src/initscripts/system/sshd
@@ -23,6 +23,18 @@  case "$1" in
 		evaluate_retval
 	done
 
+	# Make sure moduli file is properly present
+	# (https://stribika.github.io/2015/01/04/secure-secure-shell.html)
+	modulifile="/etc/ssh/moduli"
+	if [ ! -e "${modulifile}" ]; then
+		boot_mesg "Generating SSH moduli file (this may take a while)..."
+
+		ssh-keygen -G /etc/ssh/moduli.all -b 4096
+		ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
+		mv /etc/ssh/moduli.safe /etc/ssh/moduli
+		rm -f /etc/ssh/moduli.all
+	fi
+
         [ -e "/var/ipfire/remote/enablessh" ] || exit 0 # SSH is not enabled
         boot_mesg "Starting SSH Server..."
         loadproc /usr/sbin/sshd
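Review bot: The `[ ! -e "${modulifile}" ]` test only establishes that a file exists, so an empty or truncated /etc/ssh/moduli passes, which falls short of the "intact" file the commit message asks for; `[ ! -s "${modulifile}" ]` would at least reject an empty one. The exit status of the two ssh-keygen calls is not checked before the `mv`, so a failed or interrupted screening run can install a partial moduli file that the existence test then accepts on every later start. The block also sits above the `enablessh` test, so generation runs on systems where SSH is disabled; moving it below that line avoids the cost there.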