From patchwork Mon Aug 20 04:41:45 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1895
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.ipfire.org
 [IPv6:2001:470:7183:25::1])
	by web02.i.ipfire.org (Postfix) with ESMTP id 791E360726
	for <patchwork@web02.i.ipfire.org>; Sun, 19 Aug 2018 20:41:52 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 0195F112692A;
	Sun, 19 Aug 2018 19:41:51 +0100 (BST)
Received: from mx-nbg.link38.eu (mx-nbg.link38.eu
 [IPv6:2a03:4000:6:432c:1f9e:48:ac3:199])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx-nbg.link38.eu",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail01.ipfire.org (Postfix) with ESMTPS id EEB9D10F83E0
 for <development@lists.ipfire.org>; Sun, 19 Aug 2018 19:41:47 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803;
 t=1534704110; h=from:from:sender:reply-to:subject:subject:date:date:
 message-id:message-id:to:to:cc:mime-version:mime-version:
 content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:in-reply-to:
 references; bh=AZsDmlcRerkEZv6mNJw07YpITigvPRzCur5qXFusmHs=;
 b=EU7MOtPJOHWcEZ/0FNZaKR3twXuqpkfcRtJEiuMLR6/Mmkqkg3o0Gb1Z1Zc/jSyZpJSmMg
 0c+5g5WlGofdNbWZCPyd/Mcw9qzySs51OodA4D6rKQOLcMX1Z+7zq2V+rj6S2L3vi+0Gko
 muvBB18h2o7PPpkb4nYz84BpMjk+5IIF7lBcN6/AjJSWA+fbw6c+D18TqVCGyu0e6lRBCf
 b+C4DgSxxz5eFkKMDUZErIo/h6C12F+2ajfBL7PI0b3wtOjyCUui6UTOz5aYYHrbpjYyU2
 K0Q8K+fZq8X5SbJh3aBQr4jDA+EO5GcQ2+KaH0WmOrR0dW9D4s5vV1WdIrwBcg==
To: "ipfire: Development-List" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
Openpgp: preference=signencrypt
Autocrypt: addr=peter.mueller@link38.eu; prefer-encrypt=mutual; keydata=
 xsFNBFrlh/UBEADDNM0LnM9+1NhjgfIz7Ww9Hlx6egK75TJoVa/S9gjI+3DeXn7hsj7vZnQz
 qSXMhSauU7k4g+F+MmOJP2HRIl0lEo/JNrpAqrAseSnbJp4eq8OTyAL6+Z3SVNJNbcRDOHmw
 jb/GR8ncURcgYDYV+oCs4csrghtBnm4cWaD/RW10zlB4nQsqQ5G3jzY9aIM+NKRHSAZEbXBZ
 W6pyDcGRMkwSFTHXpjtFDZ6mVEMxi1nv2W8PMU+uGbs3ud4gzPZ0tT5ICR8bp71qpua4r4RQ
 o6rB/suiPOptOE5/rk8FiW3ho0y1xDu7bRx8UzdLS9cYCVeSvf9n9YZ6RGOH9O7dS23zfTkS
 8iqYol1PmVZrNtpsWBCq4HzFtRJPs6gykFNfj2sVQXU3RHHf2ui0OKm3R0olhLVbKSw2qSPM
 ajP1vBuVLEMSJmucxlJQ72Im/afnOz3LlNt+/FOB0zneoKGvPpPGSP/Fr5FJYED6/l1DZl2W
 8Wb76xq3HGfETHW9kwwqbbQefMu6LNQIw9CnTpSk/R9mt7AnIrKCjxfclLDfz6VBJ0grRDDF
 PBEVBrj7uZM0UCl/dUX0adjDxBfma/UJZcBlDVX61+41vsX6w094sveKaNdqybAIxqGnhRUq
 kCHm5P/IYOZrtkao/TsRIW508MJBGmxoUl2qqCj7tXtNy2tiUQARAQABzSdQZXRlciBNw7xs
 bGVyIDxwZXRlci5tdWVsbGVyQGxpbmszOC5ldT7CwX8EEwECACkFAlrlh/UCGyMFCQlmAYAH
 CwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZSPIPfXufaDlVD/0elAwSohcC4T5jFtPt
 hZ1+jU9t46pwBhQ8ohKpo4/wAuVBg5B0FYb0gegcSicYWsNkhTtCjUhExMilLKTaJir5l+3V
 B/rU/WG7NgLYqmYsGlgHPXdLZAbOMU/0atONFYos1UZnRGmPfhLwRw3g5TBaKrfqaFBzRABE
 W0R+XuRoXy9ho+lNP5g0Sa+SxtOeBpLQxppObk5WLUqDKxrvHhStgM3PrJASKujsJiw19IUg
 ws0q+WezH8LPQd3Vc8DP56sl1/h8w2Xklsdxj1NEcO7OIrrKSNIRGyqgqvtmDi6dxh1suGUW
 Par/VhB+P+u0yVy8H1lZ4SFUsZJFPwHNFSN41USmT/uHf9Z7K1+qXm4zpyexrDQ+ojuXxnB1
 y97cHYcYaCZ2Bo+deljXng1NF0I3CdIdhPfLv7FHRBoBw1xs0qJjUfTfSAZsYD0H/jl76bRx
 4s8rrECqM7pMnE4aLiP4m6gKJKooH8QAQsmGRYAI8gG/BIHPHZUpZ8J2jRnj6GQ1MpEdcnLE
 Q0N7QMayDoPq177es7tey5vzofq3bDGW/O9yqUWiz3e7uaGSQnYoRGm2oCCTojvGt37yS0H8
 v+ms2fokPNt8UDmpZoLFFPXDwVcnL/KBkPY665xchatKpBOtJ3lRnXdlyRJW1gGda9G5mGFn
 xLcWumkZ12YKmtixuM7BTQRa5Yf1ARAA4UCkVBvQhks9lApBxvfZ8ekWrticMooBkegL+KQT
 TPWQHTgdwkFzSneaRq0vFFcgKxmXA54OmT58y0tf09hUvTGK4COs5GTZKP/SYSWZM6xOQqaT
 37fros/ma4iSS+IJw/eDh7bWKM5gllz0EuoewaTveGDWeucf7V36mRUPG47GsNk/PgCRsO5Y
 SLlpfT/3xH02aRnUmWjzHCkJ9EV388cIWaYo9kP4q9rbcl3IyHP0t78XpIIWH6+o/I0FgzwL
 GJBdJ0eAE3PNIRGYu8nqYlJ+TIpcIrEPitma6nZtiWAITRO2XDb/2o05tUlEbmlN6dUOqM7X
 Jvj/Z9KkYNgvYNbHXqXJ+j5gzcq0DR7DtDSDnd1WDrYivQMGBDnZR2YfFjBEsmeArdmDTZqY
 aqYhBN3iMCI9cErZgik6Niz6jrqBMK98geB04vrqZUYprh7zXgPu0A/EwTIJuZ+GGeEKwMVL
 pBc2NGxUb/kt8nr1JHAnSludD78EW6QVdpcgO4DhHxzhdDk/L8yE53b5UdvXwad5N4T1QS/Y
 kk80nByinD4vaIIHti9nOvLQJAro1p997YnVeY0wQ2x14Qw1rqeCOeKqB8PxmHvSK6b+nXLg
 Dv7HuFLovIeQd/IimGLXBDW4Bkn60HApJ5KcX+GwHp5XqPRKPmtjfMsETZn1ESjyc3sAEQEA
 AcLBZQQYAQIADwUCWuWH9QIbDAUJCWYBgAAKCRDZSPIPfXufaBRaEACMS5Q1BY/O5o+Vn8lD
 uMUczEVk/8j07gi1EV2ffutwZ5eYrKvXkuoMPEBb7SWqPUKqpTbw1pNjUf5002c2xm2r/OSZ
 oQMRWDztht+EMhjy0qkixMV+TvS6DcFPb8sd+KOoIBD08EBVUxpeNhAFxaRjGEDboJUwtDAd
 EDUJts5HnXvBqEcnkOfkwDSUWf9epa1mbyO1sO5NnMtxQY6paB2UGQPNE5/J3eo4f5s4wrxR
 AaM6OCCOtJxs4u0svmOCwd0D8LQ6higBq+EFesc57ZpG3pkNokrROFWRpx6OpQJUnYi5lWm8
 +4xF99QfI9mHIz+jrnPcsfAiKdXb8QkeaDkR7bIU269wwKupfN6bHsKFtOnx7AhMLUddzTHA
 hTe8cov/tnn5xPvSZhpfknOBx+mffNQBsCETuCxPMqtDN5xFuwBxw4ZKZpKYFk/FUl6As1z4
 LY2tNXb/JI58fGiLreunuvxsEkb97hmly1e19IPOTJzawB/aKRQNpIkoE11UBhKyc+kwIfVo
 ZCTlp+3hpBFqxEjRReSQUKKb9hA4yP3j90Fb353JbNKf9+Y3UtFPJb67koDOGtbJsk19bzPE
 zO0j/ek+eXxTIf5NxURVuzY6yvg57ZzW7T/tApT/LLfMEmuYz/LiijgON0uTOSp8KflwAt8m
 eNtEia+FigGVqn+PSQ==
Subject: [PATCH 1/2] add hardened SSH server configuration
Message-ID: <042ecb9c-4183-5ea5-ee26-56ed9bcc7a61@link38.eu>
Date: Sun, 19 Aug 2018 20:41:45 +0200
MIME-Version: 1.0
Content-Language: en-US
Authentication-Results: mail01.ipfire.org; dkim=pass header.d=link38.eu;
 dmarc=pass (policy=none) header.from=link38.eu;
 spf=pass smtp.mailfrom=peter.mueller@link38.eu
X-Spamd-Result: default: False [-9.54 / 11.00]; ARC_NA(0.00)[];
 R_DKIM_ALLOW(-0.20)[link38.eu]; BAYES_HAM(-3.00)[100.00%];
 FROM_HAS_DN(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip6:2a03:4000:6:432c:1f9e:48:ac3:199];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 RCPT_COUNT_ONE(0.00)[1]; TO_DN_ALL(0.00)[];
 DKIM_TRACE(0.00)[link38.eu:+];
 RCVD_IN_DNSWL_MED(-2.00)[9.9.1.0.3.c.a.0.8.4.0.0.e.9.f.1.c.2.3.4.6.0.0.0.0.0.0.4.3.0.a.2.list.dnswl.org
 : 127.0.6.2]; DMARC_POLICY_ALLOW(-0.25)[link38.eu,none];
 MX_GOOD(-0.01)[cached: mx-nbg.link38.eu];
 RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[];
 IP_SCORE(-3.78)[ip: (-9.90), ipnet: 2a03:4000::/32(-4.95),
 asn: 197540(-3.96),
 country: DE(-0.09)];
 ASN(0.00)[asn:197540, ipnet:2a03:4000::/32, country:DE];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-9.54
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

In order to harden OpenSSH server in IPFire, using the upstream default configuration
and edit it via sed commands in LFS file is error-prone and does not scale.

Thereof we ship a custom and more secure OpenSSH server configuration which
is copied into the image during build time.

Fixes #11750
Fixes #11751
Partially fixes #11538

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/ssh/sshd_config | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 config/ssh/sshd_config

diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
new file mode 100644
index 000000000..7acf48109
--- /dev/null
+++ b/config/ssh/sshd_config
@@ -0,0 +1,68 @@
+# ultra-secure OpenSSH server configuration
+
+# only allow version 2 of SSH protocol
+Protocol 2
+
+# listen on these interfaces and protocols
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+# limit authentication thresholds
+LoginGraceTime 20s
+MaxAuthTries 3
+MaxSessions 5
+
+# limit maximum instanctes
+MaxStartups 5
+
+# ensure proper logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# always turn on strict mode
+StrictModes yes
+
+# only allow safe crypto algorithms (may break some _very_ outdated clients)
+# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# enable data compression after successful login
+Compression yes
+
+# only allow cryptographically safe SSH host keys (adjust paths if needed)
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# only allow login via public key
+PubkeyAuthentication yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+AuthenticationMethods publickey
+
+# ignore user ~/.rhost* files
+IgnoreRhosts yes
+
+# ignore user known hosts file
+IgnoreUserKnownHosts yes
+
+# ignore user environments
+PermitUserEnvironment no
+
+# do not allow any kind of forwarding (provides only low security)
+# some of them might need to be re-enabled if SSH server is a jump platform
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitTunnel no
+GatewayPorts no
+PermitOpen none
+
+# close broken session (clients went offline, ...) automagically
+TCPKeepAlive yes
+
+# EOF