From patchwork Sun Apr 29 19:16:42 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1733
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.i.ipfire.org (Postfix) with ESMTP id 4BFAE60726
	for <patchwork@web02.i.ipfire.org>;
	Sun, 29 Apr 2018 11:16:49 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 4DC0C1109356;
	Sun, 29 Apr 2018 10:16:48 +0100 (BST)
Authentication-Results: dkim=pass header.d=link38.eu;
	dmarc=pass (policy=none) header.from=link38.eu;
	spf=pass smtp.mailfrom=peter.mueller@link38.eu
Received: from mx-nbg.link38.eu (mx-nbg.link38.eu
	[IPv6:2a03:4000:6:432c:1f9e:48:ac3:199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mx-nbg.link38.eu",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id D9ADE108B886
	for <development@lists.ipfire.org>;
	Sun, 29 Apr 2018 10:16:45 +0100 (BST)
ARC-Authentication-Results: i=1; mx-nbg.link38.eu
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803;
	t=1524993403;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references; bh=efDRrZ19f69csjg+Uy6AfvT+iRiKAhCEhBo6ok/9JZs=;
	b=onBDv9qA3wpxOtAFJ6SgBLftTlo5n4N/0fZc/E5MydkRSapcnN6uSqAcI5WsmhwCNok0Wn
	1zzEneCgPs85lGsd1EGbPxKiZPqzndRXTXF6Z2r+Lz1dU8RCq1cmAF20WiCXJSpZsGJQ3W
	NwZeyi9Lxm4nwONllF3sZ0X9XLiakgbil6iiFYFbopuN7Xsno5h6ZN5s8eGGUose2u4Feq
	YKYw6hBPGWMUqqkJzkDnQ1lj0bR8/6tUkb2mudK/pg7l7DK7JkFy3EEbPoZZ7USMpxZ0sm
	26Xq9Ea2PrIg2DNyT/ExpPRMosngPVC4MP0YOx1xUbJhq0w4Yipxf8hpP+Gm/w==
ARC-Seal: i=1; s=201803; d=link38.eu; t=1524993403; a=rsa-sha256; cv=none;
	b=NT91fB8RRBcpCOY77Bl95oIrdT4Jb1rBuhOqZkeuZ6KeVlZPiMywiQddMHuJDmkghz2Yy7yxlpLojFu16hwubQjfx5kCdfi3Enhjoiqh9DQpudfXMV35zCLYcESMjGsTp5uw9wQ7PBGvpdBC6oBYjEc1gOklWVNfhiMqDn+NcYiu04Meo9sedvgxaCp4MDbKinLVWD1aLo3sdMuiFXipVL50BUjcKG8Rs4COVyytYY2sRW7ZIpJwn5Gzohh9+NN/OZJWq0ZI5Pu9+N/6u3sDKwr2Unaj1AzXAZyh0oI1EZy+jxaCY0V/gAEeUGUW5YTApTTaY34oFo9rAWHCV1aQlw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu;
	s=201803; t=1524993403;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references; bh=efDRrZ19f69csjg+Uy6AfvT+iRiKAhCEhBo6ok/9JZs=;
	b=ne3oIb32k5bgvPokU1jjx3WpiLLF1RKm7u4cTuGu2Vrm6ypfbaxWvxtUcqfaZC2voszF7m
	U0tqBIUQhwnR9pneaIsQ42hvfPlXnE9Qxp+8PAR+jfTSwWciP4En03cLiGvQFl+x7VlRFR
	QTy5r5G3LteuaOGAlKYt4rxZCIN2fvSeOQDVMp6wlpHuan23AKuQu2BhJsbXLt9j3dMAN+
	ujx3cLnhdOMX+ddJYgU8f3QVQHu0HTretux2zVNKxW0+pc9lViYnPlEvsU8szxm3Cvxgw4
	dbA+gs/T+APH9avkEGgRxnVoxbkjGzKtwzx7pn4C5Eq3ayqIA0L/pF1pRYXqbA==
To: "IPFire: Development-List" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
Subject: [PATCH] harden authentication and logging in OpenSSH server
	configuration
Openpgp: preference=signencrypt
Message-ID: <45328527-782f-5737-5207-ca6936b5ece7@link38.eu>
Date: Sun, 29 Apr 2018 11:16:42 +0200
MIME-Version: 1.0
Content-Language: en-US
X-Spamd-Result: default: False [-10.53 / 11.00];
	IP_SCORE(-3.77)[ip: (-9.86), ipnet: 2a03:4000::/32(-4.93),
	asn: 197540(-3.95),
	country: DE(-0.09)]; ARC_ALLOW(-1.00)[i=1];
	RCVD_IN_DNSWL_MED(-2.00)[9.9.1.0.3.c.a.0.8.4.0.0.e.9.f.1.c.2.3.4.6.0.0.0.0.0.0.4.3.0.a.2.list.dnswl.org
	: 127.0.6.2]; RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];
	MX_GOOD(-0.01)[cached: mx-nbg.link38.eu];
	BAYES_HAM(-3.00)[100.00%]; DKIM_TRACE(0.00)[link38.eu:+];
	TO_DN_ALL(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
	R_SPF_ALLOW(-0.20)[+ip6:2a03:4000:6:432c:1f9e:48:ac3:199];
	RCPT_COUNT_ONE(0.00)[1];
	DMARC_POLICY_ALLOW(-0.25)[link38.eu,none];
	FROM_EQ_ENVFROM(0.00)[]; MIME_GOOD(-0.10)[text/plain];
	R_DKIM_ALLOW(-0.20)[link38.eu];
	ASN(0.00)[asn:197540, ipnet:2a03:4000::/32, country:DE];
	MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-10.53
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Update some values in the OpenSSH server configuration at
/etc/ssh/sshd_config to secure values. Changes are also applied
on existing installations via update.sh script.

This partly solves #11538 and performs these changes:
- never accept empty passwords for authentication
- make sure OpenSSH always logs properly
- make sure permissions of .ssh/authorized_keys are checked (StrictModes)
- limit maximum concurring sessions to 5
- make sure custom rhosts files are always ignored
- limit maximum authentication tries to 3

The logging options were not applied during build correctly,
which is fixed now. Changes are not expected to break existing
systems.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/rootfiles/core/121/update.sh | 12 ++++++++++++
 lfs/openssh                         |  9 +++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 87d5f6ebd..d3ceb84aa 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
 done
 
 # Stop services
+/etc/init.d/sshd stop
 
 # Extract files
 extract_files
@@ -56,8 +57,19 @@ rm -rvf \
 	/usr/share/nagios/ \
 	/var/nagios/
 
+# Update SSH configuration
+sed -i /etc/ssh/sshd_config \
+	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
+	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
+	-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
+	-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
+	-e 's/^#StrictModes .*$/StrictModes yes/' \
+	-e 's/^#MaxSessions .*$/MaxSessions 5/' \
+	-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
+
 # Start services
 /etc/init.d/apache restart
+/etc/init.d/sshd start
 
 # This update needs a reboot...
 touch /var/run/need_reboot
diff --git a/lfs/openssh b/lfs/openssh
index 203446370..90279ac98 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \
 		-e 's/^#\?UsePAM .*$$//' \
 		-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
-		-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
-		-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
+		-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
+		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
 		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
 		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
+		-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
+		-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
+		-e 's/^#StrictModes .*$/StrictModes yes/' \
+		-e 's/^#MaxSessions .*$/MaxSessions 5/' \
+		-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \