From patchwork Tue May  1 22:43:52 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1739
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.ipfire.org
	[IPv6:2001:470:7183:25::1])
	by web02.i.ipfire.org (Postfix) with ESMTP id B0F3F60366
	for <patchwork@web02.i.ipfire.org>;
	Tue,  1 May 2018 14:55:37 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 00CBA10E440E;
	Tue,  1 May 2018 13:55:36 +0100 (BST)
Authentication-Results: dkim=pass header.d=link38.eu;
	dmarc=pass (policy=none) header.from=link38.eu;
	spf=pass smtp.mailfrom=peter.mueller@link38.eu
Received: from mx-nbg.link38.eu (mx-nbg.link38.eu [37.120.167.53])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mx-nbg.link38.eu",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id A7C1A110933F
	for <development@lists.ipfire.org>;
	Tue,  1 May 2018 13:43:53 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803;
	t=1525178633;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:mime-version:
	content-type:content-type:content-transfer-encoding:in-reply-to:
	references; bh=DhxoQr0PCulNi7fIIQnz4XUABiSYpdU4LbzWc/u8tBw=;
	b=NZ0OOiEXhlL4jUXgLqsaxaNa+keeq6d/8NB+IsMIBBS2R9O6ZYR/ORo9TwT0glg8A4hbjK
	X0Ruws1LRiOhSKH78DT5E8ew1buCyyHnX4NC1gpuZpzkdviMvabb4DZbbGBqeXaD5e9gk/
	HF5LGA9R3TyVRA1gwCsFR/+5vQxAPIhV2A0gPcKUnd3Um9uZhM0DjGQzDgDDqTllDYPJX5
	Xufx0euAlGxcXc+RMUxUfW9HTpo+0aWP+Gf0Psgqv5emGbaKDOZbvd92MhPiki99D12uIR
	imAB1V92On5ZFGgD+kS7MCO56Oga/ZkH12J+Yzn9Nih5tb5hcxhz1xKsAJd1vA==
To: "IPFire: Development-List" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
Subject: [PATCH 2/3] enable "StrictModes" for OpenSSH
Openpgp: preference=signencrypt
Message-ID: <49166866-c3a2-06a4-dae9-21784c9c88ae@link38.eu>
Date: Tue, 1 May 2018 14:43:52 +0200
MIME-Version: 1.0
X-Spamd-Result: default: False [-9.64 / 11.00];
	IP_SCORE(-3.78)[ip: (-9.90), ipnet: 37.120.160.0/19(-4.95), asn:
	197540(-3.96), country: DE(-0.09)];
	RCVD_IN_DNSWL_MED(-2.00)[53.167.120.37.list.dnswl.org : 127.0.6.2];
	RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];
	MX_GOOD(-0.01)[cached: mx-nbg.link38.eu];
	HAS_ATTACHMENT(0.00)[]; BAYES_HAM(-3.00)[100.00%];
	DKIM_TRACE(0.00)[link38.eu:+]; TO_DN_ALL(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	R_SPF_ALLOW(-0.20)[+ip4:37.120.167.53];
	RCPT_COUNT_ONE(0.00)[1];
	DMARC_POLICY_ALLOW(-0.25)[link38.eu,none];
	FROM_EQ_ENVFROM(0.00)[];
	MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain];
	ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[link38.eu];
	ASN(0.00)[asn:197540, ipnet:37.120.160.0/19, country:DE];
	MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-9.64
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Always make sure permissions of .ssh/authorized_keys
are checked. This prevents word-writeable keyfiles from
being processed, reducing attack surface after misconfiguration.

Partially addresses #11538 and depends on patch 1/3.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/rootfiles/core/121/update.sh | 3 ++-
 lfs/openssh                         | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 5b8f2c86e..3ec251292 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -59,7 +59,8 @@ rm -rvf \
 # Update SSH configuration
 sed -i /etc/ssh/sshd_config \
 	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
-	-e 's/^#LogLevel INFO$/LogLevel INFO/'
+	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
+	-e 's/^#StrictModes .*$/StrictModes yes/'
 
 # Start services
 /etc/init.d/sshd restart
diff --git a/lfs/openssh b/lfs/openssh
index 46561953d..7e8468ac9 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
 		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
 		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
+		-e 's/^#StrictModes .*$/StrictModes yes/' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \