From patchwork Sun Apr 29 19:16:42 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1733
To: "IPFire: Development-List"
From: Peter Müller
Subject: [PATCH] harden authentication and logging in OpenSSH server configuration
Message-ID: <45328527-782f-5737-5207-ca6936b5ece7@link38.eu>
Date: Sun, 29 Apr 2018 11:16:42 +0200
List-Id: IPFire development talk

Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via the update.sh script.
This partly solves #11538 and performs these changes:
- never accept empty passwords for authentication
- make sure OpenSSH always logs properly
- make sure permissions of .ssh/authorized_keys are checked (StrictModes)
- limit maximum concurrent sessions to 5
- make sure custom rhosts files are always ignored
- limit maximum authentication tries to 3

The logging options were not applied during build correctly, which is fixed now.

Changes are not expected to break existing systems.

Signed-off-by: Peter Müller
---
 config/rootfiles/core/121/update.sh | 12 ++++++++++++
 lfs/openssh                         |  9 +++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done # Stop services +/etc/init.d/sshd stop # Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/ +# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' + # Start services /etc/init.d/apache restart +/etc/init.d/sshd start # This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh
@@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#\?UsePAM .*$$//' \ -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \ - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ + -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \ + -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#MaxSessions .*$/MaxSessions 5/' \ + -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
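Review bot: in the first update.sh hunk (`@@ -32,6 +32,7 @@`), `/etc/init.d/sshd stop` runs before `extract_files`, but the matching `/etc/init.d/sshd start` only comes after the nagios cleanup and the apache restart, so sshd is down for the whole update and any failure in between leaves the firewall without remote access. Since the only sshd-related change in this patch is the sed on the config file, a single `/etc/init.d/sshd restart` next to `/etc/init.d/apache restart` would do the same job with a much shorter window. The unconditional `start` also deserves a check: on installations where the administrator has SSH access disabled, it would bring sshd up unless the init script itself refuses to start in that case.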
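Review bot: in the second update.sh hunk (`@@ -56,8 +57,19 @@`), the sed run is never verified: `sed -i` exits 0 whether or not a pattern matched, and the patterns only match the stock commented-out lines (`^#SyslogFacility AUTH$`, `^#PermitEmptyPasswords no$`), so a config whose defaults were already edited by hand, or whose upstream default text differs, is silently left alone. Run `/usr/sbin/sshd -t` after the sed and abort with a visible error if it fails, so a config that sshd rejects cannot leave the box without SSH, and consider a `grep -q '^MaxAuthTries 3' /etc/ssh/sshd_config` style check to confirm the hardening actually landed. Note also that `MaxSessions 5` caps the number of shell, exec or subsystem sessions per network connection (multiplexed channels), not the number of concurrent SSH logins, so the commit message's "concurrent sessions" promises more than the option delivers.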
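Review bot: the lfs/openssh hunk is a Makefile recipe, and the seven added `-e` expressions write a single `$` for the end-of-line anchor (`'s/^#SyslogFacility AUTH$/SyslogFacility AUTH/'`), whereas every surrounding expression, including the two lines being removed, writes `$$` so that make passes a literal `$` to the shell. Make expands `$/` as a reference to an (empty) variable named `/`, so sed receives `s/^#SyslogFacility AUTHSyslogFacility AUTH/` and fails with "unterminated `s' command", which breaks the build. The diagnosis behind the change is right (the removed `AUTH .*$$` patterns required text after the space and so never matched the stock `#SyslogFacility AUTH` line), but the anchors must stay doubled: `'s/^#\?SyslogFacility AUTH$$/SyslogFacility AUTH/'`. While at it, keep the `#\?` prefix and `.*` the neighbouring lines use (`'s/^#\?PermitEmptyPasswords .*$$/PermitEmptyPasswords no/'`) so the rule also rewrites a value that is already uncommented.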