From patchwork Tue May 1 22:40:11 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1738
From: Peter Müller
To: "IPFire: Development-List"
Subject: [PATCH 1/3] apply logging settings for OpenSSH correctly
Message-ID: <6d69e16d-e93b-6c91-a7c1-7731f821e537@link38.eu>
Date: Tue, 1 May 2018 14:40:11 +0200
List-Id: IPFire development talk
X-BeenThere: development@lists.ipfire.org

The logging settings for OpenSSH (log to syslog with "AUTH" facility at "INFO" level) were not applied correctly. This patch fixes that for both installed systems and the LFS file.

Partially addresses #11538.

Signed-off-by: Peter Müller
---
 config/rootfiles/core/121/update.sh | 6 ++++++
 lfs/openssh                         | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 87d5f6ebd..5b8f2c86e 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -56,7 +56,13 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/ +# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' + # Start services +/etc/init.d/sshd restart /etc/init.d/apache restart # This update needs a reboot...

diff --git a/lfs/openssh b/lfs/openssh
index 203446370..46561953d 100644
--- a/lfs/openssh
+++ b/lfs/openssh
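Review bot: The two sed expressions in the update.sh hunk only uncomment the stock `#SyslogFacility AUTH` and `#LogLevel INFO` lines, and AUTH and INFO are already sshd's compiled-in defaults for those keywords, so on an untouched installation nothing about logging changes once this has run; a box where an admin set, say, `LogLevel QUIET` keeps that line because `^#LogLevel INFO$` does not match it. If the intent is to enforce the values, match both commented and uncommented forms the way the LFS rules do (`-e 's/^#\?LogLevel .*$/LogLevel INFO/'`); if it is only to make the defaults explicit, the commit message should say so. Before `/etc/init.d/sshd restart`, an `sshd -t` would catch a config that no longer parses, which matters on a firewall administered over SSH even though the update reboots at the end.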
@@ -91,8 +91,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#\?UsePAM .*$$//' \ -e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \ - -e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \ - -e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \ + -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \

From patchwork Tue May 1 22:43:52 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1739
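Review bot: In the lfs/openssh hunk of PATCH 1/3 above, the two added sed expressions end the pattern with a single `$` (`-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \`), but this is a Makefile recipe, which is why every neighbouring line writes `$$`: make expands `$/` as a reference to the (empty) variable named `/`, so sed receives `s/^#SyslogFacility AUTHSyslogFacility AUTH/` and aborts with an unterminated `s' command, and the build stops. Keep the escaping: `-e 's/^#SyslogFacility AUTH$$/SyslogFacility AUTH/' \` and `-e 's/^#LogLevel INFO$$/LogLevel INFO/' \`. The diagnosis of the removed lines is right: `AUTH .*$$` demanded a space after AUTH that the stock commented-out line does not have, so it never matched; dropping ` .*` is the actual fix, and keeping the `#\?` of the surrounding rules would cost nothing.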
To: "IPFire: Development-List"
From: Peter Müller
Subject: [PATCH 2/3] enable "StrictModes" for OpenSSH
Message-ID: <49166866-c3a2-06a4-dae9-21784c9c88ae@link38.eu>
Date: Tue, 1 May 2018 14:43:52 +0200
List-Id: IPFire development talk
X-BeenThere: development@lists.ipfire.org

Always make sure permissions of .ssh/authorized_keys are checked. This prevents world-writable keyfiles from being processed, reducing attack surface after misconfiguration.

Partially addresses #11538 and depends on patch 1/3.
Signed-off-by: Peter Müller
---
 config/rootfiles/core/121/update.sh | 3 ++-
 lfs/openssh                         | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 5b8f2c86e..3ec251292 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -59,7 +59,8 @@ rm -rvf \ # Update SSH configuration sed -i /etc/ssh/sshd_config \ -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ - -e 's/^#LogLevel INFO$/LogLevel INFO/' + -e 's/^#LogLevel INFO$/LogLevel INFO/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' # Start services /etc/init.d/sshd restart

diff --git a/lfs/openssh b/lfs/openssh
index 46561953d..7e8468ac9 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#LogLevel INFO$/LogLevel INFO/' \ -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ + -e 's/^#StrictModes .*$/StrictModes yes/' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
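Review bot: In the update.sh hunk of PATCH 2/3, `^#StrictModes .*$` only matches the commented-out default. Since sshd's built-in default for StrictModes is already yes, the only installations on which this setting makes any difference are those where someone wrote an explicit `StrictModes no`, and exactly that line is left untouched by the rule. Match both forms: `-e 's/^#\?StrictModes .*$/StrictModes yes/'`. With that, the update does what the commit message promises, refusing world-writable authorized_keys files even after the sshd_config itself has been misconfigured.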
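Review bot: In the lfs/openssh hunk of PATCH 2/3, `-e 's/^#StrictModes .*$/StrictModes yes/' \` has the same Makefile problem as the `LogLevel INFO$` context line from 1/3 directly above it: a lone `$` is consumed by make (`$/` expands to an empty variable), so the recipe hands sed a mangled expression and the build stops. Write `$$` as the AllowTcpForwarding and PermitRootLogin lines around it do, and keep their `#\?` so an uncommented value is rewritten as well: `-e 's/^#\?StrictModes .*$$/StrictModes yes/' \`.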
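The sed rewrites this series changes, as an added example that is not part of either patch or of IPFire: it applies the pre-patch lfs/openssh rules, the update.sh rules as patched by 1/3 and 2/3, and a broadened StrictModes rule to two constructed sshd_config fragments (neither is taken from a real system) and reports the value sshd would end up with, using first-match-wins as sshd does. `#\{0,1\}` is the POSIX spelling of the `#\?` used in lfs/openssh; `apply_*`, `effective_value` and `report` are names chosen here. Because this runs in a shell, a single `$` is correct throughout; the make `$$` question of the LFS hunks is not exercised.

```shell
#!/bin/sh
# Added example, not IPFire code. Two constructed sshd_config fragments:
# the stock commented-out defaults, and a box where an admin switched
# StrictModes off explicitly.
STOCK_CONFIG='# Logging
#SyslogFacility AUTH
#LogLevel INFO
#StrictModes yes'

EDITED_CONFIG='# Logging
#SyslogFacility AUTH
#LogLevel INFO
StrictModes no'

# The rules lfs/openssh had before patch 1/3, with make's "$$" written as
# the plain "$" a shell needs. The literal space before ".*" means the
# stock lines, which end right after AUTH / INFO, never match.
apply_old_lfs_rules() {
    printf '%s\n' "$1" | sed \
        -e 's/^#\{0,1\}SyslogFacility AUTH .*$/SyslogFacility AUTH/' \
        -e 's/^#\{0,1\}LogLevel INFO .*$/LogLevel INFO/'
}

# The rules update.sh runs after patches 1/3 and 2/3.
apply_update_rules() {
    printf '%s\n' "$1" | sed \
        -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
        -e 's/^#LogLevel INFO$/LogLevel INFO/' \
        -e 's/^#StrictModes .*$/StrictModes yes/'
}

# Same, but the StrictModes rule also rewrites an uncommented line, so an
# explicit "StrictModes no" is overridden too.
apply_broadened_rules() {
    printf '%s\n' "$1" | sed \
        -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
        -e 's/^#LogLevel INFO$/LogLevel INFO/' \
        -e 's/^#\{0,1\}StrictModes .*$/StrictModes yes/'
}

# Value sshd would use for a keyword: the first uncommented occurrence
# wins; "default" means the compiled-in default applies.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "default" }'
}

report() {
    printf '%-7s %-9s SyslogFacility=%-8s LogLevel=%-8s StrictModes=%s\n' \
        "$1" "$2" \
        "$(effective_value "$3" SyslogFacility)" \
        "$(effective_value "$3" LogLevel)" \
        "$(effective_value "$3" StrictModes)"
}

report stock  old-lfs   "$(apply_old_lfs_rules "$STOCK_CONFIG")"
report stock  update.sh "$(apply_update_rules "$STOCK_CONFIG")"
report edited update.sh "$(apply_update_rules "$EDITED_CONFIG")"
report edited broadened "$(apply_broadened_rules "$EDITED_CONFIG")"
```

The first report line shows why patch 1/3 was needed (the old rule leaves SyslogFacility at its default, i.e. still commented out), the third shows the gap in the StrictModes rule (an explicit `StrictModes no` survives update.sh), and the fourth shows the broadened rule closing it. On a real host, `sshd -T` run as root prints the values sshd actually resolved from the file, which is the check to run after the update before trusting the edit.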