From patchwork Tue May 1 22:53:35 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1740
To: "IPFire: Development-List"
From: Peter Müller
Subject: [PATCH 3/3] OpenSSH: use safer cryptography defaults
Message-ID: <60141712-0583-e014-ad5d-d423587566a3@link38.eu>
Date: Tue, 1 May 2018 14:53:35 +0200

By default, OpenSSH uses crypto algorithms such as SHA1, which are considered insecure and should not be used anymore.

This patch updates the used ciphers, message-digest algorithms and key exchange algorithms according to https://stribika.github.io/2015/01/04/secure-secure-shell.html .

For the kex algo "diffie-hellman-group-exchange-sha256", an intact SSH moduli file is required. To make sure we are not falling back to insecure crypto here, its presence is checked at SSH startup.
On my machines, this file was already there, but it makes sense to me to double-check this. This patch should not make problems except for very outdated OpenSSH clients (older than 6.x) or PuTTY versions. This partially addresses #11538 and requires patch 2/3. Signed-off-by: Peter Müller --- config/rootfiles/core/121/update.sh | 6 +++++- lfs/openssh | 4 ++++ src/initscripts/system/sshd | 12 ++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 3ec251292..99c174156 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -60,7 +60,11 @@ rm -rvf \ sed -i /etc/ssh/sshd_config \ -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \ -e 's/^#LogLevel INFO$/LogLevel INFO/' \ - -e 's/^#StrictModes .*$/StrictModes yes/' + -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\ + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\ + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\ + #RekeyLimit default none/' # Start services /etc/init.d/sshd restart diff --git a/lfs/openssh b/lfs/openssh index 7e8468ac9..3043501a2 100644 --- a/lfs/openssh +++ b/lfs/openssh 
@@ -96,6 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \ -e 's/^#StrictModes .*$/StrictModes yes/' \ + -e 's/^#RekeyLimit default none$/Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\ + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\ + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\ + #RekeyLimit default none/' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \ diff --git a/src/initscripts/system/sshd b/src/initscripts/system/sshd index 7b4092d38..d7958e800 100644 --- a/src/initscripts/system/sshd +++ b/src/initscripts/system/sshd @@ -23,6 +23,18 @@ case "$1" in evaluate_retval done + # Make sure moduli file is properly present + # (https://stribika.github.io/2015/01/04/secure-secure-shell.html) + modulifile="/etc/ssh/moduli" + if [ ! -e "${modulifile}" ]; then + boot_mesg "Generating SSH moduli file (this may take a while)..." + + ssh-keygen -G /etc/ssh/moduli.all -b 4096 + ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all + mv /etc/ssh/moduli.safe /etc/ssh/moduli + rm -f /etc/ssh/moduli.all + fi + [ -e "/var/ipfire/remote/enablessh" ] || exit 0 # SSH is not enabled boot_mesg "Starting SSH Server..." loadproc /usr/sbin/sshd
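
Review bot: In config/rootfiles/core/121/update.sh the new -e expression only fires if sshd_config still contains the exact line "#RekeyLimit default none". On a system where that line was edited, uncommented or removed, sed exits successfully without adding Ciphers, MACs or KexAlgorithms, and the update gives no sign of it. Because the replacement writes the anchor line back, a second run would also insert the three directives again. Suggest guarding the insert with a check for an existing ^Ciphers line and appending the directives when the anchor is missing. Since the script goes straight on to "/etc/init.d/sshd restart", running "sshd -t" on the edited file first would catch a bad edit before the running daemon is replaced.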
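
Review bot: In lfs/openssh the added pattern ends in "none$/" with a single "$", while the neighbouring expressions in this recipe write the end anchor as "$$". Inside a make recipe a single "$" starts a variable reference, so "$/" is expanded by make and neither the anchor nor the delimiter after it reaches sed as written. Suggest "none$$/" here; the StrictModes context line just above has the same single "$" and wants the same fix. This hunk and the update.sh hunk also carry identical copies of the algorithm lists that have to be changed together, so keeping the lists in one place would be worth considering.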
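
Review bot: In src/initscripts/system/sshd the test [ ! -e "${modulifile}" ] only checks that the file exists, while the commit message asks for an intact moduli file; an empty or truncated /etc/ssh/moduli passes. The exit status of the two ssh-keygen calls is not checked either, so if the -T run fails and leaves a partial /etc/ssh/moduli.safe, mv still installs it and the existence check keeps it from being regenerated on later starts. Suggest testing with -s, chaining the generate, screen and mv steps with && and using ${modulifile} for the paths instead of repeating the literal. The block also sits above the enablessh check, so the long-running generation happens even on systems where SSH is disabled; moving it below that check avoids this.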