authorClemens Gruber <clemens.gruber@pqgruber.com>2015-11-02 21:15:35 +0100
committerMichael Olbrich <m.olbrich@pengutronix.de>2015-11-07 09:44:20 +0100
commit9d42457cc3948989185995f6671058fe960d0d94 (patch)
treec1ded760ede1ff743b22866c8bc41cf7c56d3723
parent5dbc3705ab7b3af760e4c26c56febab476865729 (diff)
openssh: harden security options and host keys
The rc.once.d script generates the host keys which are enabled in the sshd_config file. Ed25519 and RSA are the default host key signature algorithms as both do not solely rely upon good entropy sources. DSA and ECDSA are not recommended on embedded systems. The SSH configuration is hardened: Enabled sandboxing, reduced login grace time, strict mode, etc. Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com> [mol: use 4096 bits for RSA keys, base config on upstream example] Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r--projectroot/etc/rc.once.d/openssh68
-rw-r--r--projectroot/etc/ssh/sshd_config66
2 files changed, 91 insertions, 43 deletions
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37de..a49ddee0a 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -1,33 +1,53 @@
#!/bin/sh
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
-OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key"
-OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key"
-
-test -n "$OPENSSH_RSAKEY" || \
- OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT
-test -n "$OPENSSH_DSAKEY" || \
- OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT
-
-gen_key() {
-
- key_type=$1
- key_file=$2
-
- rm -f $key_file > /dev/null 2>&1
-
- echo -n "generating $key_type key..."
- ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1
+get_hostkeys() {
+ [ -f /etc/ssh/sshd_config ] || return
+ sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config
+}
- if [ "$?" = "0" ]; then
- echo "done"
+host_keys_required() {
+ hostkeys="$(get_hostkeys)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
else
- echo "failed"
- exit 1
+ # No HostKey directives found, so we pick secure defaults
+ echo /etc/ssh/ssh_host_ed25519_key
+ echo /etc/ssh/ssh_host_rsa_key
fi
}
-gen_key rsa "$OPENSSH_RSAKEY"
-gen_key dsa "$OPENSSH_DSAKEY"
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null; then
+ echo "$msg; this may take some time ..."
+ rm -f $file &&
+ ssh-keygen -q -f "$file" -N '' "$@" || return
+ echo "$msg; done."
+ fi
+}
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating DSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa &&
+ create_key "Creating ECDSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa &&
+ create_key "Creating ED25519 key" \
+ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 &&
+ create_key "Creating RSA key" \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
+}
+if ! create_keys; then
+ echo "Generating SSH keys failed!"
+ exit 1
+fi
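Review bot: `rm -f $file &&` in the new create_key leaves `$file` unquoted while every other use of the path (`grep -x "$file"`, `ssh-keygen -q -f "$file"`) is quoted; because the paths can come from HostKey directives in sshd_config via get_hostkeys, a value containing whitespace or glob characters would be split or expanded before rm runs. Quote it for consistency: `rm -f "$file" &&`. The membership test would also be more robust as a literal match, `grep -Fx "$file"`, since `grep -x` still interprets the path as a basic regular expression. Minor: `[ \t]` in the sed bracket expression relies on the tab escape being understood inside brackets, which GNU sed accepts but POSIX sed does not; the sshd_config shipped in this commit separates HostKey from its path with a single space, so this is only a portability caveat.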
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config
index 7cd7897b3..f53cb3d8f 100644
--- a/projectroot/etc/ssh/sshd_config
+++ b/projectroot/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -7,24 +7,31 @@
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
+# possible, but leave them commented. Uncommented options override the
# default value.
-Port 22
-Protocol 2
+#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
-#ServerKeyBits 768
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
@@ -37,10 +44,19 @@ HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
+#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
@@ -69,37 +85,49 @@ PermitRootLogin yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
+#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
+#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
-#UseDNS yes
+#UseDNS no
#PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
# no default banner path
-#Banner /some/path
+#Banner none
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
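Review bot: `PermitRootLogin yes` on the context line at the top of the third hunk is left in place, so the hardened configuration still accepts interactive root password logins; if the image can rely on key-based root access, `PermitRootLogin without-password` (the value the new PAM comment block itself refers to) would match the commit's stated intent, otherwise a one-line comment explaining why it stays `yes` would help the next reader. The description also lists a reduced login grace time and strict mode among the hardening changes, but as far as the hunks show none of them touch LoginGraceTime and `#StrictModes yes` remains commented (it is the sshd default), so the description appears to overstate the change and is worth reconciling with the diff.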