SSH1 config options were removed and a variety of more secure defaults chosen, inspired by the Debian preinit script and their sshd_config. Users can now add other HostKeys to the sshd_config and the openssh rc.once.d script will automatically generate the necessary keys. I also added an option to show the randomart representation of the key to the user.
In the sshd_config, all SSH1-related settings were removed and some important options were explicitly enabled. TCPKeepAlive was disabled as it is easily spoofable and a better alternative does exist (ClientAliveInterval). The sandbox mechanism (using seccomp) is used, if available.

Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
 projectroot/etc/rc.once.d/openssh | 69 ++++++++++++++++++++++------------
 projectroot/etc/ssh/sshd_config   | 79 ++++++++++++++------------------------
 2 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37..df5f667 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -2,32 +2,55 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key" -OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key" - -test -n "$OPENSSH_RSAKEY" || \ - OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT -test -n "$OPENSSH_DSAKEY" || \ - OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT - -gen_key() { - - key_type=$1 - key_file=$2 - - rm -f $key_file > /dev/null 2>&1 - - echo -n "generating $key_type key..." - ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1 +get_hostkeys() { + [ -f /etc/ssh/sshd_config ] || return + grep "^HostKey" /etc/ssh/sshd_config | sed "s/^HostKey //g" +} - if [ "$?" = "0" ]; then - echo "done" +host_keys_required() { + hostkeys="$(get_hostkeys)" + if [ "$hostkeys" ]; then + echo "$hostkeys" else - echo "failed" - exit 1 + # No HostKey directives found, so we pick some defaults + echo /etc/ssh/ssh_host_ed25519_key + echo /etc/ssh/ssh_host_rsa_key fi } -gen_key rsa "$OPENSSH_RSAKEY" -gen_key dsa "$OPENSSH_DSAKEY" +create_key() { + msg="$1" + shift + hostkeys="$1" + shift + file="$1" + shift + + if echo "$hostkeys" | grep -x "$file" >/dev/null && \ + [ ! -f "$file" ] ; then + echo -n $msg + rm -f $file > /dev/null 2>&1 + ssh-keygen -q -f "$file" -N '' "$@" + echo + if which restorecon >/dev/null 2>&1; then + restorecon "$file" "$file.pub" + fi + ssh-keygen -lv -f "$file.pub" + fi +} + +create_keys() { + hostkeys="$(host_keys_required)" + + create_key "Creating DSA key; this may take some time ..." \ + "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa + create_key "Creating ECDSA key; this may take some time ..." \ + "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa + create_key "Creating ED25519 key; this may take some time ..." \ + "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 + create_key "Creating RSA key; this may take some time ..." \ + "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa +} + +create_keys 
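Review bot: create_key drops the exit status of ssh-keygen, so a failed generation (read-only /etc/ssh, a key type the build does not support) only prints the message and leaves sshd to start without that HostKey; the replaced gen_key checked `$?` and exited 1. Suggest `ssh-keygen -q -f "$file" -N '' "$@" || exit 1`, or return the status from create_keys so the rc.once.d runner can treat the script as not done. In get_hostkeys, `grep "^HostKey"` also matches a `HostKeyAlgorithms` line and the `sed "s/^HostKey //g"` assumes exactly one space after the keyword; `grep -E '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config | awk '{print $2}'` handles both. Minor: `echo -n $msg` and `rm -f $file` should quote their arguments like the rest of the function does.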
diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config index 7cd7897..c637aa1 100644 --- a/projectroot/etc/ssh/sshd_config +++ b/projectroot/etc/ssh/sshd_config @@ -1,53 +1,30 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. +# OpenSSH server system-wide configuration +# See the sshd_config manpage for details Port 22 -Protocol 2 -#AddressFamily any -#ListenAddress 0.0.0.0 #ListenAddress :: +#ListenAddress 0.0.0.0 -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 +# HostKeys +HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO -# Authentication: - -#LoginGraceTime 2m +# Authentication +LoginGraceTime 1m PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 +StrictModes yes -#RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes 
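Review bot: `PermitRootLogin yes` is kept as an uncommented directive in a change that advertises more secure defaults; with PasswordAuthentication left at sshd's default of yes, root is reachable with a password on port 22. If root access is required on the target, `PermitRootLogin without-password` (spelled `prohibit-password` on newer sshd releases) restricts it to keys; if the BSP really needs password root login, a comment next to the line explaining why would help the next reader. Dropping `Protocol 2` relies on the packaged sshd defaulting to protocol 2 only, which is worth stating in the commit message.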
@@ -63,7 +40,6 @@ PermitRootLogin yes #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes -#KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no @@ -79,27 +55,28 @@ PermitRootLogin yes # ChallengeResponseAuthentication=no #UsePAM no -#AllowTcpForwarding yes -#GatewayPorts no +# Privilege separation is turned on for increased security +UsePrivilegeSeparation sandbox + +# Compression is delayed until the user has authenticated +Compression delayed + +# TCPKeepAlive is spoofable, use ClientAliveInterval instead +TCPKeepAlive no +# Disconnect clients after not responding over the encrypted channel for 3 min. +ClientAliveInterval 60 +ClientAliveCountMax 3 + #X11Forwarding no #X11DisplayOffset 10 -#X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes -#TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no - -# no default banner path -#Banner /some/path - -# override default of no subsystems + +#MaxStartups 10:30:60 +#Banner /etc/issue + +# Allow clients to pass locale environment variables +#AcceptEnv LANG LC_* + Subsystem sftp /usr/sbin/sftp-server -- 2.4.6 -- ptxdist mailing list ptxdist@pengutronix.de
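Review bot: in the third hunk, `UsePrivilegeSeparation sandbox` is set unconditionally while the commit message says the sandbox is used "if available"; an sshd too old to know the `sandbox` value rejects the file and fails to start, and newer releases that always sandbox warn that the directive is deprecated, so the supported sshd version range should be noted, and the comment above the line ("Privilege separation is turned on") should say that it is the sandboxed mode being requested. The `ClientAliveInterval 60` / `ClientAliveCountMax 3` pair matches the "3 min." comment, and `TCPKeepAlive no` is consistent with the commit message. `Compression delayed` only restates sshd's default; fine to keep for explicitness, but the comment could say so.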