From 2730d2b38b6a8122397445b9dc647e73f0bbbb57 Mon Sep 17 00:00:00 2001
From: zhipengl
Date: Sat, 8 Dec 2018 00:48:10 +0800
Subject: [PATCH] Refactor harden server and client config patch for openssh package
Move ssh_config and sshd_config modification from openssh package to openssh-config package. Deployment test pass and configuration file check pass!
Story: 2004477
Task: 28185
Change-Id: I9976733bab102ee076d514333cd5a74af20794ec
Signed-off-by: zhipengl
---
 .../openssh-config/centos/openssh-config.spec | 8 +-
 base/openssh-config/files/ssh_config | 71 +++++++++
 base/openssh-config/files/sshd_config | 148 ++++++++++++++++++
 base/openssh/centos/build_srpm.data | 2 +-
 .../spec-include-TiS-changes.patch | 30 +---
 .../harden-server-and-client-config.patch | 124 ---------------
 6 files changed, 233 insertions(+), 150 deletions(-)
 create mode 100644 base/openssh-config/files/ssh_config
 create mode 100644 base/openssh-config/files/sshd_config
 delete mode 100644 base/openssh/centos/patches/harden-server-and-client-config.patch
diff --git a/base/openssh-config/centos/openssh-config.spec b/base/openssh-config/centos/openssh-config.spec
index 2bc503641..b8ecab924 100644
--- a/base/openssh-config/centos/openssh-config.spec
+++ b/base/openssh-config/centos/openssh-config.spec
@@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder.
 %{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
 %{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
 %{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
+%{__install} -m 644 ssh_config %{buildroot}%{_datadir}/starlingx/ssh_config
+%{__install} -m 600 sshd_config %{buildroot}%{_datadir}/starlingx/sshd_config
 
 %post
 %define _pamconfdir %{_sysconfdir}/pam.d
 if [ $1 -eq 1 ] ; then
 # Initial installation
- cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
+ cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
+ cp -f %{_datadir}/starlingx/ssh_config %{_sysconfdir}/ssh/ssh_config
+ cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config
 fi
 
 %files
 %{_datadir}/starlingx/sshd.pam
 %{_sysconfdir}/systemd/system/sshd.service
+%{_datadir}/starlingx/ssh_config
+%{_datadir}/starlingx/sshd_config
diff --git a/base/openssh-config/files/ssh_config b/base/openssh-config/files/ssh_config
new file mode 100644
index 000000000..c970defeb
--- /dev/null
+++ b/base/openssh-config/files/ssh_config
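Review bot: The `%post` copies of ssh_config and sshd_config run only inside `if [ $1 -eq 1 ]`, so an upgrade of openssh-config that ships a revised hardened sshd_config never reaches /etc/ssh, and the copy is made without any `sshd -t` validation, so a bad file is only noticed when sshd next restarts. If install-only is deliberate (to avoid clobbering site edits), a comment in the scriptlet should say so; otherwise copy on both branches and validate, e.g. `/usr/sbin/sshd -t -f %{_sysconfdir}/ssh/sshd_config || echo "openssh-config: sshd_config failed validation" >&2`. The target /etc/ssh/sshd_config is presumably owned by openssh-server, so the copy also relies on that package being installed first; if a `Requires(post)` covers that, it is outside this hunk. The staged file is installed `-m 600`, but `cp -f` onto an existing target keeps the target's current mode, so the 600 only governs the staged copy under %{_datadir}.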
@@ -0,0 +1,71 @@
+# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+# Port 22
+# Protocol 2
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+#
+# Uncomment this if you want to use .local domain
+# Host *.local
+# CheckHostIP no
+
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
+
+# Filtered key exchange algorithm list
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/base/openssh-config/files/sshd_config b/base/openssh-config/files/sshd_config
new file mode 100644
index 000000000..7091b6868
--- /dev/null
+++ b/base/openssh-config/files/sshd_config
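Review bot: The client file restricts only `KexAlgorithms`, whereas the sshd_config added in the same commit also pins `Ciphers` and `MACs`; if the two halves are meant to be hardened symmetrically the same `Ciphers`/`MACs` lines belong here too, and if the asymmetry is deliberate a comment above `KexAlgorithms` should say why. The `KexAlgorithms` line sits after the `SendEnv` entries without indentation but is still inside `Host *` (a Host stanza runs until the next Host/Match keyword), so it does apply to every destination as intended; a short comment such as `# still within the Host * stanza above` would stop a later edit from "moving" it. The template settings `GSSAPIAuthentication yes` and `ForwardX11Trusted yes` are carried over unchanged, which may well be intended but is not covered by the "harden" wording of the commit message.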
@@ -0,0 +1,148 @@
+# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+RekeyLimit default 1h
+
+# Logging
+#SyslogFacility AUTH
+#SyslogFacility AUTHPRIV
+LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 1m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+#ShowPatchLevel no
+# Make SSH connect faster on bootup
+UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# default banner path
+Banner /etc/issue.net
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+DenyUsers admin secadmin operator
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
+# using "-" should be used for cipher, MAC and kex excluded suites.
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/base/openssh/centos/build_srpm.data b/base/openssh/centos/build_srpm.data
index c428b1f1d..ed8de7493 100644
--- a/base/openssh/centos/build_srpm.data
+++ b/base/openssh/centos/build_srpm.data
@@ -1 +1 @@
-TIS_PATCH_VER=9
+TIS_PATCH_VER=10
diff --git a/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
index 0a361ef97..6b328db57 100644
--- a/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
+++ b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
@@ -5,35 +5,17 @@ Subject: spec-include-TiS-changes.patch Signed-off-by: zhipengl --- - SPECS/openssh.spec | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) + SPECS/openssh.spec | 5 ----- + 1 file changed, 5 deletions(-) diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 0a91b56..bbae9d7 100644 --- a/SPECS/openssh.spec 
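Review bot: `UsePrivilegeSeparation yes` is a step down from the template default — the removed harden patch in this same commit shows the stock line as `#UsePrivilegeSeparation sandbox` — because `yes` forgoes the pre-authentication sandbox that `sandbox` adds; unless there is a known reason, the line should read `UsePrivilegeSeparation sandbox` (or be left commented so the default applies). The `MACs` line also keeps `hmac-sha1`, the `hmac-ripemd160*` entries and the 64-bit-tag `umac-64*` variants, which sits oddly with the "Filtered ... list" comment above it; if these are deliberately retained for client compatibility, a one-line comment such as `# hmac-sha1/ripemd160/umac-64 kept for legacy clients; revisit with the 7.5 "-" exclusion syntax` would record that. `PasswordAuthentication yes` is likewise set explicitly rather than inherited, so password logins stay enabled for every account not listed in `DenyUsers`; stating that this is intentional would save the next reader from assuming it was an oversight.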
+++ b/SPECS/openssh.spec -@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch - Patch959: openssh-7.4p1-authorized_keys_command.patch - # Fix for CVE-2017-15906 (#1517226) - Patch960: openssh-7.5p1-sftp-empty-files.patch -+# WRS: harden server and client config -+Patch1000: harden-server-and-client-config.patch - - License: BSD - Group: Applications/Internet -@@ -510,6 +512,8 @@ popd - %patch700 -p1 -b .fips - - %patch100 -p1 -b .coverity -+# WRS -+%patch1000 -p1 -b .harden - - %if 0 - # Nothing here yet @@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \ %preun server %systemd_preun sshd.service sshd.socket - + -%postun server -%systemd_postun_with_restart sshd.service -
@@ -43,12 +25,12 @@ index 0a91b56..bbae9d7 100644 @@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd-keygen.service - + -%files server-sysvinit -%defattr(-,root,root) %attr(0755,root,root) /etc/rc.d/init.d/sshd %endif - --- + +-- 1.8.3.1
diff --git a/base/openssh/centos/patches/harden-server-and-client-config.patch b/base/openssh/centos/patches/harden-server-and-client-config.patch
deleted file mode 100644
index ea474cffc..000000000
--- a/base/openssh/centos/patches/harden-server-and-client-config.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
-From: Andy Ning
-Date: Fri, 23 Mar 2018 14:46:06 -0400
-Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
-
-The patch hardened ssh server and client security, specifically
-removed support of sha1 base kex algrorithms as found by Nessus
-scan.
----
- ssh_config | 3 +++
- sshd_config | 45 +++++++++++++++++++++++++++------------------
- 2 files changed, 30 insertions(+), 18 deletions(-)
-
-diff --git a/ssh_config b/ssh_config
-index d1c83ea..3320eb0 100644
---- a/ssh_config
-+++ b/ssh_config
-@@ -66,3 +66,6 @@ Host *
- SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
- SendEnv XMODIFIERS
-+
-+# Filtered key exchange algorithm list
-+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-diff --git a/sshd_config b/sshd_config
-index 6bbb86b..7fb2ac7 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
- HostKey /etc/ssh/ssh_host_ed25519_key
- 
- # Ciphers and keying
--#RekeyLimit default none
-+RekeyLimit default 1h
- 
- # Logging
- #SyslogFacility AUTH
--SyslogFacility AUTHPRIV
--#LogLevel INFO
-+#SyslogFacility AUTHPRIV
-+LogLevel INFO
- 
- # Authentication:
- 
--#LoginGraceTime 2m
--#PermitRootLogin yes
-+LoginGraceTime 1m
-+PermitRootLogin no
- #StrictModes yes
--#MaxAuthTries 6
-+MaxAuthTries 4
- #MaxSessions 10
- 
- #PubkeyAuthentication yes
-@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
- #KerberosUseKuserok yes
- 
- # GSSAPI options
--GSSAPIAuthentication yes
--GSSAPICleanupCredentials no
-+GSSAPIAuthentication no
-+GSSAPICleanupCredentials yes
- #GSSAPIStrictAcceptorCheck yes
- #GSSAPIKeyExchange no
- #GSSAPIEnablek5users no
-@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
- # problems.
- UsePAM yes
- 
--#AllowAgentForwarding yes
--#AllowTcpForwarding yes
-+AllowAgentForwarding no
-+AllowTcpForwarding no
- #GatewayPorts no
--X11Forwarding yes
-+X11Forwarding no
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PermitTTY yes
-@@ -106,21 +106,22 @@ X11Forwarding yes
- #PrintLastLog yes
- #TCPKeepAlive yes
- #UseLogin no
--#UsePrivilegeSeparation sandbox
-+UsePrivilegeSeparation yes
- #PermitUserEnvironment no
--#Compression delayed
--#ClientAliveInterval 0
--#ClientAliveCountMax 3
-+Compression no
-+ClientAliveInterval 15
-+ClientAliveCountMax 4
- #ShowPatchLevel no
--#UseDNS yes
-+# Make SSH connect faster on bootup
-+UseDNS no
- #PidFile /var/run/sshd.pid
- #MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- #VersionAddendum none
- 
--# no default banner path
--#Banner none
-+# default banner path
-+Banner /etc/issue.net
- 
- # Accept locale-related environment variables
- AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
- # AllowTcpForwarding no
- # PermitTTY no
- # ForceCommand cvs server
-+DenyUsers admin secadmin operator
-+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
-+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
-+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
-+# using "-" should be used for cipher, MAC and kex excluded suites.
-+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
-+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
-+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
---
-1.8.3.1
-