Refactor harden server and client config patch for openssh package

Move ssh_config and sshd_config modification from openssh package to openssh-config package. Deployment test pass and configuration file check pass! Story: 2004477 Task: 28185 Change-Id: I9976733bab102ee076d514333cd5a74af20794ec Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-12-08 00:48:10 +08:00 · 2018-12-08 00:48:10 +08:00 · 2730d2b38b
commit 2730d2b38b
parent 4f3e626029
6 changed files with 233 additions and 150 deletions
--- a/base/openssh-config/centos/openssh-config.spec
+++ b/base/openssh-config/centos/openssh-config.spec
@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder.
 %{__install} -d  %{buildroot}%{_sysconfdir}/systemd/system
 %{__install} -m 644 sshd.pam      %{buildroot}%{_datadir}/starlingx/sshd.pam
 %{__install} -m 644 sshd.service  %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
 %{__install} -m 644 ssh_config    %{buildroot}%{_datadir}/starlingx/ssh_config
 %{__install} -m 600 sshd_config   %{buildroot}%{_datadir}/starlingx/sshd_config
 %post
 %define _pamconfdir %{_sysconfdir}/pam.d
 if [ $1 -eq 1 ] ; then
        # Initial installation
        cp -f %{_datadir}/starlingx/sshd.pam    %{_pamconfdir}/sshd
        cp -f %{_datadir}/starlingx/ssh_config  %{_sysconfdir}/ssh/ssh_config
        cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config
 fi
 %files
 %{_datadir}/starlingx/sshd.pam
 %{_sysconfdir}/systemd/system/sshd.service
 %{_datadir}/starlingx/ssh_config
 %{_datadir}/starlingx/sshd_config
--- a/base/openssh-config/files/ssh_config
+++ b/base/openssh-config/files/ssh_config
@ -0,0 +1,71 @@
 #       $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
 # users, and the values can be changed in per-user configuration files
 # or on the command line.
 # Configuration data is parsed as follows:
 #  1. command line options
 #  2. user-specific file
 #  3. system-wide file
 # Any configuration value is only changed the first time it is set.
 # Thus, host-specific definitions should be at the beginning of the
 # configuration file, and defaults at the end.
 # Site-wide defaults for some commonly used options.  For a comprehensive
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
 #   GSSAPIDelegateCredentials no
 #   GSSAPIKeyExchange no
 #   GSSAPITrustDNS no
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
 #   ConnectTimeout 0
 #   StrictHostKeyChecking ask
 #   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_rsa
 #   IdentityFile ~/.ssh/id_dsa
 #   IdentityFile ~/.ssh/id_ecdsa
 #   IdentityFile ~/.ssh/id_ed25519
 #   Port 22
 #   Protocol 2
 #   Cipher 3des
 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
 #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
 #   EscapeChar ~
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #
 # Uncomment this if you want to use .local domain
 # Host *.local
 #   CheckHostIP no
 Host *
        GSSAPIAuthentication yes
 # If this option is set to yes then remote X11 clients will have full access
 # to the original X11 display. As virtually no X11 client supports the untrusted
 # mode correctly we set this to yes.
        ForwardX11Trusted yes
 # Send locale-related environment variables
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
        SendEnv XMODIFIERS
 # Filtered key exchange algorithm list
 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
--- a/base/openssh-config/files/sshd_config
+++ b/base/openssh-config/files/sshd_config
@ -0,0 +1,148 @@
 #       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 # If you want to change the port on a SELinux system, you have to tell
 # SELinux about this change.
 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 #
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 RekeyLimit default 1h
 # Logging
 #SyslogFacility AUTH
 #SyslogFacility AUTHPRIV
 LogLevel INFO
 # Authentication:
 LoginGraceTime 1m
 PermitRootLogin no
 #StrictModes yes
 MaxAuthTries 4
 #MaxSessions 10
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile     .ssh/authorized_keys
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 PasswordAuthentication yes
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 ChallengeResponseAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 #KerberosUseKuserok yes
 # GSSAPI options
 GSSAPIAuthentication no
 GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 #GSSAPIEnablek5users no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
 # problems.
 UsePAM yes
 AllowAgentForwarding no
 AllowTcpForwarding no
 #GatewayPorts no
 X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15
 ClientAliveCountMax 4
 #ShowPatchLevel no
 # Make SSH connect faster on bootup
 UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # default banner path
 Banner /etc/issue.net
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS
 # override default of no subsystems
 Subsystem       sftp    /usr/libexec/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #       X11Forwarding no
 #       AllowTcpForwarding no
 #       PermitTTY no
 #       ForceCommand cvs server
 DenyUsers admin secadmin operator
 # Filtered cipher, MAC and key exchange algorithm list, defaults can be
 # obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
 # TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
 # using "-" should be used for cipher, MAC and kex excluded suites.
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
 MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
--- a/base/openssh/centos/build_srpm.data
+++ b/base/openssh/centos/build_srpm.data
@ -1 +1 @@
-TIS_PATCH_VER=9
+TIS_PATCH_VER=10
--- a/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
+++ b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
@ -5,31 +5,13 @@ Subject: spec-include-TiS-changes.patch
 Signed-off-by: zhipengl <zhipengs.liu@intel.com>
 ---
- SPECS/openssh.spec | 9 ++++-----
+ SPECS/openssh.spec | 5 -----
- 1 file changed, 4 insertions(+), 5 deletions(-)
+ 1 file changed, 5 deletions(-)
 diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
 index 0a91b56..bbae9d7 100644
 --- a/SPECS/openssh.spec
 +++ b/SPECS/openssh.spec
@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
 Patch959: openssh-7.4p1-authorized_keys_command.patch
 # Fix for CVE-2017-15906 (#1517226)
 Patch960: openssh-7.5p1-sftp-empty-files.patch
 +# WRS: harden server and client config
 +Patch1000: harden-server-and-client-config.patch
 License: BSD
 Group: Applications/Internet
@@ -510,6 +512,8 @@ popd
 %patch700 -p1 -b .fips
 %patch100 -p1 -b .coverity
 +# WRS
 +%patch1000 -p1 -b .harden
 %if 0
 # Nothing here yet
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
 %preun server
 %systemd_preun sshd.service sshd.socket
--- a/base/openssh/centos/patches/harden-server-and-client-config.patch
+++ b/base/openssh/centos/patches/harden-server-and-client-config.patch
@ -1,124 +0,0 @@
 From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
 From: Andy Ning <andy.ning@windriver.com>
 Date: Fri, 23 Mar 2018 14:46:06 -0400
 Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
 The patch hardened ssh server and client security, specifically
 removed support of sha1 base kex algrorithms as found by Nessus
 scan.
 ---
 ssh_config  |  3 +++
 sshd_config | 45 +++++++++++++++++++++++++++------------------
 2 files changed, 30 insertions(+), 18 deletions(-)
 diff --git a/ssh_config b/ssh_config
 index d1c83ea..3320eb0 100644
 --- a/ssh_config
 +++ b/ssh_config
@@ -66,3 +66,6 @@ Host *
 	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 	SendEnv XMODIFIERS
 +
 +# Filtered key exchange algorithm list
 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 diff --git a/sshd_config b/sshd_config
 index 6bbb86b..7fb2ac7 100644
 --- a/sshd_config
 +++ b/sshd_config
@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 -#RekeyLimit default none
 +RekeyLimit default 1h
 # Logging
 #SyslogFacility AUTH
 -SyslogFacility AUTHPRIV
 -#LogLevel INFO
 +#SyslogFacility AUTHPRIV
 +LogLevel INFO
 # Authentication:
 -#LoginGraceTime 2m
 -#PermitRootLogin yes
 +LoginGraceTime 1m
 +PermitRootLogin no
 #StrictModes yes
 -#MaxAuthTries 6
 +MaxAuthTries 4
 #MaxSessions 10
 #PubkeyAuthentication yes
@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
 #KerberosUseKuserok yes
 # GSSAPI options
 -GSSAPIAuthentication yes
 -GSSAPICleanupCredentials no
 +GSSAPIAuthentication no
 +GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 #GSSAPIEnablek5users no
@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
 # problems.
 UsePAM yes
 -#AllowAgentForwarding yes
 -#AllowTcpForwarding yes
 +AllowAgentForwarding no
 +AllowTcpForwarding no
 #GatewayPorts no
 -X11Forwarding yes
 +X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
@@ -106,21 +106,22 @@ X11Forwarding yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 -#UsePrivilegeSeparation sandbox
 +UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 -#Compression delayed
 -#ClientAliveInterval 0
 -#ClientAliveCountMax 3
 +Compression no
 +ClientAliveInterval 15
 +ClientAliveCountMax 4
 #ShowPatchLevel no
 -#UseDNS yes
 +# Make SSH connect faster on bootup
 +UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 -# no default banner path
 -#Banner none
 +# default banner path
 +Banner /etc/issue.net
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -137,3 +138,11 @@ Subsystem	sftp	/usr/libexec/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
 +DenyUsers admin secadmin operator
 +# Filtered cipher, MAC and key exchange algorithm list, defaults can be
 +# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
 +# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
 +# using "-" should be used for cipher, MAC and kex excluded suites.
 +Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
 +MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 -- 
 1.8.3.1