Refactor harden server and client config patch for openssh package

Move ssh_config and sshd_config modification from openssh package to
openssh-config package.
Deployment test pass and configuration file check pass!

Story: 2004477
Task: 28185

Change-Id: I9976733bab102ee076d514333cd5a74af20794ec
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
This commit is contained in:
zhipengl 2018-12-08 00:48:10 +08:00
parent 4f3e626029
commit 2730d2b38b
6 changed files with 233 additions and 150 deletions

View File

@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder.
%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system %{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam %{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service %{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
%{__install} -m 644 ssh_config %{buildroot}%{_datadir}/starlingx/ssh_config
%{__install} -m 600 sshd_config %{buildroot}%{_datadir}/starlingx/sshd_config
%post %post
%define _pamconfdir %{_sysconfdir}/pam.d %define _pamconfdir %{_sysconfdir}/pam.d
if [ $1 -eq 1 ] ; then if [ $1 -eq 1 ] ; then
# Initial installation # Initial installation
cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
cp -f %{_datadir}/starlingx/ssh_config %{_sysconfdir}/ssh/ssh_config
cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config
fi fi
%files %files
%{_datadir}/starlingx/sshd.pam %{_datadir}/starlingx/sshd.pam
%{_sysconfdir}/systemd/system/sshd.service %{_sysconfdir}/systemd/system/sshd.service
%{_datadir}/starlingx/ssh_config
%{_datadir}/starlingx/sshd_config

View File

@ -0,0 +1,71 @@
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
#
# Uncomment this if you want to use .local domain
# Host *.local
# CheckHostIP no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
# Filtered key exchange algorithm list
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

View File

@ -0,0 +1,148 @@
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
RekeyLimit default 1h
# Logging
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
#ShowPatchLevel no
# Make SSH connect faster on bootup
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# default banner path
Banner /etc/issue.net
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
DenyUsers admin secadmin operator
# Filtered cipher, MAC and key exchange algorithm list, defaults can be
# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
# using "-" should be used for cipher, MAC and kex excluded suites.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

View File

@ -1 +1 @@
TIS_PATCH_VER=9 TIS_PATCH_VER=10

View File

@ -5,35 +5,17 @@ Subject: spec-include-TiS-changes.patch
Signed-off-by: zhipengl <zhipengs.liu@intel.com> Signed-off-by: zhipengl <zhipengs.liu@intel.com>
--- ---
SPECS/openssh.spec | 9 ++++----- SPECS/openssh.spec | 5 -----
1 file changed, 4 insertions(+), 5 deletions(-) 1 file changed, 5 deletions(-)
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 0a91b56..bbae9d7 100644 index 0a91b56..bbae9d7 100644
--- a/SPECS/openssh.spec --- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec +++ b/SPECS/openssh.spec
@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
Patch959: openssh-7.4p1-authorized_keys_command.patch
# Fix for CVE-2017-15906 (#1517226)
Patch960: openssh-7.5p1-sftp-empty-files.patch
+# WRS: harden server and client config
+Patch1000: harden-server-and-client-config.patch
License: BSD
Group: Applications/Internet
@@ -510,6 +512,8 @@ popd
%patch700 -p1 -b .fips
%patch100 -p1 -b .coverity
+# WRS
+%patch1000 -p1 -b .harden
%if 0
# Nothing here yet
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \ @@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
%preun server %preun server
%systemd_preun sshd.service sshd.socket %systemd_preun sshd.service sshd.socket
-%postun server -%postun server
-%systemd_postun_with_restart sshd.service -%systemd_postun_with_restart sshd.service
- -
@ -43,12 +25,12 @@ index 0a91b56..bbae9d7 100644
@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \ @@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
-%files server-sysvinit -%files server-sysvinit
-%defattr(-,root,root) -%defattr(-,root,root)
%attr(0755,root,root) /etc/rc.d/init.d/sshd %attr(0755,root,root) /etc/rc.d/init.d/sshd
%endif %endif
-- --
1.8.3.1 1.8.3.1

View File

@ -1,124 +0,0 @@
From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Fri, 23 Mar 2018 14:46:06 -0400
Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
The patch hardened ssh server and client security, specifically
removed support of sha1 base kex algrorithms as found by Nessus
scan.
---
ssh_config | 3 +++
sshd_config | 45 +++++++++++++++++++++++++++------------------
2 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/ssh_config b/ssh_config
index d1c83ea..3320eb0 100644
--- a/ssh_config
+++ b/ssh_config
@@ -66,3 +66,6 @@ Host *
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
+
+# Filtered key exchange algorithm list
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/sshd_config b/sshd_config
index 6bbb86b..7fb2ac7 100644
--- a/sshd_config
+++ b/sshd_config
@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
-#RekeyLimit default none
+RekeyLimit default 1h
# Logging
#SyslogFacility AUTH
-SyslogFacility AUTHPRIV
-#LogLevel INFO
+#SyslogFacility AUTHPRIV
+LogLevel INFO
# Authentication:
-#LoginGraceTime 2m
-#PermitRootLogin yes
+LoginGraceTime 1m
+PermitRootLogin no
#StrictModes yes
-#MaxAuthTries 6
+MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
#KerberosUseKuserok yes
# GSSAPI options
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials no
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
# problems.
UsePAM yes
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
+AllowAgentForwarding no
+AllowTcpForwarding no
#GatewayPorts no
-X11Forwarding yes
+X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
@@ -106,21 +106,22 @@ X11Forwarding yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
-#UsePrivilegeSeparation sandbox
+UsePrivilegeSeparation yes
#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
#ShowPatchLevel no
-#UseDNS yes
+# Make SSH connect faster on bootup
+UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
-# no default banner path
-#Banner none
+# default banner path
+Banner /etc/issue.net
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+DenyUsers admin secadmin operator
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
+# using "-" should be used for cipher, MAC and kex excluded suites.
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
--
1.8.3.1