Refactor harden server and client config patch for openssh package
Move ssh_config and sshd_config modification from openssh package to openssh-config package. Deployment test pass and configuration file check pass! Story: 2004477 Task: 28185 Change-Id: I9976733bab102ee076d514333cd5a74af20794ec Signed-off-by: zhipengl <zhipengs.liu@intel.com>
This commit is contained in:
parent
4f3e626029
commit
2730d2b38b
@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder.
|
||||
%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
|
||||
%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
|
||||
%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
|
||||
%{__install} -m 644 ssh_config %{buildroot}%{_datadir}/starlingx/ssh_config
|
||||
%{__install} -m 600 sshd_config %{buildroot}%{_datadir}/starlingx/sshd_config
|
||||
|
||||
%post
|
||||
%define _pamconfdir %{_sysconfdir}/pam.d
|
||||
if [ $1 -eq 1 ] ; then
|
||||
# Initial installation
|
||||
cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
|
||||
cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
|
||||
cp -f %{_datadir}/starlingx/ssh_config %{_sysconfdir}/ssh/ssh_config
|
||||
cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config
|
||||
fi
|
||||
|
||||
%files
|
||||
%{_datadir}/starlingx/sshd.pam
|
||||
%{_sysconfdir}/systemd/system/sshd.service
|
||||
%{_datadir}/starlingx/ssh_config
|
||||
%{_datadir}/starlingx/sshd_config
|
||||
|
71
base/openssh-config/files/ssh_config
Normal file
71
base/openssh-config/files/ssh_config
Normal file
@ -0,0 +1,71 @@
|
||||
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
|
||||
|
||||
# This is the ssh client system-wide configuration file. See
|
||||
# ssh_config(5) for more information. This file provides defaults for
|
||||
# users, and the values can be changed in per-user configuration files
|
||||
# or on the command line.
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
# 1. command line options
|
||||
# 2. user-specific file
|
||||
# 3. system-wide file
|
||||
# Any configuration value is only changed the first time it is set.
|
||||
# Thus, host-specific definitions should be at the beginning of the
|
||||
# configuration file, and defaults at the end.
|
||||
|
||||
# Site-wide defaults for some commonly used options. For a comprehensive
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
# Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
# RhostsRSAAuthentication no
|
||||
# RSAAuthentication yes
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
# GSSAPIKeyExchange no
|
||||
# GSSAPITrustDNS no
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
# ConnectTimeout 0
|
||||
# StrictHostKeyChecking ask
|
||||
# IdentityFile ~/.ssh/identity
|
||||
# IdentityFile ~/.ssh/id_rsa
|
||||
# IdentityFile ~/.ssh/id_dsa
|
||||
# IdentityFile ~/.ssh/id_ecdsa
|
||||
# IdentityFile ~/.ssh/id_ed25519
|
||||
# Port 22
|
||||
# Protocol 2
|
||||
# Cipher 3des
|
||||
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
|
||||
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
||||
# EscapeChar ~
|
||||
# Tunnel no
|
||||
# TunnelDevice any:any
|
||||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
#
|
||||
# Uncomment this if you want to use .local domain
|
||||
# Host *.local
|
||||
# CheckHostIP no
|
||||
|
||||
Host *
|
||||
GSSAPIAuthentication yes
|
||||
# If this option is set to yes then remote X11 clients will have full access
|
||||
# to the original X11 display. As virtually no X11 client supports the untrusted
|
||||
# mode correctly we set this to yes.
|
||||
ForwardX11Trusted yes
|
||||
# Send locale-related environment variables
|
||||
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
SendEnv XMODIFIERS
|
||||
|
||||
# Filtered key exchange algorithm list
|
||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
148
base/openssh-config/files/sshd_config
Normal file
148
base/openssh-config/files/sshd_config
Normal file
@ -0,0 +1,148 @@
|
||||
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
||||
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||
|
||||
# The strategy used for options in the default sshd_config shipped with
|
||||
# OpenSSH is to specify options with their default value where
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
# If you want to change the port on a SELinux system, you have to tell
|
||||
# SELinux about this change.
|
||||
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||
#
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Ciphers and keying
|
||||
RekeyLimit default 1h
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#SyslogFacility AUTHPRIV
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
LoginGraceTime 1m
|
||||
PermitRootLogin no
|
||||
#StrictModes yes
|
||||
MaxAuthTries 4
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
||||
#AuthorizedKeysCommand none
|
||||
#AuthorizedKeysCommandUser nobody
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#HostbasedAuthentication no
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
PasswordAuthentication yes
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
GSSAPIAuthentication no
|
||||
GSSAPICleanupCredentials yes
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
#GSSAPIEnablek5users no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
|
||||
# problems.
|
||||
UsePAM yes
|
||||
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
#GatewayPorts no
|
||||
X11Forwarding no
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
#PrintMotd yes
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
UsePrivilegeSeparation yes
|
||||
#PermitUserEnvironment no
|
||||
Compression no
|
||||
ClientAliveInterval 15
|
||||
ClientAliveCountMax 4
|
||||
#ShowPatchLevel no
|
||||
# Make SSH connect faster on bootup
|
||||
UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#VersionAddendum none
|
||||
|
||||
# default banner path
|
||||
Banner /etc/issue.net
|
||||
|
||||
# Accept locale-related environment variables
|
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
AcceptEnv XMODIFIERS
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
DenyUsers admin secadmin operator
|
||||
# Filtered cipher, MAC and key exchange algorithm list, defaults can be
|
||||
# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
|
||||
# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
|
||||
# using "-" should be used for cipher, MAC and kex excluded suites.
|
||||
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
|
||||
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
|
||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
@ -1 +1 @@
|
||||
TIS_PATCH_VER=9
|
||||
TIS_PATCH_VER=10
|
||||
|
@ -5,31 +5,13 @@ Subject: spec-include-TiS-changes.patch
|
||||
|
||||
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
|
||||
---
|
||||
SPECS/openssh.spec | 9 ++++-----
|
||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||
SPECS/openssh.spec | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
||||
index 0a91b56..bbae9d7 100644
|
||||
--- a/SPECS/openssh.spec
|
||||
+++ b/SPECS/openssh.spec
|
||||
@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
|
||||
Patch959: openssh-7.4p1-authorized_keys_command.patch
|
||||
# Fix for CVE-2017-15906 (#1517226)
|
||||
Patch960: openssh-7.5p1-sftp-empty-files.patch
|
||||
+# WRS: harden server and client config
|
||||
+Patch1000: harden-server-and-client-config.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
@@ -510,6 +512,8 @@ popd
|
||||
%patch700 -p1 -b .fips
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
+# WRS
|
||||
+%patch1000 -p1 -b .harden
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
|
||||
%preun server
|
||||
%systemd_preun sshd.service sshd.socket
|
||||
|
@ -1,124 +0,0 @@
|
||||
From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
|
||||
From: Andy Ning <andy.ning@windriver.com>
|
||||
Date: Fri, 23 Mar 2018 14:46:06 -0400
|
||||
Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
|
||||
|
||||
The patch hardened ssh server and client security, specifically
|
||||
removed support of sha1 base kex algrorithms as found by Nessus
|
||||
scan.
|
||||
---
|
||||
ssh_config | 3 +++
|
||||
sshd_config | 45 +++++++++++++++++++++++++++------------------
|
||||
2 files changed, 30 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
index d1c83ea..3320eb0 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -66,3 +66,6 @@ Host *
|
||||
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
SendEnv XMODIFIERS
|
||||
+
|
||||
+# Filtered key exchange algorithm list
|
||||
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 6bbb86b..7fb2ac7 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Ciphers and keying
|
||||
-#RekeyLimit default none
|
||||
+RekeyLimit default 1h
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
-SyslogFacility AUTHPRIV
|
||||
-#LogLevel INFO
|
||||
+#SyslogFacility AUTHPRIV
|
||||
+LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
|
||||
-#LoginGraceTime 2m
|
||||
-#PermitRootLogin yes
|
||||
+LoginGraceTime 1m
|
||||
+PermitRootLogin no
|
||||
#StrictModes yes
|
||||
-#MaxAuthTries 6
|
||||
+MaxAuthTries 4
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
|
||||
#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
-GSSAPIAuthentication yes
|
||||
-GSSAPICleanupCredentials no
|
||||
+GSSAPIAuthentication no
|
||||
+GSSAPICleanupCredentials yes
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
#GSSAPIEnablek5users no
|
||||
@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
|
||||
# problems.
|
||||
UsePAM yes
|
||||
|
||||
-#AllowAgentForwarding yes
|
||||
-#AllowTcpForwarding yes
|
||||
+AllowAgentForwarding no
|
||||
+AllowTcpForwarding no
|
||||
#GatewayPorts no
|
||||
-X11Forwarding yes
|
||||
+X11Forwarding no
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
@@ -106,21 +106,22 @@ X11Forwarding yes
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
-#UsePrivilegeSeparation sandbox
|
||||
+UsePrivilegeSeparation yes
|
||||
#PermitUserEnvironment no
|
||||
-#Compression delayed
|
||||
-#ClientAliveInterval 0
|
||||
-#ClientAliveCountMax 3
|
||||
+Compression no
|
||||
+ClientAliveInterval 15
|
||||
+ClientAliveCountMax 4
|
||||
#ShowPatchLevel no
|
||||
-#UseDNS yes
|
||||
+# Make SSH connect faster on bootup
|
||||
+UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#VersionAddendum none
|
||||
|
||||
-# no default banner path
|
||||
-#Banner none
|
||||
+# default banner path
|
||||
+Banner /etc/issue.net
|
||||
|
||||
# Accept locale-related environment variables
|
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
|
||||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
+DenyUsers admin secadmin operator
|
||||
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
|
||||
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
|
||||
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
|
||||
+# using "-" should be used for cipher, MAC and kex excluded suites.
|
||||
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
|
||||
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
|
||||
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
||||
--
|
||||
1.8.3.1
|
||||
|
Loading…
Reference in New Issue
Block a user