
Bug#774793: openssh: SSH uses insecure Ciphers, MACs and KexAlgorithms by default



forcemerge 774793 774711
stop

Hi.

This is basically the same as #774711, therefore merging.



On Wed, 2015-01-07 at 18:29 +0100, comotion@krutt.org wrote: 
> The attached patch updates openssh-server debian defaults through the 
> postinst script according to bettercrypto.org[2], stribika[3] and my own
> work [4] by doing the following:
I don't think that doing this via the postinst scripts, or better said
via changing the default configs, is the right solution:

- it either requires that we generally rewrite people's configs as soon
as we think something should be changed for security reasons,...which is
a bad idea as we'd simply mess up with configs that people might have
chosen deliberately
- or that only fresh installations benefit from this.

Even worse would be if Debian itself changed the hard-coded defaults of
these options, as it unfortunately already does for several options.


The right approach is to put more pressure on upstream to remove unsafe
(or at least questionable) stuff from the defaults.


> - - only uses known secure Ciphers, KexAlgorithms and MACs
Not to forget HostKeyAlgorithms

> - - deletes moduli smaller than 2048-bits
I personally would doubt that this is enough (see e.g. ECRYPT II
recommendations).
And see my comments about the problems of the group size of DH methods
in SSH in #774711.

> - - disables known-insecure NIST ECDSA keys, Protocol 1 keys and 1024-bit
>   DSA keys
I basically agree,... you'll see though that I have still enabled the
NIST curves in my algos below, even though I basically never use them.

Protocol 1 is disabled in Debian anyway.


> - - generates 4096-bit RSA host keys by default 
>   (instead of the upstream default 2048)
I'd basically agree as well... better safe than sorry.


But apart from these,... your choices below are not really perfect:

> +filter_keys() {
> +    hostkeys="$(host_keys_required)"
> +    protocol="$(get_config_option Protocol)"
> +    if echo "$protocol" | grep 2 >/dev/null &&
> +        echo "$hostkeys" | grep 'HostKey .*ssh_host_rsa_key' >/dev/null 2>&1 ||
> +        echo "$hostkeys" | grep 'HostKey .*ssh_host_ed25519_key' >/dev/null 2>&1; then
> +        # protocol 1 is known broken, DSA is only 1024bit large, and ECDSA uses the NIST curves,
> +        # so remove all of them
> +        grep -ev '^ *HostKey .*ssh_host_(ecdsa|dsa)_key.*|^ *HostKey .*ssh_host_key.*' /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
> +
> +        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
> +        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
> +        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
> +    else
> +        echo "Warning, you do not have any secure keys enabled in your SSH config" >&2
> +    fi
> +}
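Review bot: `grep -ev '^ *HostKey .*ssh_host_(ecdsa|dsa)_key.*|^ *HostKey .*ssh_host_key.*' ...` in filter_keys does not do what the comment above it says: `-e` consumes `v` as its pattern, so the quoted regex is taken as a file name, and the alternation `(ecdsa|dsa)` / `|` needs extended syntax anyway; `grep -Ev '...'` is the form that matches the intent. Two more points on the same function: the `if` mixes `&&` and `||` without grouping, and in sh they bind equally left to right, so the rewrite runs whenever an `ssh_host_ed25519_key` HostKey line exists, regardless of the Protocol check; and `/etc/ssh/sshd_config.dpkg-new` is moved over `/etc/ssh/sshd_config` with no backup and no `sshd -t` run on the result, so a syntax check before the `mv` (and keeping the old file) would be prudent for a postinst that edits a live service's config.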
As I've said,... it's not our task to force a user to do safe things...
users might need to use these old algos, and they might do so e.g. in a
safe network where it's no big problem anyway.

> +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
DH-GEX in principle has several issues as well,.. as I've noted in
#774711,...

> +Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
Why do you not allow the much safer aes128-gcm@openssh.com,
aes256-gcm@openssh.com?
Why not aes192-ctr?


> +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
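Review bot: the MACs list pairs every EtM entry with its non-EtM form (`hmac-sha2-512` next to `hmac-sha2-512-etm@openssh.com`, `umac-128@openssh.com` next to `umac-128-etm@openssh.com`). Since the Ciphers line in the previous hunk still offers `aes256-ctr` and `aes128-ctr`, a peer that prefers the non-EtM form will negotiate a CTR cipher with a MAC over the plaintext, which is exactly the construction the EtM variants exist to avoid; the four non-EtM entries should be dropped rather than listed after the EtM ones, because the peer's preference order, not the server's, can decide which is picked.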
It seems a bad idea to allow non-EtM modes, especially when you allow
CTR modes above.
Apart from that,... I'd avoid RIPEMD160.. it simply has reached its
age,.. and it was never as well analyzed as other algos.

> +       # upgrade kexalgorithm, ciphers and macs, but only when unset
+ 
> +       # delete small moduli
Again,.. it's not our right to mess around with possibly deliberately
chosen config.


I've attached now what has become my default config after considerable
"research" last November, and which I consider to be as secure as possible
(as for what OpenSSH allows to configure).
It completely ignores any interoperability needs with older
clients/servers (i.e. many algos disabled)... and it only allows public
key based auth on the server side.
One might additionally want to disable any NIST curves from the algos.

Each option prefixed by two "##" is equal to the OpenSSH default value.

Each option which is explicitly set but equal to its default value
(e.g. VerifyHostKeyDNS=no) is IMHO directly or indirectly security
relevant, and I set the value explicitly to handle the case that the
hard coded default should change to something less secure in a future
version.
For some it might not be that obvious (StreamLocalBindUnlink=no),
respectively the security impact may be rather low/indirect.

Other explicitly set options (e.g. PrintMotd=no) obviously have no
security influence.


Cheers,
Chris.
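The "delete moduli smaller than 2048 bits" point discussed above, as an added example that is not part of the bug report, the patch or the Debian openssh package: a small checker that reads lines in the format of /etc/ssh/moduli and reports which DH group-exchange groups fall under a chosen bit length, without rewriting anything (which is the reply's objection to the postinst approach). The bit length is computed from the modulus value itself rather than taken from the size column, so the result does not depend on how that column is counted; the sample lines are constructed placeholders of the right length, not real safe primes.

```python
"""Report Diffie-Hellman group-exchange moduli below a minimum size.

Added example for the "moduli smaller than 2048 bits" discussion; it is not
part of the bug report, the patch or the Debian openssh package.  It reads
lines in the format of /etc/ssh/moduli (time type tests trials size
generator modulus) and reports which groups fall under a bit-length
threshold without modifying the file.  The bit length is computed from the
modulus itself rather than read from the size column, so the report does not
depend on how that column is counted.  The sample lines are constructed
placeholders, not real safe primes.
"""
import sys

MIN_BITS = 2048  # the threshold proposed in the patch under discussion


def parse_moduli_line(line):
    """Parse one moduli line into a dict, or return None for comments/blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) != 7:
        raise ValueError("malformed moduli line: %r" % line)
    time_, typ, tests, trials, size, generator, modulus_hex = fields
    return {
        "time": time_,
        "type": int(typ),
        "tests": int(tests),
        "trials": int(trials),
        "size_field": int(size),
        "generator": int(generator),
        "bits": int(modulus_hex, 16).bit_length(),
    }


def small_groups(lines, min_bits=MIN_BITS):
    """Return (line_number, bits) for each group whose modulus has < min_bits."""
    found = []
    for number, line in enumerate(lines, start=1):
        entry = parse_moduli_line(line)
        if entry is not None and entry["bits"] < min_bits:
            found.append((number, entry["bits"]))
    return found


# Constructed sample (not real moduli): the hex strings only have the right
# length; type 2 = safe prime, tests 6 = sieve + probabilistic, as in moduli(5).
SAMPLE = [
    "# constructed sample, not from a real system",
    "20141105000000 2 6 100 1023 2 " + "F" * 256,   # 1024-bit modulus
    "20141105000000 2 6 100 1535 2 " + "F" * 384,   # 1536-bit modulus
    "20141105000000 2 6 100 2047 2 " + "F" * 512,   # 2048-bit modulus
    "20141105000000 2 6 100 4095 5 " + "F" * 1024,  # 4096-bit modulus
]


def report(lines, min_bits=MIN_BITS):
    """Print one line per undersized group; returns the count found."""
    found = small_groups(lines, min_bits)
    for number, bits in found:
        print("line %d: %d-bit group is below the %d-bit minimum"
              % (number, bits, min_bits))
    return len(found)


if __name__ == "__main__":
    # Usage: python3 check_moduli.py [/etc/ssh/moduli]; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            report(handle.read().splitlines())
    else:
        report(SAMPLE)
```

Run it against the real file with `python3 check_moduli.py /etc/ssh/moduli`; it only reports, so deciding what to do with undersized groups stays with the administrator, and the threshold can be raised (the reply doubts 2048 is enough) by changing MIN_BITS or passing a larger value to `small_groups`.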
#calestyo: openssh-server 1:6.7p1-3; 2014-11-05




#*******************************************************************************
#*** General                                                                 ***
#*******************************************************************************
##LogLevel		INFO
##SyslogFacility	AUTH

##PidFile		/var/run/sshd.pid


##StrictModes	yes




#*******************************************************************************
#*** System Techniques                                                       ***
#*******************************************************************************
UsePrivilegeSeparation	sandbox




#*******************************************************************************
#*** Networking                                                              ***
#*******************************************************************************
##AddressFamily	any

##Port		22
#TODO: Set addresses. Remove this comment.
#ListenAddress	localhost
#ListenAddress	ip6-localhost


TCPKeepAlive	no
##IPQoS		lowdelay throughput


##UseDNS	yes


##MaxStartups	10:30:100
##MaxSessions	10




#*******************************************************************************
#*** Secure Shell (SSH) Protocol                                             ***
#*******************************************************************************
Protocol	2


##VersionAddendum	none
##DebianBanner		yes

##Banner		


#Note: In general, compression may be abused as an oracle for side-channel attacks when attackers can inject chosen-plaintexts into the transferred (and encrypted) data (see for example the CRIME attack). Therefore, compression must not be used when such injection (for example via content like URIs or account names within log files, mails or via uploaded files) into SSH-transferred data (from both, the client or the server) might be possible. If compression is enabled, then only “delayed” compression (algorithm “zlib@openssh.com”) must be used.
Compression		no

ClientAliveInterval	15
ClientAliveCountMax	8


GSSAPIKeyExchange	no

#TODO: Consider adding “diffie-hellman-group-exchange-sha256” once OpenSSH bugs #2302 (https://bugzilla.mindrot.org/show_bug.cgi?id=2302) and #2303 (https://bugzilla.mindrot.org/show_bug.cgi?id=2303) have been solved.
KexAlgorithms		curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
#Note: Non-AEAD cipher algorithms (for example “aes256-ctr”, “aes192-ctr” and “aes128-ctr”) must not be allowed when non-EtM MAC algorithms are used.
Ciphers			chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#Note: Non-EtM MAC algorithms should generally not be allowed and must not be allowed when non-AEAD cipher algorithms (for example “aes256-ctr”, “aes192-ctr” and “aes128-ctr”) are used.
MACs			hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

ServerKeyBits		4096
KeyRegenerationInterval	10m
RekeyLimit		default 1h




#*******************************************************************************
#*** Server Authentication                                                   ***
#*******************************************************************************
HostKey			/etc/ssh/ssh_host_ed25519_key
HostKey			/etc/ssh/ssh_host_ecdsa_key
HostKey			/etc/ssh/ssh_host_rsa_key
#Note: SSH Version 2 DSA host keys are implicitly disabled.
##HostKey		/etc/ssh/ssh_host_dsa_key
#Note: SSH Version 1 RSA host keys are implicitly disabled.
##HostKey		/etc/ssh/ssh_host_key
##HostKeyAgent		
##HostCertificate	




#*******************************************************************************
#*** Client Authentication Methods                                           ***
#*******************************************************************************
PasswordAuthentication		no
PermitEmptyPasswords		no

KbdInteractiveAuthentication	no

ChallengeResponseAuthentication	no

RhostsRSAAuthentication		no

HostbasedAuthentication		no
HostbasedUsesNameFromPacketOnly	no

KerberosAuthentication		no
KerberosOrLocalPasswd		no
##KerberosGetAFSToken		no
##KerberosTicketCleanup		yes

GSSAPIAuthentication		no
GSSAPIStrictAcceptorCheck	yes
##GSSAPIStoreCredentialsOnRekey	no
##GSSAPICleanupCredentials	yes

RSAAuthentication		no

PubkeyAuthentication		yes


IgnoreUserKnownHosts	yes
IgnoreRhosts		yes




#*******************************************************************************
#*** Client Authentication And Authorisation                                 ***
#*******************************************************************************
AuthenticationMethods	publickey

LoginGraceTime		60
MaxAuthTries		4


##RevokedKeys			

##AuthorizedKeysCommand		none
AuthorizedKeysCommandUser	invalid
AuthorizedKeysFile		.ssh/authorized_keys

##TrustedUserCAKeys		
##AuthorizedPrincipalsFile	


#Note: These directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
#TODO: Set users and groups. Remove this comment.
##DenyUsers	
#DenyUsers	*
#AllowUsers	nonexistent
AllowUsers	root
##DenyGroups	
##AllowGroups	*

#TODO: Set whether and how root can log in. The value “yes” should be avoided and “forced-commands-only” or “without-password” considered instead. Remove this comment.
#PermitRootLogin	no
PermitRootLogin	without-password




#*******************************************************************************
#*** Session                                                                 ***
#*******************************************************************************
UsePAM		yes
##UseLogin	no


##PermitTTY		yes
##AllowAgentForwarding	yes
##PermitUserRC		yes

AcceptEnv		LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
PermitUserEnvironment	no


##PrintLastLog	yes
PrintMotd	no


##ChrootDirectory	
##ForceCommand		




#*******************************************************************************
#*** Forwarding                                                              ***
#*******************************************************************************
##AllowStreamLocalForwarding	yes
StreamLocalBindMask		0177
StreamLocalBindUnlink		no

##AllowTcpForwarding		yes
##PermitOpen			any

PermitTunnel			no

X11Forwarding			yes
X11UseLocalhost			yes
##X11DisplayOffset		10
##XAuthLocation			/usr/bin/xauth


GatewayPorts	no




#*******************************************************************************
#*** Subsystems                                                              ***
#*******************************************************************************
Subsystem	sftp /usr/lib/openssh/sftp-server
#calestyo: openssh-client 1:6.7p1-3; 2014-11-05




Host *




#*******************************************************************************
#*** General                                                                 ***
#*******************************************************************************
##IgnoreUnknown	


##LogLevel	INFO


##BatchMode			no
##NumberOfPasswordPrompts	3

HashKnownHosts			no
##VisualHostKey			no




#*******************************************************************************
#*** Networking                                                              ***
#*******************************************************************************
##AddressFamily			any

##UsePrivilegedPort		no
##BindAddress			

##Port				22
##HostName			

##CanonicalizeHostname		no
##CanonicalDomains		
##CanonicalizePermittedCNAMEs	
CanonicalizeMaxDots		0
##CanonicalizeFallbackLocal	yes


TCPKeepAlive	no
##IPQoS		lowdelay throughput


##ProxyCommand		none
##ProxyUseFdpass	no

##UseRoaming		yes


##ConnectTimeout	none
##ConnectionAttempts	1




#*******************************************************************************
#*** Secure Shell (SSH) Protocol                                             ***
#*******************************************************************************
Protocol	2


#Note: This is not set system-widely to a value like “~/.ssh/control-mux/%l_%r@%h:%p” (TODO: plus the “identity symbol” and similar as from #2321) because not every user has a home directory.
#TODO: Once OpenSSH bugs #2311 (https://bugzilla.mindrot.org/show_bug.cgi?id=2311) and #2321 (https://bugzilla.mindrot.org/show_bug.cgi?id=2321) have been solved, consider(!) to either set this to a value like “/tmp/ssh-control-mux_%u@%l_%r@%h:%p” (plus the “identity symbol” and similar as from #2321) or change it to the implicit default value of “none” (since it is then no longer security relevant because of #2311). But take into account, that even further things than just the identity (as in #2321) may change the SSH connection (that would result depending on whether control channel multiplexing is used or not) and therefore it may be desired to keep an explicit value of “none”.
ControlPath	none
##ControlMaster	no
ControlPersist	1s


#Note: In general, compression may be abused as an oracle for side-channel attacks when attackers can inject chosen-plaintexts into the transferred (and encrypted) data (see for example the CRIME attack). Therefore, compression must not be used when such injection (for example via content like URIs or account names within log files, mails or via uploaded files) into SSH-transferred data (from both, the client or the server) might be possible.
Compression		no
##CompressionLevel	6

ServerAliveInterval	15
ServerAliveCountMax	8


GSSAPIKeyExchange	no

HostKeyAlgorithms	ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
#TODO: Consider adding “diffie-hellman-group-exchange-sha256” once OpenSSH bugs #2302 (https://bugzilla.mindrot.org/show_bug.cgi?id=2302) and #2303 (https://bugzilla.mindrot.org/show_bug.cgi?id=2303) have been solved.
KexAlgorithms		curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
##Cipher		3des
#Note: Non-AEAD cipher algorithms (for example “aes256-ctr”, “aes192-ctr” and “aes128-ctr”) must not be allowed when non-EtM MAC algorithms are used.
Ciphers			chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#Note: Non-EtM MAC algorithms should generally not be allowed and must not be allowed when non-AEAD cipher algorithms (for example “aes256-ctr”, “aes192-ctr” and “aes128-ctr”) are used.
MACs			hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

RekeyLimit		default 1h




#*******************************************************************************
#*** Server Authentication                                                   ***
#*******************************************************************************
StrictHostKeyChecking			yes

CheckHostIP				yes
VerifyHostKeyDNS			no
NoHostAuthenticationForLocalhost	no


GlobalKnownHostsFile	/etc/ssh/ssh_known_hosts
UserKnownHostsFile	~/.ssh/known_hosts


##HostKeyAlias	




#*******************************************************************************
#*** Client Authentication Methods                                           ***
#*******************************************************************************
##PasswordAuthentication		yes

##KbdInteractiveAuthentication		yes
##KbdInteractiveDevices			

##ChallengeResponseAuthentication	yes

##RhostsRSAAuthentication		no

##HostbasedAuthentication		no
EnableSSHKeysign			no

##GSSAPIAuthentication			no
GSSAPIDelegateCredentials		no
GSSAPIRenewalForcesRekey		no
GSSAPITrustDns				no
##GSSAPIClientIdentity			
##GSSAPIServerIdentity			

RSAAuthentication			no

##PubkeyAuthentication			yes




#*******************************************************************************
#*** Client Authentication And Authorisation                                 ***
#*******************************************************************************
PreferredAuthentications	gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password


##IdentitiesOnly	no

#Note: Identities are presented to SSH servers in the order as they are specified in the SSH client configuration and followed by identities provided by the SSH authentication agent.
IdentityFile		~/.ssh/id_ed25519
IdentityFile		~/.ssh/id_ecdsa
IdentityFile		~/.ssh/id_rsa
#Note: SSH Version 2 DSA identities are implicitly disabled.
#IdentityFile		~/.ssh/id_dsa
#Note: SSH Version 1 RSA identities are implicitly disabled.
#IdentityFile		~/.ssh/identity
##PKCS11Provider	


##User	




#*******************************************************************************
#*** Session                                                                 ***
#*******************************************************************************
##RequestTTY	auto
ForwardAgent	no
SendEnv		LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME


##EscapeChar		~

PermitLocalCommand	no


##LocalCommand	none




#*******************************************************************************
#*** Forwarding                                                              ***
#*******************************************************************************
StreamLocalBindMask	0177
StreamLocalBindUnlink	no

Tunnel			no
##TunnelDevice		any:any

ForwardX11		no
ForwardX11Trusted	no
ForwardX11Timeout	0s
##XAuthLocation		/usr/bin/xauth


ExitOnForwardFailure	yes
##ClearAllForwardings	no

GatewayPorts		no


##LocalForward		
##RemoteForward		
##DynamicForward	
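The "#Note:" lines on Ciphers and MACs in both attached configs state a rule (no non-AEAD cipher together with a non-EtM MAC; non-EtM MACs generally not allowed). As an added example that is not part of the bug report, the Debian package or OpenSSH, here is a checker that applies that rule to the Ciphers and MACs lines of an sshd_config or ssh_config, run on the patch's proposed lines and on the attached config's lines. It assumes only top-level settings matter (no Match or Host block evaluation), and a value starting with `+` or `-` (a list relative to the compiled-in default) is reported but not resolved.

```python
"""Check OpenSSH Ciphers/MACs lines against the rule from the configs' Notes.

Added example, not part of the bug report, the Debian package or OpenSSH.
Rule checked: a non-AEAD cipher (aes*-ctr, *-cbc, ...) must not be allowed
together with a non-EtM MAC, and non-EtM MACs should generally not be
allowed.  With an AEAD cipher the MACs line is not used, so only the
combination non-AEAD cipher + non-EtM MAC can be negotiated into a session
where the MAC is computed over the plaintext.
Assumptions: only top-level settings are evaluated (no Match/Host blocks);
a value starting with '+' or '-' is reported, not resolved against defaults.
"""
import re

AEAD_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
}


def is_etm_mac(mac):
    """Encrypt-then-MAC variants carry the -etm@openssh.com suffix."""
    return mac.endswith("-etm@openssh.com")


def parse_config(text):
    """Return {keyword_lower: value} for the first occurrence of each keyword.

    OpenSSH uses the first value it sees for a keyword; comments and blank
    lines are skipped.  Match/Host blocks are not evaluated (assumption).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def evaluate(text):
    """Classify the Ciphers and MACs lists; returns a dict of findings."""
    settings = parse_config(text)
    result = {"non_aead": [], "non_etm": [], "violation": False, "notes": []}
    for key in ("ciphers", "macs"):
        value = settings.get(key)
        if value is None:
            result["notes"].append("%s not set: compiled-in default applies, "
                                   "not evaluated" % key)
        elif value and value[0] in "+-":
            result["notes"].append("%s is relative (%s): defaults also apply, "
                                   "not evaluated" % (key, value[0]))
    ciphers = [c for c in settings.get("ciphers", "").lstrip("+-").split(",") if c]
    macs = [m for m in settings.get("macs", "").lstrip("+-").split(",") if m]
    result["non_aead"] = [c for c in ciphers if c not in AEAD_CIPHERS]
    result["non_etm"] = [m for m in macs if not is_etm_mac(m)]
    # Only this combination can actually be negotiated into MAC-over-plaintext.
    result["violation"] = bool(result["non_aead"] and result["non_etm"])
    return result


def report(label, text):
    """Print the findings for one config text; returns True if the rule holds."""
    found = evaluate(text)
    print("== %s" % label)
    for note in found["notes"]:
        print("note: %s" % note)
    if found["non_etm"]:
        print("non-EtM MACs allowed (should generally not be): %s"
              % ",".join(found["non_etm"]))
    if found["violation"]:
        print("RULE VIOLATED: non-AEAD ciphers %s can pair with non-EtM MACs"
              % ",".join(found["non_aead"]))
    return not found["violation"]


# The two Ciphers/MACs proposals from the bug: the patch's and the attached config's.
PATCH_LINES = (
    "Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr\n"
    "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,"
    "hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n"
)
ATTACHED_LINES = (
    "#Note: Non-AEAD cipher algorithms must not be allowed with non-EtM MACs.\n"
    "Ciphers\t\t\tchacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
    "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n"
    "MACs\t\t\thmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com\n"
)

if __name__ == "__main__":
    report("patch proposal", PATCH_LINES)
    report("attached config", ATTACHED_LINES)
```

The patch's lines are flagged (CTR ciphers next to four non-EtM MACs), while the attached config passes: it still allows CTR modes, but every MAC it offers is an EtM variant, so no negotiated combination computes the MAC over the plaintext. To check a deployed file, read it and pass its text to `report`.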
