Source: openssh
Severity: critical
Tags: patch security
Justification: root security hole
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The latest batch of Snowden documents[1] indicates that well-resourced
nation-state adversaries can decrypt SSH sessions negotiated with weak
algorithms, at least some of the time. Nearly every Debian system installs
openssh-server, and many deployments rely on openssh in varied environments,
so the Debian defaults should be tightened to close this exposure.
The attached patch updates the openssh-server Debian defaults through the
postinst script, following bettercrypto.org[2], stribika[3] and my own
work [4], by doing the following:
- - restricts sshd to an allow-list of Ciphers, KexAlgorithms and MACs
currently considered secure
- - removes Diffie-Hellman group-exchange moduli smaller than 2048 bits from
/etc/ssh/moduli (and generates 4096-bit moduli if the file is absent)
- - stops generating and configuring host keys of distrusted types: NIST-curve
ECDSA, Protocol 1 (RSA1) and 1024-bit DSA
- - generates 4096-bit RSA host keys by default
(instead of the upstream default 2048)
Regards,
Kacper Wysocki
[1] http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
[2] http://bettercrypto.org/
[3] https://stribika.github.io/2015/01/04/secure-secure-shell.html
[4] http://kacper.blog.redpill-linpro.com/archives/702
- -- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
diff -burd openssh-6.7p1.orig/debian/openssh-server.postinst openssh-6.7p1/debian/openssh-server.postinst
--- openssh-6.7p1.orig/debian/openssh-server.postinst 2014-11-03 21:29:20.000000000 +0100
+++ openssh-6.7p1/debian/openssh-server.postinst 2015-01-07 18:12:15.867093225 +0100
@@ -82,14 +82,12 @@
# defaults depending on the setting of Protocol.
protocol="$(get_config_option Protocol)"
[ "$protocol" ] || protocol=1,2
- if echo "$protocol" | grep 1 >/dev/null; then
- echo /etc/ssh/ssh_host_key
- fi
if echo "$protocol" | grep 2 >/dev/null; then
echo /etc/ssh/ssh_host_rsa_key
- echo /etc/ssh/ssh_host_dsa_key
- echo /etc/ssh/ssh_host_ecdsa_key
echo /etc/ssh/ssh_host_ed25519_key
+ elif echo "$protocol" | grep 1 >/dev/null; then
+ # no choice but fall back to proto 1
+ echo /etc/ssh/ssh_host_key
fi
fi
}
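Review bot: The new `elif` still lists /etc/ssh/ssh_host_key for a configuration whose Protocol value contains no `2`, yet this same patch drops the `create_key … -t rsa1` call from create_keys, so host_keys_required now names a key that the postinst never generates and sshd will most likely refuse to start for that configuration. Either drop the fallback and warn (`echo "Protocol 1 only: no SSH1 host key will be generated; enable Protocol 2" >&2`) or keep rsa1 generation for this branch; the comment `# no choice but fall back to proto 1` reads as a decision the rest of the patch does not honour. Note also that `grep 1`/`grep 2` are substring tests on the whole Protocol value, so the default `1,2` takes the first branch and silently stops listing the v1 key without removing `1` from Protocol; as far as I recall sshd then disables v1 itself when no SSH1 key loads, but the admin gets no notice. host_keys_required begins above the hunk.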
@@ -115,23 +113,34 @@
fi
}
-
create_keys() {
hostkeys="$(host_keys_required)"
- create_key "Creating SSH1 key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
-
create_key "Creating SSH2 RSA key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
- create_key "Creating SSH2 DSA key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
- create_key "Creating SSH2 ECDSA key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
create_key "Creating SSH2 ED25519 key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
}
+filter_keys() {
+ hostkeys="$(host_keys_required)"
+ protocol="$(get_config_option Protocol)"
+ if echo "$protocol" | grep 2 >/dev/null &&
+ echo "$hostkeys" | grep 'HostKey .*ssh_host_rsa_key' >/dev/null 2>&1 ||
+ echo "$hostkeys" | grep 'HostKey .*ssh_host_ed25519_key' >/dev/null 2>&1; then
+ # protocol 1 is known broken, DSA is only 1024bit large, and ECDSA uses the NIST curves,
+ # so remove all of them
+ grep -ev '^ *HostKey .*ssh_host_(ecdsa|dsa)_key.*|^ *HostKey .*ssh_host_key.*' /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ else
+ echo "Warning, you do not have any secure keys enabled in your SSH config" >&2
+ fi
+}
+
+
fix_loglevel_silent() {
if [ "$(get_config_option LogLevel)" = SILENT ]; then
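Review bot: `grep -ev '…' /etc/ssh/sshd_config` in filter_keys does not do what the regex needs: `-e` consumes `v` as its pattern, so the quoted expression and /etc/ssh/sshd_config become file operands, and what lands in sshd_config.dpkg-new (and then replaces sshd_config) is every line containing a `v`, prefixed with the file name because two files were named — this would wreck the server config on upgrade, and the `(ecdsa|dsa)` alternation needs extended syntax anyway, so the call must be `grep -Ev`. The guarding condition cannot be trusted either: host_keys_required emits bare key paths (`echo /etc/ssh/ssh_host_rsa_key` above), not `HostKey …` lines, so the two `grep 'HostKey .*'` tests never match and the function always falls through to the warning, and in sh `A && B || C` parses as `(A && B) || C`, so an ed25519 entry alone would satisfy it regardless of Protocol. If `set -e` is active in this script (not visible here), `grep -Ev` exiting 1 when nothing is selected would also abort the postinst. The hunk ends inside fix_loglevel_silent, which continues below.
```shell
filter_keys() {
    # … unchanged: hostkeys/protocol assignments …
    if echo "$protocol" | grep -q 2 &&
       { echo "$hostkeys" | grep -q 'ssh_host_rsa_key' ||
         echo "$hostkeys" | grep -q 'ssh_host_ed25519_key'; }; then
        # protocol 1 is known broken, DSA is only 1024bit large, and ECDSA uses the NIST curves,
        # so remove all of them
        grep -Ev '^ *HostKey .*ssh_host_(ecdsa|dsa)_key|^ *HostKey .*ssh_host_key' /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
        # … unchanged: chown/chmod --reference and mv into place …
    else
        # … unchanged: warning …
    fi
}
```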
@@ -183,8 +192,6 @@
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
@@ -193,6 +200,11 @@
KeyRegenerationInterval 3600
ServerKeyBits 1024
+# Better Crypto to counter bad state actors
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
# Logging
SyslogFacility AUTH
LogLevel INFO
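Review bot: The comment `# Better Crypto to counter bad state actors` above the three new directives tells an admin nothing about what they cost in interoperability, which is what anyone reading the generated sshd_config will need when a client stops connecting. Clients without curve25519-sha256@libssh.org fall back to diffie-hellman-group-exchange-sha256, whose group sizes depend on what remains in /etc/ssh/moduli, and clients lacking aes-ctr or hmac-sha2 altogether (roughly pre-2011 OpenSSH, some embedded and Java clients) are locked out entirely. Suggest replacing the comment with `# Restrict KEX/cipher/MAC to modern algorithms (bettercrypto.org, stribika). Clients without curve25519 fall back to DH group exchange using /etc/ssh/moduli; clients without aes-ctr or hmac-sha2 cannot connect.`. The surrounding `KeyRegenerationInterval`/`ServerKeyBits` context lines are Protocol 1 settings and are unrelated to these directives.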
@@ -314,6 +326,32 @@
db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
set_config_option PermitRootLogin without-password
fi
+ if dpkg --compare-versions "$2" lt-nl 1:6.7p1-4; then
+ filter_keys
+ # upgrade kexalgorithm, ciphers and macs, but only when unset
+ if [ -z "$(get_config_option KexAlgorithms)" ]; then
+ set_config_option KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ fi
+ if [ -z "$(get_config_option Ciphers)" ]; then
+ set_config_option Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
+ fi
+ if [ -z "$(get_config_option MACs)" ]; then
+ set_config_option MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+ fi
+ # delete small moduli
+ if [ -f /etc/ssh/moduli ]; then
+ awk '{ if ($5 > 2000){ print } }' /etc/ssh/moduli > /etc/ssh/moduli.dpkg-new
+ chown --reference /etc/ssh/moduli /etc/ssh/moduli.dpkg-new
+ chmod --reference /etc/ssh/moduli /etc/ssh/moduli.dpkg-new
+ mv /etc/ssh/moduli.dpkg-new /etc/ssh/moduli
+ else
+ echo "Generating moduli, this will take a long time.."
+ ssh-keygen -G /tmp/moduli -b 4096
+ ssh-keygen -T /etc/ssh/moduli -f /tmp/moduli
+ rm /tmp/moduli
+ fi
+
+ fi
fi
#DEBHELPER#
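Review bot: `ssh-keygen -G /tmp/moduli -b 4096` writes to a fixed path in a world-writable directory while running as root, so a local user who pre-creates `/tmp/moduli` (or a symlink there) can redirect the root write or substitute their own candidate primes, which the following `-T` step then screens straight into /etc/ssh/moduli; use `mktemp` and remove the file on every exit path. Generating and screening 4096-bit candidates also takes hours on ordinary hardware and runs inside dpkg's configure step, so installs and upgrades will appear to hang — shipping a moduli file in the package, or at least documenting the wait, seems preferable to generating at postinst time. The `awk '$5 > 2000'` filter deserves a comment such as `# field 5 is the modulus size as recorded by ssh-keygen (e.g. 2047); keep only the 2048-bit and larger groups`, since the threshold looks arbitrary without it. The enclosing configure branch starts above the hunk.
```shell
# … unchanged: version gate, filter_keys, Kex/Ciphers/MACs defaults, awk filter on an existing moduli file …
else
    echo "Generating moduli, this will take a long time.." >&2
    moduli_tmp="$(mktemp)"
    trap 'rm -f -- "$moduli_tmp"' EXIT
    ssh-keygen -G "$moduli_tmp" -b 4096
    ssh-keygen -T /etc/ssh/moduli -f "$moduli_tmp"
    rm -f -- "$moduli_tmp"
fi
```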