Limiting attack surface for Debian sshd
Hello,
systemd dependencies that are activated on a Debian system imply a lot
of library injections into sshd, much more than the stock OpenBSD ssh.
To avoid this, there seem to be two approaches:
- remove those dependencies (see below)
- confine the impact of those dependencies, as proposed
by some developers, by having those dependencies confined
(not examined here)
To solve this, I could use a bastion host with a limited, non-Debian
OS, or I could recompile the OpenSSH package on Debian with options
disabled.
Doing the latter, I have many more dependencies (**)
4d3
< libcom_err.so.2
9,18d7
< libgcrypt.so.20
< libgpg-error.so.0
< libgssapi_krb5.so.2
< libk5crypto.so.3
< libkeyutils.so.1
< libkrb5.so.3
< libkrb5support.so.0
< liblz4.so.1
< liblzma.so.5
< libnsl.so.2
22,23d10
< libresolv.so.2
< librt.so.1
25,26d11
< libsystemd.so.0
< libtirpc.so.3
28d12
< libwrap.so.0
30d13
< libzstd.so.1
What do you think about this approach?
Thank you for your comments.
(*) on Debian bullseye:
mkdir /tmp/tt
cd /tmp/tt
# apt-get source needs a deb-src line in sources.list; dpkg-buildpackage
# below needs the package's build dependencies installed
apt-get build-dep openssh
apt-get source openssh
cd openssh-8.4p1/
# drop the Debian patches that belong to the configure options removed below
# openbsd-doc does not apply cleanly after
sed -i '/^systemd-readiness.patch/d;/^restore-tcp-wrappers.patch/d;/^openbsd-docs.patch/d' debian/patches/series
rm debian/patches/{systemd-readiness.patch,restore-tcp-wrappers.patch,openbsd-docs.patch}
patch debian/rules <<'EOF'
schaefer@reliant:/tmp/tt/openssh-8.4p1$ diff -uP debian/rules.ORIG debian/rules
--- debian/rules.ORIG 2025-04-11 19:35:13.568132105 +0200
+++ debian/rules 2025-04-11 19:37:01.355078815 +0200
@@ -73,20 +73,16 @@
confflags_udeb := $(confflags)
# Options specific to the deb build.
-confflags += --with-tcp-wrappers
confflags += --with-pam
confflags += --with-libedit
-confflags += --with-kerberos5=/usr
confflags += --with-ssl-engine
ifeq ($(DEB_HOST_ARCH_OS),linux)
confflags += --with-selinux
confflags += --with-audit=linux
-confflags += --with-systemd
confflags += --with-security-key-builtin
endif
-# The deb build wants xauth; the udeb build doesn't.
-confflags += --with-xauth=/usr/bin/xauth
+confflags += --without-xauth
confflags_udeb += --without-xauth
# Default paths. The udeb build has /usr/games removed.
EOF
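Review bot: the hunk header `@@ -73,20 +73,16 @@` announces 20 old and 16 new lines, but the body as pasted has 17 old (12 context + 5 removed) and 13 new, which suggests the blank lines between the option groups were lost in the mail; patch(1) will then stop with "unexpected end of file in patch" instead of applying it, so restore the blank context lines or regenerate the diff and paste it untouched into the heredoc. With `-confflags += --with-systemd` here and systemd-readiness.patch dropped from the series, also check that the ssh.service unit you ship does not rely on `Type=notify`, since this sshd can no longer signal readiness. The `schaefer@reliant:...$ diff -uP ...` prompt line ahead of the `---` header is harmless, as patch(1) skips leading garbage.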
# -b: avoid source package creation, changelog, etc
dpkg-buildpackage -b -rfakeroot -us -uc
(**) demo:
mkdir /tmp/tt2
cd /tmp/tt2
# unpack the freshly built package without installing it
dpkg-deb -x ../tt/openssh-server_*.deb .
# lines marked '<' are libraries loaded by the installed sshd but not by the rebuilt one
diff <(ldd /usr/sbin/sshd | awk '{print $1;}' | sort) <(ldd usr/sbin/sshd | awk '{print $1;}' | sort)
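The (**) comparison above only lists names that went away. As an added example that is not part of the original post, the script below does the same comparison over ldd(1) output but also reports libraries the rebuilt binary fails to resolve (the failure mode of trimming too much) and, on a Debian host, which package ships each dropped library. The two ldd listings embedded in it are constructed sample data, not output from a real sshd; the paths /usr/sbin/sshd and usr/sbin/sshd in the guarded section are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: compare two ldd(1) listings of
# sshd, report what the rebuilt binary no longer loads, what it cannot resolve,
# and (on Debian) which package owns each dropped library.
# STOCK_LDD, REBUILT_LDD and BROKEN_LDD below are constructed sample data.
export LC_ALL=C   # sort(1) and comm(1) must agree on collation

# ldd prints three line shapes:
#   "libfoo.so.1 => /path/libfoo.so.1 (0x...)"   normal resolution
#   "linux-vdso.so.1 (0x...)"                     vDSO, no file on disk
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"         the loader itself
# plus "libfoo.so.1 => not found" for an unresolved dependency.
# Print the first field (the name) of each, sorted and de-duplicated.
lib_names() {
    awk '/statically linked/ { next } { sub(/^[ \t]+/, ""); print $1 }' | sort -u
}

# Names present in the first listing but absent from the second.
dropped_libs() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" | lib_names > "$tmp"
    printf '%s\n' "$1" | lib_names | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Names the loader could not resolve in a listing.
missing_libs() {
    printf '%s\n' "$1" | awk '/=> not found/ { sub(/^[ \t]+/, ""); print $1 }' | sort -u
}

# Resolved path of one library in a listing; empty if absent or unresolved.
lib_path() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 == "=>" && $3 != "not" { print $3 }'
}

# Constructed sample: a stock-like sshd ...
STOCK_LDD='    linux-vdso.so.1 (0x00007ffc4a5d2000)
    libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f1d2c3a0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1d2c2e0000)
    libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f1d2c200000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1d2bf00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1d2bd20000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1d2c4c0000)'
# ... the rebuilt one without wrappers, systemd and Kerberos ...
REBUILT_LDD='    linux-vdso.so.1 (0x00007ffd1b2c1000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f4a11a00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4a11820000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f4a11d00000)'
# ... and a build whose runtime is missing a library it was linked against.
BROKEN_LDD='    linux-vdso.so.1 (0x00007ffd1b2c1000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f4a11a00000)
    libedit.so.2 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4a11820000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f4a11d00000)'

echo "Dropped by the rebuilt sshd:"
dropped_libs "$STOCK_LDD" "$REBUILT_LDD"
echo "Unresolved in the broken build:"
missing_libs "$BROKEN_LDD"

# Real use, as in the post: the installed sshd against the one unpacked from
# the new .deb into the current directory. Skipped when either binary is absent.
if [ -x /usr/sbin/sshd ] && [ -x usr/sbin/sshd ]; then
    stock=$(ldd /usr/sbin/sshd)
    dropped_libs "$stock" "$(ldd usr/sbin/sshd)" | while read -r name; do
        path=$(lib_path "$stock" "$name")
        # dpkg -S names the package shipping the file (symlinks resolved first)
        if [ -n "$path" ]; then dpkg -S "$(readlink -f "$path")" || true; fi
    done
fi
```

Run it from /tmp/tt2 after the dpkg-deb step for the real comparison; the constructed part prints libkrb5.so.3, libsystemd.so.0 and libwrap.so.0 as dropped and libedit.so.2 as unresolved. Note that ldd only shows link-time dependencies: anything sshd or PAM loads with dlopen(3) at runtime (PAM modules, NSS modules) does not appear here.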