openssh-server: harden sshd config
Harden sshd configuration by adding KexAlgorithms, Ciphers and MACs for sshd, following good practices on https://infosec.mozilla.org/guidelines/openssh

Change-Id: I3051320d867a5033e82deef10c5e723ca9829884
Co-Authored-By: Nicolas Hicher <nhicher@redhat.com>
parent: b9e322f2d3
commit: 11ec95b779
@ -3,6 +3,10 @@ openssh-server
==============
==============
This element ensures that openssh server is installed and enabled during boot.
This element ensures that openssh server is installed and enabled during boot.
To disable hardening of sshd configuration, you have to set
``DIB_OPENSSH_SERVER_HARDENING`` to 0. This option will configure KexAlgorithms,
Ciphers and MAC following good pratices on
https://infosec.mozilla.org/guidelines/openssh
Note
Note
----
----
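Review bot: the two README sentences read backwards and carry a typo: the paragraph opens with how to disable hardening and then says "This option will configure KexAlgorithms, Ciphers and MAC", which makes it sound as if setting the variable to 0 is what does the configuring, and "MAC" does not match the sshd_config keyword. Suggest leading with the default behaviour and spelling the keyword as sshd does, e.g. "By default this element hardens the sshd configuration by setting KexAlgorithms, Ciphers and MACs following the recommendations on https://infosec.mozilla.org/guidelines/openssh. Set ``DIB_OPENSSH_SERVER_HARDENING`` to 0 to disable this." Also "pratices" should be "practices", and it is worth stating that any existing MACs, Ciphers or KexAlgorithms line in the image's sshd_config is replaced, since that is what the post-install script in this change does.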
@ -0,0 +1,30 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
if [ ${DIB_OPENSSH_SERVER_HARDENING:-1} -eq 1 ]; then
macs="MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
ciphers="Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
kexalgorithms="KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
if ! grep -qE "^MACs" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $macs" /etc/ssh/sshd_config
elif ! grep -qE "$macs" /etc/ssh/sshd_config; then
sed -i "s/^MACs.*/$macs/" /etc/ssh/sshd_config
fi
if ! grep -qE "^Ciphers" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $ciphers" /etc/ssh/sshd_config
elif ! grep -qE "$ciphers" /etc/ssh/sshd_config; then
sed -i "s/^Ciphers.*/$ciphers/" /etc/ssh/sshd_config
fi
if ! grep -qE "^KexAlgorithms" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $kexalgorithms" /etc/ssh/sshd_config
elif ! grep -qE "$kexalgorithms" /etc/ssh/sshd_config; then
sed -i "s/^KexAlgorithms.*/$kexalgorithms/" /etc/ssh/sshd_config
fi
fi
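Review bot: the insert path silently does nothing when the distro's sshd_config has no "# Ciphers and keying" comment line: `sed -i "/# Ciphers and keying/a $macs"` (and the identical Ciphers and KexAlgorithms branches) exits 0 whether or not the address matched, so `set -e` cannot catch it and the image builds successfully with no hardening applied. Appending unconditionally, e.g. `echo "$macs" >> /etc/ssh/sshd_config` or `sed -i '$a ...'`, removes the dependency on that comment, and a final check such as `grep -q '^MACs' /etc/ssh/sshd_config` or `sshd -t` would turn a silent miss (or an algorithm name the image's OpenSSH does not know, which would otherwise leave an sshd that refuses to start) into a build failure. Two smaller points on the checks: sshd_config keywords are case-insensitive and may be indented, so `grep -qE "^MACs"` misses `macs ...` or an indented directive and `grep -qiE '^[[:space:]]*MACs'` is the safer test; and `grep -qE "$macs"` treats the algorithm list as a regex (the dots in `openssh.com` match any character) and matches a commented-out `#MACs ...` line anywhere in the file, so the idempotency test in the `elif` should be a fixed-string whole-line match such as `grep -qxF "$macs"`. Style: the three blocks differ only in keyword and value and could be one function called three times.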
@ -0,0 +1,7 @@
---
security:
- a new post-install script was added in openssh-server element to ensure
KexAlgorithms, Ciphers and MACs for sshd_config will be configured following
good pratices on https://infosec.mozilla.org/guidelines/openssh. This option
is activated by default, users can set DIB_OPENSSH_SERVER_HARDENING to 0 to
disable this sshd configuration
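Review bot: "pratices" should be "practices", the note lacks a closing period, and "disable this sshd configuration" does not say what is disabled; suggest "users can set DIB_OPENSSH_SERVER_HARDENING to 0 to disable the hardening." Since the script replaces an existing MACs, Ciphers or KexAlgorithms directive in the base image's sshd_config, the release note should also say so, as that is the behaviour change an operator upgrading needs to know about.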