openssh-server: harden sshd config

Harden sshd configuration by adding KexAlgorithms, Ciphers and MACs for sshd,
following good practices on https://infosec.mozilla.org/guidelines/openssh

Change-Id: I3051320d867a5033e82deef10c5e723ca9829884
Co-Authored-By: Nicolas Hicher <nhicher@redhat.com>
Tristan Cacqueray 2019-04-19 00:57:10 +00:00 committed by Nicolas Hicher
parent b9e322f2d3
commit 11ec95b779
3 changed files with 41 additions and 0 deletions


@ -3,6 +3,10 @@ openssh-server
============== ==============
This element ensures that openssh server is installed and enabled during boot. This element ensures that openssh server is installed and enabled during boot.
To disable hardening of sshd configuration, you have to set
``DIB_OPENSSH_SERVER_HARDENING`` to 0. This option will configure KexAlgorithms,
Ciphers and MAC following good pratices on
https://infosec.mozilla.org/guidelines/openssh
Note Note
---- ----
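Review bot: "pratices" in the README text should be "practices", and the sentence "This option will configure KexAlgorithms, Ciphers and MAC ..." reads as if setting ``DIB_OPENSSH_SERVER_HARDENING`` to 0 performs the configuration, when it disables it. Suggested wording: "Hardening of the sshd configuration is enabled by default and sets KexAlgorithms, Ciphers and MACs following https://infosec.mozilla.org/guidelines/openssh; set ``DIB_OPENSSH_SERVER_HARDENING`` to 0 to disable it."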


@ -0,0 +1,30 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
if [ ${DIB_OPENSSH_SERVER_HARDENING:-1} -eq 1 ]; then
macs="MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
ciphers="Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
kexalgorithms="KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
if ! grep -qE "^MACs" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $macs" /etc/ssh/sshd_config
elif ! grep -qE "$macs" /etc/ssh/sshd_config; then
sed -i "s/^MACs.*/$macs/" /etc/ssh/sshd_config
fi
if ! grep -qE "^Ciphers" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $ciphers" /etc/ssh/sshd_config
elif ! grep -qE "$ciphers" /etc/ssh/sshd_config; then
sed -i "s/^Ciphers.*/$ciphers/" /etc/ssh/sshd_config
fi
if ! grep -qE "^KexAlgorithms" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $kexalgorithms" /etc/ssh/sshd_config
elif ! grep -qE "$kexalgorithms" /etc/ssh/sshd_config; then
sed -i "s/^KexAlgorithms.*/$kexalgorithms/" /etc/ssh/sshd_config
fi
fi
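Review bot: the insert path depends on the literal comment `# Ciphers and keying` existing in /etc/ssh/sshd_config; on an image whose stock sshd_config lacks that comment, `sed -i "/# Ciphers and keying/a $macs"` matches nothing, appends nothing, the script still exits 0 under `set -e`, and the image ships with default ciphers while the release note says it was hardened. Suggest falling back to appending at end of file when the marker is absent, or checking the result before exiting, e.g. `grep -q '^MACs ' /etc/ssh/sshd_config || exit 1` (and likewise for `^Ciphers ` and `^KexAlgorithms `), and finishing with `sshd -t` so a bad directive is caught at build time rather than when sshd fails to start on first boot. Two smaller points: `grep -qE "$macs"` uses the directive text as an unanchored extended regex (the `.` in each name matches any character), so `grep -qxF "$macs"` is the exact-line comparison this branch intends; and `${DIB_DEBUG_TRACE:-1}` enables `set -x` whenever the variable is unset, so tracing is on by default, which is probably not intended.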


@ -0,0 +1,7 @@
---
security:
- a new post-install script was added in openssh-server element to ensure
KexAlgorithms, Ciphers and MACs for sshd_config will be configured following
good pratices on https://infosec.mozilla.org/guidelines/openssh. This option
is activated by default, users can set DIB_OPENSSH_SERVER_HARDENING to 0 to
disable this sshd configuration
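Review bot: "pratices" should be "practices", and the note ends without a period. Since the directives are inserted relative to the `# Ciphers and keying` comment in the distribution's sshd_config, it would also be worth stating in the release note that the hardening is only applied when that comment is present, so users of images with a different stock sshd_config know to verify the result.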