From 11ec95b77969bcc29a5e305ec18ee0ce87ab3cb8 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Fri, 19 Apr 2019 00:57:10 +0000
Subject: [PATCH] openssh-server: harden sshd config
Harden sshd configuration by adding KexAlgorithms, Ciphers and MACs for sshd, following good pratices on https://infosec.mozilla.org/guidelines/openssh
Change-Id: I3051320d867a5033e82deef10c5e723ca9829884
Co-Authored-By: Nicolas Hicher
---
 .../elements/openssh-server/README.rst | 4 +++
 .../post-install.d/99-harden-sshd-config | 30 +++++++++++++++++++
 .../harden-sshd-config-3f84556136014f95.yaml | 7 +++++
 3 files changed, 41 insertions(+)
 create mode 100755 diskimage_builder/elements/openssh-server/post-install.d/99-harden-sshd-config
 create mode 100644 releasenotes/notes/harden-sshd-config-3f84556136014f95.yaml
diff --git a/diskimage_builder/elements/openssh-server/README.rst b/diskimage_builder/elements/openssh-server/README.rst
index 7190deab..45192152 100644
--- a/diskimage_builder/elements/openssh-server/README.rst
+++ b/diskimage_builder/elements/openssh-server/README.rst
@@ -3,6 +3,10 @@ openssh-server
 ==============
 This element ensures that openssh server is installed and enabled during boot.
+To disable hardening of sshd configuration, you have to set
+``DIB_OPENSSH_SERVER_HARDENING`` to 0. This option will configure KexAlgorithms,
+Ciphers and MAC following good pratices on
+https://infosec.mozilla.org/guidelines/openssh
 Note
 ----
diff --git a/diskimage_builder/elements/openssh-server/post-install.d/99-harden-sshd-config b/diskimage_builder/elements/openssh-server/post-install.d/99-harden-sshd-config
new file mode 100755
index 00000000..ddb541ca
--- /dev/null
+++ b/diskimage_builder/elements/openssh-server/post-install.d/99-harden-sshd-config
@@ -0,0 +1,30 @@
+#!/bin/bash
+if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+if [ ${DIB_OPENSSH_SERVER_HARDENING:-1} -eq 1 ]; then
+ macs="MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
+ ciphers="Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+ kexalgorithms="KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+
+ if ! grep -qE "^MACs" /etc/ssh/sshd_config; then
+ sed -i "/# Ciphers and keying/a $macs" /etc/ssh/sshd_config
+ elif ! grep -qE "$macs" /etc/ssh/sshd_config; then
+ sed -i "s/^MACs.*/$macs/" /etc/ssh/sshd_config
+ fi
+
+ if ! grep -qE "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "/# Ciphers and keying/a $ciphers" /etc/ssh/sshd_config
+ elif ! grep -qE "$ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/$ciphers/" /etc/ssh/sshd_config
+ fi
+
+ if ! grep -qE "^KexAlgorithms" /etc/ssh/sshd_config; then
+ sed -i "/# Ciphers and keying/a $kexalgorithms" /etc/ssh/sshd_config
+ elif ! grep -qE "$kexalgorithms" /etc/ssh/sshd_config; then
+ sed -i "s/^KexAlgorithms.*/$kexalgorithms/" /etc/ssh/sshd_config
+ fi
+fi
diff --git a/releasenotes/notes/harden-sshd-config-3f84556136014f95.yaml b/releasenotes/notes/harden-sshd-config-3f84556136014f95.yaml
new file mode 100644
index 00000000..03edf3ee
--- /dev/null
+++ b/releasenotes/notes/harden-sshd-config-3f84556136014f95.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - a new post-install script was added in openssh-server element to ensure
+ KexAlgorithms, Ciphers and MACs for sshd_config will be configured following
+ good pratices on https://infosec.mozilla.org/guidelines/openssh. This option
+ is activated by default, users can set DIB_OPENSSH_SERVER_HARDENING to 0 to
+ disable this sshd configuration
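Review bot: The `sed -i "/# Ciphers and keying/a $macs"` insertion, and the matching Ciphers and KexAlgorithms ones in the same hunk, depend on the distro's sshd_config containing that exact comment line; when it is absent sed's `a` command matches no address, the file is left untouched and the script still exits 0, so the image ships unhardened while the release note states the directives are enforced. Because sshd honours the first occurrence of a directive and none of these three is accepted inside a Match block, inserting at line 1 when the directive is missing is position-independent and needs no anchor, and a closing `grep -qF` per directive turns a silent miss into a build failure under `set -eu`. The `grep -qE "$macs"` presence checks should likewise be `grep -qF -- "$macs"`, since the dots in the algorithm names are regex metacharacters. Running `sshd -t` at the end, where the chroot has host keys available, would additionally catch an OpenSSH build that rejects one of the listed algorithms and would otherwise refuse to start. A helper along these lines can replace the three if/elif blocks:
```shell
# … unchanged: shebang, trace toggle, set -eu / pipefail, macs/ciphers/kexalgorithms …
set_sshd_directive() {
    # $1: directive name, $2: the full "Directive value" line to enforce
    if grep -q "^$1" /etc/ssh/sshd_config; then
        sed -i "s/^$1.*/$2/" /etc/ssh/sshd_config
    else
        # sshd uses the first value it sees; line 1 can never be inside a Match block
        sed -i "1i $2" /etc/ssh/sshd_config
    fi
    # fail the build instead of silently shipping an unhardened sshd_config
    grep -qF -- "$2" /etc/ssh/sshd_config
}
set_sshd_directive MACs "$macs"
set_sshd_directive Ciphers "$ciphers"
set_sshd_directive KexAlgorithms "$kexalgorithms"
```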