Merge "openssh-server: harden sshd config"

This commit is contained in:
Zuul 2019-05-07 19:35:41 +00:00 committed by Gerrit Code Review
commit 4665e79245
3 changed files with 41 additions and 0 deletions


@ -3,6 +3,10 @@ openssh-server
============== ==============
This element ensures that openssh server is installed and enabled during boot. This element ensures that openssh server is installed and enabled during boot.
To disable hardening of sshd configuration, you have to set
``DIB_OPENSSH_SERVER_HARDENING`` to 0. This option will configure KexAlgorithms,
Ciphers and MAC following good pratices on
https://infosec.mozilla.org/guidelines/openssh
Note Note
---- ----


@ -0,0 +1,30 @@
#!/bin/bash
if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
if [ ${DIB_OPENSSH_SERVER_HARDENING:-1} -eq 1 ]; then
macs="MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
ciphers="Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
kexalgorithms="KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
if ! grep -qE "^MACs" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $macs" /etc/ssh/sshd_config
elif ! grep -qE "$macs" /etc/ssh/sshd_config; then
sed -i "s/^MACs.*/$macs/" /etc/ssh/sshd_config
fi
if ! grep -qE "^Ciphers" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $ciphers" /etc/ssh/sshd_config
elif ! grep -qE "$ciphers" /etc/ssh/sshd_config; then
sed -i "s/^Ciphers.*/$ciphers/" /etc/ssh/sshd_config
fi
if ! grep -qE "^KexAlgorithms" /etc/ssh/sshd_config; then
sed -i "/# Ciphers and keying/a $kexalgorithms" /etc/ssh/sshd_config
elif ! grep -qE "$kexalgorithms" /etc/ssh/sshd_config; then
sed -i "s/^KexAlgorithms.*/$kexalgorithms/" /etc/ssh/sshd_config
fi
fi
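Review bot: The insertion path at the three `sed -i "/# Ciphers and keying/a ..."` lines (34, 39, 44) depends on that exact comment existing in /etc/ssh/sshd_config; on a distribution or base image whose default config lacks it the `a` command matches nothing, sed still exits 0, and the hardening is silently skipped while the element reports success. A follow-up check per directive would make that visible, e.g. `grep -q '^MACs ' /etc/ssh/sshd_config || sed -i "1i $macs" /etc/ssh/sshd_config` (and likewise for `$ciphers` and `$kexalgorithms`); inserting at line 1 rather than appending keeps the directives out of any trailing `Match` block, where sshd does not accept them, and ahead of any `Include` so the first-obtained value is ours. Relatedly, the unanchored `grep -qE "$macs"` at line 35 (and its siblings at 40 and 45) also matches a commented-out `#MACs ...` line carrying the same list, in which case the live `MACs` line with a weaker value is left untouched; `grep -qxF -- "$macs"` compares the whole line literally. Finally, nothing validates the edited file, so a run of `sshd -t` at the end (assuming host keys are available at this stage of the build — worth confirming) would fail the image build instead of producing an image whose sshd refuses to start because the installed OpenSSH does not know one of the algorithm names.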


@ -0,0 +1,7 @@
---
security:
- a new post-install script was added in openssh-server element to ensure
KexAlgorithms, Ciphers and MACs for sshd_config will be configured following
good pratices on https://infosec.mozilla.org/guidelines/openssh. This option
is activated by default, users can set DIB_OPENSSH_SERVER_HARDENING to 0 to
disable this sshd configuration