[enh] Improve SSHd config / ciphers #436
Conversation
Recommendation from this link: https://stribika.github.io/2015/01/04/secure-secure-shell.html Use this tool to test: https://github.com/arthepsy/ssh-audit
data/templates/ssh/sshd_config
Outdated
@@ -9,13 +9,20 @@ ListenAddress 0.0.0.0 | |||
Protocol 2 | |||
# HostKeys for protocol version 2 | |||
HostKey /etc/ssh/ssh_host_rsa_key | |||
HostKey /etc/ssh/ssh_host_dsa_key | |||
HostKey /etc/ssh/ssh_host_ed25519_key | |||
#HostKey /etc/ssh/ssh_host_dsa_key |
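Review bot: commenting out the DSA HostKey line changes the set of host keys this server offers, so a client whose known_hosts entry for this host is the DSA key will get a host-key-mismatch warning on its next connection (clients that recorded the RSA key are unaffected, since that line stays). The added `HostKey /etc/ssh/ssh_host_ed25519_key` line also assumes that file exists on already-installed systems; where it does not, sshd logs an error for that line at startup and carries on with the remaining keys, so the template change should be paired with generating the ed25519 key on upgrade.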
Isn't this modification going to trigger a warning like "the key of this server has changed"?
+1 ... we really need to test this carefully
Could break some people using external automated tools to connect to their server (borg, nagios?, maybe personal cron).
It was a bad idea to comment these lines. It's true, sorry 👍. This will generate a warning for an existing configuration.
Thanks for this PR ❤️
Those are probably good improvements, but this is a really touchy topic. I expect that, for the majority of instances, SSH is the only way to "really" access the server and be able to edit files. So if somehow the configuration is messed up or clients have incompatibilities with this, users might get locked out (though they might still have access to the webadmin but that's no help here). So we really need some extensive testing on this 😕 ...
Also we should really consider taking care of https://dev.yunohost.org/issues/1110, otherwise updating this file will only affect people who installed from the x86 ISO ...
# Algorimthm limitation | ||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | ||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | ||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
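Review bot: the comment on the first line of this hunk has a typo ("Algorimthm") and, as asked elsewhere in this review, should name where the three lists come from (the stribika secure-secure-shell post linked in the description) so a future maintainer knows what to check them against. Pinning `KexAlgorithms`, `Ciphers` and `MACs` explicitly also means this template, not the openssh-server package, now decides which algorithms are offered, so the lists must be revisited on every Debian upgrade; if nobody will own that, leaving them at the distribution default is the safer choice.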
Please add a comment to specify the recommendation where those are coming from
I suggest putting nothing, to follow the ciphers from the Debian / openssh-server default conf; we can't be sure we will think to update this cipher list.
#Privilege Separation is turned on for security | ||
UsePrivilegeSeparation yes | ||
|
||
# Lifetime and size of ephemeral version 1 server key | ||
KeyRegenerationInterval 3600 | ||
ServerKeyBits 768 | ||
ServerKeyBits 1024 |
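Review bot: `KeyRegenerationInterval` and `ServerKeyBits` only apply to the protocol-1 ephemeral server key, as the comment above them says, and this file sets `Protocol 2`, so raising `ServerKeyBits` from 768 to 1024 changes nothing at runtime. Rather than bumping the value, drop both lines so the template does not suggest they are in effect; that also settles the question of whether this triggers a key regeneration (it does not).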
Is this going to trigger a key regeneration?
In Protocol 2 this instruction is ignored
data/templates/ssh/sshd_config
Outdated
@@ -9,13 +9,20 @@ ListenAddress 0.0.0.0 | |||
Protocol 2 | |||
# HostKeys for protocol version 2 | |||
HostKey /etc/ssh/ssh_host_rsa_key | |||
HostKey /etc/ssh/ssh_host_dsa_key | |||
HostKey /etc/ssh/ssh_host_ed25519_key | |||
#HostKey /etc/ssh/ssh_host_dsa_key |
+1 ... we really need to test this carefully
Everything is OK for me. For the documentation/source of the ciphers and the conf, it's surely here: https://cipherli.st/
Thanks for the PR.
For info: "The option ServerKeyBits specifies how many bits to use in the server key. These bits are used when the daemon starts to generate its RSA key."
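The lockout and "ignored under Protocol 2" concerns raised in this thread can be caught before the template is shipped. The following added example (mine, not YunoHost's or OpenSSH's tooling) lints an sshd_config template for exactly the points reviewed here: protocol-1-only directives under `Protocol 2`, `HostKey` files that do not exist, the redundant default `AuthorizedKeysFile`, and pinned algorithm lists whose comment cites no source. The `key_exists` parameter and the `SAMPLE` template are constructed for the example.

```python
import os

# Added example (not YunoHost's or OpenSSH's tooling): lint an sshd_config template for the points raised in this review.
PROTO1_ONLY = {"keyregenerationinterval", "serverkeybits", "rsaauthentication"}  # ignored under Protocol 2
ALGO_LINES = {"kexalgorithms", "ciphers", "macs"}  # explicit lists that should cite their source

def parse(text):
    """Yield (keyword, value, comment) per directive; a comment block covers every directive below it until a blank line."""
    comment = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            comment = ""
        elif line.startswith("#"):
            comment += line + "\n"
        else:
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else ""), comment

def lint(text, key_exists=os.path.isfile):
    """Return the list of findings; key_exists is injectable so the check runs without the real key files."""
    directives = list(parse(text))
    protocol = next((v for k, v, _ in directives if k == "protocol"), "2")
    findings = []
    for key, value, comment in directives:
        if key in PROTO1_ONLY and protocol == "2":
            findings.append(f"{key}: protocol-1-only directive, ignored under Protocol 2")
        elif key == "hostkey" and not key_exists(value):
            findings.append(f"hostkey: {value} is missing, sshd will skip this key")
        elif key == "authorizedkeysfile" and value == "%h/.ssh/authorized_keys":
            findings.append("authorizedkeysfile: this is the default, the line is redundant")
        elif key in ALGO_LINES and "http" not in comment:
            findings.append(f"{key}: pinned algorithm list without a source URL in its comment")
    return findings

# Constructed template built from the lines under review in this PR.
SAMPLE = """\
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Algorithm limitation
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
AuthorizedKeysFile %h/.ssh/authorized_keys
"""
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, key_exists=lambda path: path.endswith("rsa_key"))))
```

Run it against the real template with `lint(open(path).read())` on a test machine; an empty list, followed by `sshd -t -f <path>`, is the pre-flight check the reviewers asked for.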
@@ -28,7 +35,7 @@ StrictModes yes | |||
|
|||
RSAAuthentication yes | |||
PubkeyAuthentication yes | |||
#AuthorizedKeysFile %h/.ssh/authorized_keys | |||
AuthorizedKeysFile %h/.ssh/authorized_keys |
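Review bot: uncommenting `AuthorizedKeysFile %h/.ssh/authorized_keys` restates the compiled-in default, so this change has no effect and can be reverted to keep the diff minimal; note that on OpenSSH releases whose default also consults `.ssh/authorized_keys2`, making it explicit narrows the lookup to the single file. The `RSAAuthentication yes` context line above it is likewise a protocol-1 option that does nothing under `Protocol 2` and could go in the same cleanup.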
%h/.ssh/authorized_keys is the default value, so this line is not needed
@@ -9,13 +9,20 @@ ListenAddress 0.0.0.0 | |||
Protocol 2 | |||
# HostKeys for protocol version 2 | |||
HostKey /etc/ssh/ssh_host_rsa_key | |||
HostKey /etc/ssh/ssh_host_ed25519_key |
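Review bot: this version removes the DSA HostKey line outright instead of commenting it out, which is the cleaner end state but keeps the compatibility concern raised above: any client that stored this server's DSA key in known_hosts will now see a changed-host-key warning, and automated clients (backup or monitoring jobs connecting over SSH) will fail rather than prompt. Keeping the RSA key covers most clients; the upgrade notes should mention the removal so affected users know why the warning appears.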
OK
The problem
...
Solution
...
PR Status
...
How to test
...
Validation