[enh] Improve SSHd config / ciphers #436
Conversation
Recomendation from this link: https://stribika.github.io/2015/01/04/secure-secure-shell.html Use this tool for test: https://github.com/arthepsy/ssh-audit
data/templates/ssh/sshd_config
Outdated
| @@ -9,13 +9,20 @@ ListenAddress 0.0.0.0 | |||
| Protocol 2 | |||
| # HostKeys for protocol version 2 | |||
| HostKey /etc/ssh/ssh_host_rsa_key | |||
| HostKey /etc/ssh/ssh_host_dsa_key | |||
| HostKey /etc/ssh/ssh_host_ed25519_key | |||
| #HostKey /etc/ssh/ssh_host_dsa_key | |||
There was a problem hiding this comment.
isn't this modification going to trigger a warning like "the key of this server has changed"?
There was a problem hiding this comment.
+1 ... we really need to test this carefully
There was a problem hiding this comment.
Could break some people using external automated tools to connect to their server (borg, nagios?, may be personnal cron)
There was a problem hiding this comment.
It was a bad idea to comments this lines. It's true sorry 👍 . This will generate a warning for an existing configuration.
|
Thanks for this PR ❤️ |
There was a problem hiding this comment.
Those are probably good improvements, but this is a really touchy topic. I expect that, for the majority of instances, SSH is the only way to "really" access the server and be able to edit files. So if somehow the configuration is messed up or clients have incompatibilities with this, users might get locked out (though they might still have access to the webadmin but that's no help here). So we really need some extensive testing on this 😕 ...
Also we should really consider taking care of https://dev.yunohost.org/issues/1110 , otherwise updating this file will only affect people who installed from the x86 ISO ...
| # Algorimthm limitation | ||
| KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | ||
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | ||
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
There was a problem hiding this comment.
Please add a comment to specify the recommendation where those are coming from
There was a problem hiding this comment.
I suggest to put nothing to follow ciphers from debian / Openssh-server default conf, we can't be sure we will think to update this ciphers list
| #Privilege Separation is turned on for security | ||
| UsePrivilegeSeparation yes | ||
|
|
||
| # Lifetime and size of ephemeral version 1 server key | ||
| KeyRegenerationInterval 3600 | ||
| ServerKeyBits 768 | ||
| ServerKeyBits 1024 |
There was a problem hiding this comment.
Is this going to trigger a key regeneration ?
There was a problem hiding this comment.
In Protocol 2 this instruction is ignored
data/templates/ssh/sshd_config
Outdated
| @@ -9,13 +9,20 @@ ListenAddress 0.0.0.0 | |||
| Protocol 2 | |||
| # HostKeys for protocol version 2 | |||
| HostKey /etc/ssh/ssh_host_rsa_key | |||
| HostKey /etc/ssh/ssh_host_dsa_key | |||
| HostKey /etc/ssh/ssh_host_ed25519_key | |||
| #HostKey /etc/ssh/ssh_host_dsa_key | |||
There was a problem hiding this comment.
+1 ... we really need to test this carefully
There was a problem hiding this comment.
Everything is ok for me. For the documentation/source of the cyphers and the conf, it's surely here : https://cipherli.st/
Thanks for the PR.
|
For info : "The option ServerKeyBits specifies how many bits to use in the server key. These bits are used when the daemon starts to generate its RSA key." |
| @@ -28,7 +35,7 @@ StrictModes yes | |||
|
|
|||
| RSAAuthentication yes | |||
| PubkeyAuthentication yes | |||
| #AuthorizedKeysFile %h/.ssh/authorized_keys | |||
| AuthorizedKeysFile %h/.ssh/authorized_keys | |||
There was a problem hiding this comment.
%h/.ssh/authorized_keys is the default value, so this line is not needed
| @@ -9,13 +9,20 @@ ListenAddress 0.0.0.0 | |||
| Protocol 2 | |||
| # HostKeys for protocol version 2 | |||
| HostKey /etc/ssh/ssh_host_rsa_key | |||
| HostKey /etc/ssh/ssh_host_ed25519_key | |||
Recomendation from this link:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Use this tool for test:
https://github.com/arthepsy/ssh-audit
The problem
...
Solution
...
PR Status
...
How to test
...
Validation