
Update ssh for more hardening #7

Merged
merged 3 commits into from Sep 7, 2017

2 participants

@jpluimers (Contributor) commented Aug 17, 2017

I've applied some more sshd_config hardening from these sources:

One of the things it does is remove any leading comment # on those lines (I needed this because SuSE has most settings behind comment hashes).

Update ssh for more hardening
I've applied some more `sshd_config` hardening from these sources:

- http://people.redhat.com/swells/mea/SECSCAN-FirstRun/sshd_config.htm
- http://wp.kjro.se/2013/09/06/hardening-your-ssh-server-opensshd_config
- http://kacper.blog.redpill-linpro.com/archives/702
- https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

One of the things it does is remove any leading comment `#` on those lines (I needed this because SuSE has most settings behind comment hashes).
Review comment on modules/ssh (outdated revision):

```sh
-e 's/#\?ChallengeResponseAuthentication *\(yes\|no\).*/ChallengeResponseAuthentication yes/' \
-e 's/#\?KerberosAuthentication *\(yes\|no\).*/KerberosAuthentication no/' \
-e 's/#\?GSSAPIAuthentication *\(yes\|no\).*/GSSAPIAuthentication no/' \
-e 's/#\?GatewayPorts *\(yes\|no\).*/GatewayPorts no/' \
```

@comotion (Owner) commented Sep 4, 2017

Most of the improvements are sane, but sometimes X11 forwarding and gateway ports are used, so setting this as a global policy will get in the way.

@jpluimers (Author, Contributor) commented Sep 5, 2017

So if I amend this merge request with a commit that:

  1. comments out the lines with GatewayPorts and X11Forwarding,
  2. adds a descriptive comment explaining why,

the merge request is OK for you?

@comotion (Owner) commented Sep 6, 2017

yes, I like the rest.

@jpluimers (Author, Contributor) commented Sep 7, 2017

Done. See the new commit.

jpluimers added some commits Sep 7, 2017

No auto-disable of GatewayPorts and X11Forwarding
Do not automatically disable `GatewayPorts` and `X11Forwarding` as sometimes they are used.

Added them as a commented `sed` call so users can uncomment when they don't use `GatewayPorts` and `X11Forwarding`.

Left too much of the review comment
Forgot to remove the review comment. Now it's gone.
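The rewrite-and-verify approach discussed above, as an added illustration that is not code from the PR or from the comotion repository. It assumes a sed that accepts `-E` (GNU or BSD), uses a constructed SuSE-style `sshd_config` fragment as input, and keeps the `GatewayPorts`/`X11Forwarding` lines commented out as the merged version does; unlike the PR's sed it anchors each pattern with `^`, so a directive name mentioned inside a prose comment is not rewritten.

```shell
#!/bin/sh
# Constructed sshd_config fragment in the SuSE style the PR describes:
# directives present but behind a leading "#" (sample input, not a real file).
SAMPLE_CONFIG='Port 22
# Note: prose mentioning KerberosAuthentication yes is not a directive
#ChallengeResponseAuthentication yes
#KerberosAuthentication yes
#GSSAPIAuthentication no
#GatewayPorts no
#X11Forwarding yes'

# harden_sshd_config: filter an sshd_config from stdin to stdout.
# Same idea as the PR's sed: strip an optional leading "#" and force the value.
# Differences from the PR: ERE (-E) instead of GNU "\?" / "\|", and each
# pattern is anchored with "^" so a name inside a comment is left alone.
# GatewayPorts and X11Forwarding stay commented out, as in the merged version.
harden_sshd_config() {
    sed -E \
        -e 's/^#?ChallengeResponseAuthentication +(yes|no).*/ChallengeResponseAuthentication yes/' \
        -e 's/^#?KerberosAuthentication +(yes|no).*/KerberosAuthentication no/' \
        -e 's/^#?GSSAPIAuthentication +(yes|no).*/GSSAPIAuthentication no/'
    # Uncomment on hosts that never use these (hypothetical local policy):
    # -e 's/^#?GatewayPorts +(yes|no).*/GatewayPorts no/'
    # -e 's/^#?X11Forwarding +(yes|no).*/X11Forwarding no/'
}

# effective_setting CONFIG_TEXT DIRECTIVE: print the value sshd would use.
# sshd takes the first uncommented occurrence of a keyword; a line that is
# still commented out does not count, so "unset" means the default applies.
effective_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key && !found { val = $2; found = 1 }
        END { print (found ? val : "unset") }'
}

# hardened_config: the sample after hardening, for inspection or checks.
hardened_config() {
    printf '%s\n' "$SAMPLE_CONFIG" | harden_sshd_config
}

# Example run: print the hardened config and the resulting effective values.
hardened_config
for d in ChallengeResponseAuthentication KerberosAuthentication \
         GSSAPIAuthentication GatewayPorts X11Forwarding; do
    printf '%s -> %s\n' "$d" "$(effective_setting "$(hardened_config)" "$d")"
done
```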

@comotion comotion merged commit 1ae853a into comotion:github Sep 7, 2017
