Update and add annotations to sshd config for servers #5666
Conversation
emkll
force-pushed
the
5660-sshd-config-focal
branch
from
57af90a
to
2609cce
Compare
Codecov Report
@@ Coverage Diff @@
## develop #5666 +/- ##
===========================================
- Coverage 85.46% 81.41% -4.06%
===========================================
Files 51 53 +2
Lines 3709 3965 +256
Branches 464 496 +32
===========================================
+ Hits 3170 3228 +58
- Misses 439 632 +193
- Partials 100 105 +5
Continue to review full report at Codecov.
|
|
One minor note, would it be worth making an accompanying docs change specifically in https://docs.securedrop.org/en/stable/servers.html?highlight=ssh-keygen to use ed25519 for new installs?? |
|
Tested on prod VMs (using existing instructions to generate an RSA SSH key on the workstation):
Removing the |
| # Cipher selection | ||
|
|
||
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr | ||
| HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512 |
There was a problem hiding this comment.
It looks like this ordering forces a new host key to be generated when the new config is applied. Since ECDSA is being removed altogether I don't see that there's a way around this in Xenial. It might make sense to have tailsconfig remove the old host key entries on the workstation if found, and alert the user that they can expect to see prompts on their first SSH/playbook run.
This might also be an issue in Focal, in a default configuration, the Host key is still ECDSA. We could preserve the same host key preferences as the previous sshd_config: Given by default ssh is exposed Tor, which provides a second layer of authentication via authenticated onion services, or only exposed through a local network, we could simply preserve ECDSA / distribution defaults for host keys. I will look into @zenmonkeykstop 's suggestion above, and use Ansible to
This might need to be done before the reboot action, so in the main Ansible playbook |
Preserving as-is seems the most straightforward. Certainly for Xenial, there's no pressing need to change the config. For Focal, ideally we'd have a stronger default, but the gains from v2 -> v3 onions are pretty great already, and v3 is required for Focal. So I don't think we need to block on managing the host keys, as long as you're comfortable backing out on the defaults for now, @emkll. It does strike me as worthwhile to consider hostkey management outside the context of config updates: on first install, the same hostkey for the IPv4 address must be re-confirmed for the ssh onions, which we needn't prompt admins to configure. Still, I don't think that work needs to go into this PR. We can file a separate issue for it, and address if it proves to be a sticking point during testing the backup-and-restore flow as part of the LTS upgrade path. |
- Update supported algorthms - Disable some agent forwarding and tunnelling options - Annotate and reorder configuration for readability Sources: - https://github.com/dev-sec/ansible-ssh-hardening - https://github.com/arthepsy/ssh-audit
ECDSA will be used by defaut for the client to authenticate the host. Tor Onion Services will also provide another layer of authentication, when using ssh over Tor.
emkll
force-pushed
the
5660-sshd-config-focal
branch
from
d4f1643
to
54abdb2
Compare
|
This is ready for re-review, however the docs update identified in #5666 (comment) is still pending |
|
|
||
| # Cipher selection | ||
|
|
||
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr |
There was a problem hiding this comment.
Do we really need chacha20-poly1305@openssh.com?
chacha20 is specially being used from the cheap phones which does not have good hardware. And our users will use Tails on proper hardware to ssh.
- As pointed out by @kushaldas, chacha20-poly1305 mostly mobile-specific cipher, and while historically present in the sshd configuration for SecureDrop, is not necessary to support Debian-based ssh clients. - The UsePrivilegeSeparation option has been deprecated in OpenSSH 7.5 [1]. UsePrivilegeSeparation has defaulted to 'sandbox' since 6.1 [2] and to 'yes' since 3.3 [3]. [1] https://www.openssh.com/txt/release-7.5 [2] https://www.openssh.com/txt/release-6.1 [3] https://www.openssh.com/txt/release-3.3
There was a problem hiding this comment.
- provided config is good / adheres to best practices
- provided config is adequately annotated
- provided config eliminates log message described in Update sshd config for Focal #5660
- on an existing Xenial install the config is applied properly when an Ansible run occurs
I tested manually with ssh over Tor on both Focal and Xenial. Works as expected. Approving. ~ Will merge after standup.~ @conorsch do you think is it ready for merge?
conorsch
dismissed
zenmonkeykstop’s stale review
Concerns raised have been addressed: specifically, the changes to hostkey algos were backed out
Status
Work in progress
Description of Changes
Fixes #5660
Sources:
Testing
Deployment
New installs
The sshd configuration will be applied on new installs via Ansible
Existing installs
Existing installs will not be updated unattended, but applied when an Ansible run occurs
Checklist
If you made non-trivial code changes:
Choose one of the following: