Summary: | ansible: Integrate OpenSSH configuration | | |
---|---|---|---|
Product: | Infrastructure | Reporter: | Michael Tremer <michael.tremer> |
Component: | --- | Assignee: | Timo Eissler <morlix> |
Status: | CLOSED FIXED | QA Contact: | Peter Müller <peter.mueller> |
Severity: | - Unknown - | | |
Priority: | - Unknown - | CC: | morlix, peter.mueller |
Version: | unspecified | Keywords: | Security |
Hardware: | unspecified | | |
OS: | Unspecified | | |
See Also: | https://bugzilla.ipfire.org/show_bug.cgi?id=11538 | | |
Bug Depends on: | | | |
Bug Blocks: | 11640 | | |
Attachments:
- Example sshd_config file (attachment 588)
- Custom OpenSSH server configuration for IPFire (attachment 609)
- Updated custom OpenSSH server configuration for IPFire (attachment 610)
- Updated custom OpenSSH server configuration for IPFire (attachment 631)
- custom OpenSSH client configuration for IPFire (attachment 632)
Description
Michael Tremer
2018-02-26 19:47:25 UTC
Do we have to talk about the config or do you have one already?

We don't have a configuration file yet, but I am sure Peter has some input on this...

Created attachment 588 [details]
Example sshd_config file

This is what I use on my servers (could be cleaned up a bit, but I didn't have time to do it yet).

(In reply to Peter Müller from comment #3)
> Created attachment 588 [details]
> Example sshd_config file
>
> This is what I use on my servers (could be cleaned up a bit, but I didn't
> have time to do it yet).

Of course, setting SSH to a high port is not _that_ effective, but it avoids some noise in the log files.

High ports vary here, but it is better to be consistent. 22 is fine. We don't have SSH open towards the Internet, with the exception of the Git server, on which it has to be on 22 or nobody will be able to use it.

Okay, I will post a more compact version of the sshd_config file. Two remarks:
(a) I consider password authentication to be insecure, complex, and completely unnecessary, so it is disabled in my example. Could we do so for the IPFire infrastructure, too?
(b) Further, remote logins as root should be avoided in my point of view. Use "sudo" instead.
Does that suit you? In general, I would prefer a more restrictive configuration here since SSH is a well-known attack vector.

a) Since we do not have SSH key access properly set up with LDAP yet, I think we need to keep password authentication enabled. As soon as we have SSH agent forwarding enabled everywhere and everyone has their keys uploaded, then we can move towards disabling it.
b) Yes, again, we have this all planned, but we need LDAP integration first so that we can give root access to people who need it.

I decided to deploy a "complete" configuration with ansible instead of changing specific parameters because this seems to be the easier and more robust way. Currently I would deploy a mixture of the CentOS 7 default sshd config and the configuration from Peter.

-> Done.

Created attachment 609 [details]
Custom OpenSSH server configuration for IPFire
Sorry for being late on this - I hope it is not too late. :-\
Attached is an updated OpenSSH server configuration which is cleaner and more straightforward than the original one. It is more or less what I use on my systems, except for automatic termination of idle sessions (Michael did not appreciate that).
Please note I dropped RSA keys since I consider them to be deprecated - ECC crypto is faster on both server and client, and except for some outdated or buggy SSH clients (PuTTY?) I did not encounter any problems. Change this if needed by adding
HostKey /etc/ssh/ssh_host_rsa_key
to the configuration.
Let me know if there are any questions. As mentioned, sorry for being so late all the time.
(In reply to Peter Müller from comment #9)
> Created attachment 609 [details]
> Custom OpenSSH server configuration for IPFire
>
> Sorry for being late on this - I hope it is not too late. :-\

We have a few systems where we rolled out the changes already and are testing. So we would have to do that again before we would be ready to roll this out everywhere.

> Attached is an updated OpenSSH server configuration which is cleaner and
> more straightforward than the original one. It is more or less what I use on
> my systems, except for automatic termination of idle sessions (Michael did
> not appreciate that).

Absolutely not.

> Please note I dropped RSA keys since I consider them to be deprecated - ECC
> crypto is faster on both server and client, and except for some outdated or
> buggy SSH clients (PuTTY?) I did not encounter any problems.

NACK. RSA might not be the best we have right now, but it is widely used and there are no signs RSA is becoming weak (given long enough keys). Please keep this enabled.

> Change this if needed by adding
>
> HostKey /etc/ssh/ssh_host_rsa_key
>
> to the configuration.

Created attachment 610 [details]
Updated custom OpenSSH server configuration for IPFire

Attached is an updated version of the OpenSSH server configuration. Changes are as follows:
- Enabled RSA keys again and adjusted the corresponding comment
- Removed the "MaxSessions" limit (was 5 per user before)
- Set the timeout for successful authentication to 30 seconds (before: 20 sec)

Changes 2 and 3 were made because of Michael's post on the development mailing list (https://lists.ipfire.org/pipermail/development/2018-August/004726.html).

Created attachment 631 [details]
Updated custom OpenSSH server configuration for IPFire

Attached is an updated version of the OpenSSH server configuration file. It is more consistent with the version used in IPFire 2.x now.
Ciphers have been updated so compatibility with some legacy clients (RHEL) works again. From my point of view, this version can be distributed via Ansible in our infrastructure.
Created attachment 632 [details]
custom OpenSSH client configuration for IPFire
Added OpenSSH client configuration file (to be placed in /etc/ssh/ssh_config; users may override it by setting up local SSH client configurations).
Crypto algorithms are consistent with the list chosen for the OpenSSH server.
Did you test if CentOS 7 supports all these new ciphers?

OpenSSH server on CentOS 7 supports all of them:

    [pmueller@git01 ~]$ ssh -Q cipher
    3des-cbc
    aes128-cbc
    aes192-cbc
    aes256-cbc
    rijndael-cbc@lysator.liu.se
    aes128-ctr
    aes192-ctr
    aes256-ctr
    aes128-gcm@openssh.com
    aes256-gcm@openssh.com
    chacha20-poly1305@openssh.com

As far as I am aware, all modern (OpenSSH > 6.5) distributions do so.

Done in common role.
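As an added example (not part of this bug report or of the IPFire Ansible role; the attached configuration files themselves are not reproduced on this page), the following Python script audits an sshd_config against the points settled in the thread: password authentication and direct root login, keeping an RSA host key, the 30-second LoginGraceTime, and a cipher list the CentOS 7 server can actually load (the supported set is the `ssh -Q cipher` output quoted above). It models the OpenSSH rule that the first occurrence of a keyword wins, which is what makes a hardening line appended below a distro default silently ineffective, and treats everything below a Match block as conditional rather than global. Both sample configurations, the keyword names checked and the thresholds are taken from or constructed around the thread, not from the attachments.

```python
# Added example, not IPFire's attached configuration. The supported cipher set
# is the `ssh -Q cipher` output for CentOS 7 quoted in the thread; both sample
# configurations below are constructed for illustration.
import re

CENTOS7_CIPHERS = {
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
}

def parse_sshd_config(text):
    """Return (effective, ignored) for the global section of an sshd_config.

    sshd applies the first occurrence of a keyword and discards later ones, so
    a hardening line appended below a distro default does nothing; those lines
    come back in `ignored`. Keywords are case-insensitive, HostKey is
    cumulative, and everything below the first Match block is conditional.
    """
    effective, ignored, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)  # key value | key=value
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        elif in_match:
            continue
        elif key == "hostkey":
            effective.setdefault(key, []).append(value)
        elif key in effective:
            ignored.append((key, value))
        else:
            effective[key] = [value]
    return effective, ignored

def seconds(value):
    """Parse an sshd time value: plain seconds or a number with s/m/h suffix."""
    units = {"s": 1, "m": 60, "h": 3600}
    v = value.strip().lower()
    return int(v[:-1]) * units[v[-1]] if v[-1] in units else int(v)

def audit(text, supported=CENTOS7_CIPHERS, max_grace=30):
    """Return findings for the settings discussed in the thread."""
    eff, ignored = parse_sshd_config(text)
    findings = ["ineffective: '%s %s' is shadowed by the earlier '%s %s'"
                % (k, v, k, eff[k][0]) for k, v in ignored]
    # sshd defaults to password authentication when the keyword is absent.
    if eff.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append("PasswordAuthentication is effectively enabled")
    root = eff.get("permitrootlogin", ["unset"])[0].lower()
    if root != "no":
        findings.append("PermitRootLogin is %s (use sudo instead)" % root)
    # The RSA host key was explicitly kept for clients without ECC support.
    keys = eff.get("hostkey", [])
    if keys and not any("rsa" in k.lower() for k in keys):
        findings.append("HostKey list has no RSA key")
    # 30 seconds was the agreed value; sshd's own default is 120.
    grace = seconds(eff.get("logingracetime", ["120"])[0])
    if grace > max_grace:
        findings.append("LoginGraceTime is %ds, limit is %ds" % (grace, max_grace))
    # An unknown cipher name makes sshd refuse to start, so catch it before
    # Ansible pushes the file; leading +/-/^ list modifiers are stripped.
    for c in eff.get("ciphers", [""])[0].split(","):
        c = c.strip().lstrip("+-^")
        if c and c not in supported:
            findings.append("cipher %s is not in the CentOS 7 list" % c)
    return findings

# Constructed: distro defaults with hardening appended at the bottom, plus a
# mistyped cipher name (aes256-gcm instead of aes256-gcm@openssh.com).
BAD_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin yes
HostKey /etc/ssh/ssh_host_ed25519_key
LoginGraceTime 2m
Ciphers aes256-gcm@openssh.com,aes256-gcm

# appended later in the belief that the last line wins
PasswordAuthentication no
PermitRootLogin no

Match User backup
    PasswordAuthentication yes
"""

# Constructed: the points settled in the thread, with the RSA key kept.
GOOD_CONFIG = """\
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
PasswordAuthentication no
LoginGraceTime 30
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`. On a target that already has sshd installed, `sshd -T` prints the effective configuration and is the authoritative check; the script is for catching shadowed keywords and unloadable cipher names before the file is pushed to every host by Ansible.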