This is an umbrella bug for hardening the OpenSSH server in IPFire.
TODO list: - enable "StrictMode" in config? (does this break anything?) - specify cipher suite list - never permit empty passwords - set "MaxAuthTries" to suitable value (proposal: 3) - disabling password authentication is not fully applied - disable forwarding (people should use VPN or firewall rules instead) -> disable port forwarding via SSH, too (highly dangerous) - set "MaxSessions" limit (proposal: 5) - always ignore ~/.rhosts - close inactive SSH sessions? (proposal: after 10 minutes idle) - display active sessions in the WebUI - unset password authentication as default in WebUI? - smaller formatting issue of keys in WebUI - remote login as root is ugly - change "ListenAddress"? (never listen on RED or ORANGE) - openssh is outdated, Marcel sent in a patch for this some time ago - make sure Guardian catches all necessary openssh log entries - [and some more things I forgot here] Some of these points are already done by the openssh default config, but not listed in /etc/ssh/sshd_config explicitely. The general question here is wether to ship a custom config file or just take that one of ssh and replace values with sed. Further information: https://man.openbsd.org/sshd_config Will think about this and do some research within next week.
Further reading: https://stribika.github.io/2015/01/04/secure-secure-shell.html
https://patchwork.ipfire.org/patch/1732/
Sorry - was replying to the wrong bug. :-|
Sent in https://patchwork.ipfire.org/patch/1733/ Still to do: - specify cipher suite list - disabling password authentication is not fully applied - disable forwarding (people should use VPN or firewall rules instead) -> disable port forwarding via SSH, too (highly dangerous) - close inactive SSH sessions? (proposal: after 10 minutes idle) - display active sessions in the WebUI - unset password authentication as default in WebUI? - smaller formatting issue of keys in WebUI - remote login as root is ugly - change "ListenAddress"? (never listen on RED or ORANGE) - make sure Guardian catches all necessary openssh log entries Patch for better cryptography settings is currently in development.
(In reply to Peter Müller from comment #5) > - disable forwarding (people should use VPN or firewall rules instead) > -> disable port forwarding via SSH, too (highly dangerous) This is not dangerous?! > - close inactive SSH sessions? (proposal: after 10 minutes idle) Very strongly against this. We have this on the actual console and it is a horrible feature. > - unset password authentication as default in WebUI? This is the default way people log in to the system. Also the only way until a key is installed. Therefore this should be default. > - remote login as root is ugly This is for debugging the system and development. A production system should not have SSH enabled. > - change "ListenAddress"? (never listen on RED or ORANGE) How would it be possible to allow SSH-in from those networks then?
This is not an umbrella bug since there are no tickets depending on this.
(In reply to Michael Tremer from comment #7) > This is not an umbrella bug since there are no tickets depending on this. You were right, I now introduced some bugs to split this topic up a bit. Added the "umbrella" tag again, if you don't mind...
Yes, that's alright :)
https://patchwork.ipfire.org/patch/1895/
Setting to ON_QA since changes are merged upstream and will be rolled out with next Core Update.