Refactor harden server and client config patch for openssh package

Move ssh_config and sshd_config modification from openssh package to openssh-config package. Deployment test pass and configuration file check pass! Story: 2004477 Task: 28185 Change-Id: I9976733bab102ee076d514333cd5a74af20794ec Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-12-08 00:48:10 +08:00 · 2018-12-08 00:48:10 +08:00 · 2730d2b38b
parent 4f3e626029
commit 2730d2b38b
6 changed files with 233 additions and 150 deletions
--- a/base/openssh-config/centos/openssh-config.spec
+++ b/base/openssh-config/centos/openssh-config.spec
@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder.
 %{__install} -d  %{buildroot}%{_sysconfdir}/systemd/system
 %{__install} -m 644 sshd.pam      %{buildroot}%{_datadir}/starlingx/sshd.pam
 %{__install} -m 644 sshd.service  %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
+%{__install} -m 644 ssh_config    %{buildroot}%{_datadir}/starlingx/ssh_config
+%{__install} -m 600 sshd_config   %{buildroot}%{_datadir}/starlingx/sshd_config

 %post
 %define _pamconfdir %{_sysconfdir}/pam.d
 if [ $1 -eq 1 ] ; then
        # Initial installation
-        cp -f %{_datadir}/starlingx/sshd.pam  %{_pamconfdir}/sshd
+        cp -f %{_datadir}/starlingx/sshd.pam    %{_pamconfdir}/sshd
+        cp -f %{_datadir}/starlingx/ssh_config  %{_sysconfdir}/ssh/ssh_config
+        cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config
 fi

 %files
 %{_datadir}/starlingx/sshd.pam
 %{_sysconfdir}/systemd/system/sshd.service
+%{_datadir}/starlingx/ssh_config
+%{_datadir}/starlingx/sshd_config
--- a/base/openssh-config/files/ssh_config
+++ b/base/openssh-config/files/ssh_config
@ -0,0 +1,71 @@
+#       $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
+
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   RhostsRSAAuthentication no
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/identity
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
+#   Port 22
+#   Protocol 2
+#   Cipher 3des
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   RekeyLimit 1G 1h
+#
+# Uncomment this if you want to use .local domain
+# Host *.local
+#   CheckHostIP no
+
+Host *
+        GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+        ForwardX11Trusted yes
+# Send locale-related environment variables
+        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+        SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+        SendEnv XMODIFIERS
+
+# Filtered key exchange algorithm list
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
--- a/base/openssh-config/files/sshd_config
+++ b/base/openssh-config/files/sshd_config
@ -0,0 +1,148 @@
+#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+RekeyLimit default 1h
+
+# Logging
+#SyslogFacility AUTH
+#SyslogFacility AUTHPRIV
+LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 1m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile     .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+#ShowPatchLevel no
+# Make SSH connect faster on bootup
+UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# default banner path
+Banner /etc/issue.net
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem       sftp    /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server
+DenyUsers admin secadmin operator
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
+# using "-" should be used for cipher, MAC and kex excluded suites.
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
--- a/base/openssh/centos/build_srpm.data
+++ b/base/openssh/centos/build_srpm.data
@ -1 +1 @@
-TIS_PATCH_VER=9
+TIS_PATCH_VER=10
--- a/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
+++ b/base/openssh/centos/meta_patches/spec-include-TiS-changes.patch
@ -5,35 +5,17 @@ Subject: spec-include-TiS-changes.patch

 Signed-off-by: zhipengl <zhipengs.liu@intel.com>
 ---
- SPECS/openssh.spec | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
+ SPECS/openssh.spec | 5 -----
+ 1 file changed, 5 deletions(-)

 diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
 index 0a91b56..bbae9d7 100644
 --- a/SPECS/openssh.spec
 +++ b/SPECS/openssh.spec
-@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
- Patch959: openssh-7.4p1-authorized_keys_command.patch
- # Fix for CVE-2017-15906 (#1517226)
- Patch960: openssh-7.5p1-sftp-empty-files.patch
-+# WRS: harden server and client config
-+Patch1000: harden-server-and-client-config.patch
- 
- License: BSD
- Group: Applications/Internet
-@@ -510,6 +512,8 @@ popd
- %patch700 -p1 -b .fips
- 
- %patch100 -p1 -b .coverity
-+# WRS
-+%patch1000 -p1 -b .harden
- 
- %if 0
- # Nothing here yet
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
 %preun server
 %systemd_preun sshd.service sshd.socket
- 
+
 -%postun server
 -%systemd_postun_with_restart sshd.service
 -
@ -43,12 +25,12 @@ index 0a91b56..bbae9d7 100644
@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
- 
+
 -%files server-sysvinit
 -%defattr(-,root,root)
 %attr(0755,root,root) /etc/rc.d/init.d/sshd
 %endif
- 
-- 
+
+--
 1.8.3.1

--- a/base/openssh/centos/patches/harden-server-and-client-config.patch
+++ b/base/openssh/centos/patches/harden-server-and-client-config.patch
@ -1,124 +0,0 @@
-From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
-From: Andy Ning <andy.ning@windriver.com>
-Date: Fri, 23 Mar 2018 14:46:06 -0400
-Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
-
-The patch hardened ssh server and client security, specifically
-removed support of sha1 base kex algrorithms as found by Nessus
-scan.
---
- ssh_config  |  3 +++
- sshd_config | 45 +++++++++++++++++++++++++++------------------
- 2 files changed, 30 insertions(+), 18 deletions(-)
-
-diff --git a/ssh_config b/ssh_config
-index d1c83ea..3320eb0 100644
--- a/ssh_config
-+++ b/ssh_config
-@@ -66,3 +66,6 @@ Host *
- 	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- 	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
- 	SendEnv XMODIFIERS
-+
-+# Filtered key exchange algorithm list
-+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-diff --git a/sshd_config b/sshd_config
-index 6bbb86b..7fb2ac7 100644
--- a/sshd_config
-+++ b/sshd_config
-@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
- HostKey /etc/ssh/ssh_host_ed25519_key
- 
- # Ciphers and keying
-#RekeyLimit default none
-+RekeyLimit default 1h
- 
- # Logging
- #SyslogFacility AUTH
-SyslogFacility AUTHPRIV
-#LogLevel INFO
-+#SyslogFacility AUTHPRIV
-+LogLevel INFO
- 
- # Authentication:
- 
-#LoginGraceTime 2m
-#PermitRootLogin yes
-+LoginGraceTime 1m
-+PermitRootLogin no
- #StrictModes yes
-#MaxAuthTries 6
-+MaxAuthTries 4
- #MaxSessions 10
- 
- #PubkeyAuthentication yes
-@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
- #KerberosUseKuserok yes
- 
- # GSSAPI options
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials no
-+GSSAPIAuthentication no
-+GSSAPICleanupCredentials yes
- #GSSAPIStrictAcceptorCheck yes
- #GSSAPIKeyExchange no
- #GSSAPIEnablek5users no
-@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
- # problems.
- UsePAM yes
- 
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-+AllowAgentForwarding no
-+AllowTcpForwarding no
- #GatewayPorts no
-X11Forwarding yes
-+X11Forwarding no
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PermitTTY yes
-@@ -106,21 +106,22 @@ X11Forwarding yes
- #PrintLastLog yes
- #TCPKeepAlive yes
- #UseLogin no
-#UsePrivilegeSeparation sandbox
-+UsePrivilegeSeparation yes
- #PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-+Compression no
-+ClientAliveInterval 15
-+ClientAliveCountMax 4
- #ShowPatchLevel no
-#UseDNS yes
-+# Make SSH connect faster on bootup
-+UseDNS no
- #PidFile /var/run/sshd.pid
- #MaxStartups 10:30:100
- #PermitTunnel no
- #ChrootDirectory none
- #VersionAddendum none
- 
-# no default banner path
-#Banner none
-+# default banner path
-+Banner /etc/issue.net
- 
- # Accept locale-related environment variables
- AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-@@ -137,3 +138,11 @@ Subsystem	sftp	/usr/libexec/sftp-server
- #	AllowTcpForwarding no
- #	PermitTTY no
- #	ForceCommand cvs server
-+DenyUsers admin secadmin operator
-+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
-+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
-+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
-+# using "-" should be used for cipher, MAC and kex excluded suites.
-+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
-+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
-+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-- 
-1.8.3.1
-