From b91d206f5612956315592ee8335379915cba2b24 Mon Sep 17 00:00:00 2001
From: Andy Ning
Date: Thu, 22 Mar 2018 10:53:33 -0400
Subject: [PATCH] Remove sha1 based kex algorithms

This patch hardened server configuration including removing sha1 based kex algorithms from the manifest template that puppet uses to generate the configuration file sshd_config. It also removed hardcoded sshd_config and ssh_config from repo, replaced them with patches to openssh that harden both server and client configuration. This is particularly to address the requirements that the system should be hardened from the very first boot up (before it is configured by manifest apply) It also removed old obsolete patch files in openssh directory to avoid confusions.

Change-Id: Ic34bebfd88f46cade3596d920a00311f9aa5980f
Signed-off-by: Andy Ning
---
 .../puppet-sshd/src/sshd/templates/sshd_config.erb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb b/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb
index d3b0ee374e..19177eac11 100644
--- a/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb
+++ b/puppet-modules-wrs/puppet-sshd/src/sshd/templates/sshd_config.erb
@@ -123,9 +123,13 @@ Subsystem sftp /usr/libexec/openssh/sftp-server
 # AllowTcpForwarding no
 # ForceCommand cvs server
 DenyUsers admin secadmin operator
-# Filtered cipher and MAC list, defaults can be obtained by ssh -Q cipher and ssh -Q mac
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
+# using "-" should be used for cipher, MAC and kex excluded suites.
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
 MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 # This Match block prevents Password Authentication for root user
 Match User root
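Review bot: The new `KexAlgorithms` allow-list is only safe if every name on it is known to the OpenSSH build actually installed at first boot: sshd refuses to start on an unrecognised name (`Bad SSH2 KexAlgorithms spec`), and as I recall the IANA spelling `curve25519-sha256` and the `group14-sha256`/`group16-sha512`/`group18-sha512` entries only appeared in OpenSSH 7.3–7.4, so on an older package this line would lock the node out of SSH rather than harden it. The TODO in the hunk implies the package is still below 7.5, so please confirm the minimum supported version and add a comment next to the list such as `# NOTE: every name below must be accepted by the installed sshd; an unknown name makes sshd fail to start`. Keeping `diffie-hellman-group-exchange-sha256` also means the strength of that exchange is decided by /etc/ssh/moduli rather than by this line; with the fixed `group14`/`group16`/`group18` entries already listed, consider dropping GEX or documenting that the moduli file must be pruned of small groups. The unchanged `MACs` context line still advertises `hmac-sha1`, `hmac-sha1-etm@openssh.com` and the 64-bit `umac-64` variants, which a hardening change titled "remove sha1" may want to address in a follow-up.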