From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001 From: Andy Ning Date: Fri, 23 Mar 2018 14:46:06 -0400 Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms The patch hardened ssh server and client security, specifically removed support of sha1 base kex algrorithms as found by Nessus scan. --- ssh_config | 3 +++ sshd_config | 45 +++++++++++++++++++++++++++------------------ 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/ssh_config b/ssh_config index d1c83ea..3320eb0 100644 --- a/ssh_config +++ b/ssh_config @@ -66,3 +66,6 @@ Host * SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE SendEnv XMODIFIERS + +# Filtered key exchange algorithm list +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 diff --git a/sshd_config b/sshd_config index 6bbb86b..7fb2ac7 100644 --- a/sshd_config +++ b/sshd_config @@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying -#RekeyLimit default none +RekeyLimit default 1h # Logging #SyslogFacility AUTH -SyslogFacility AUTHPRIV -#LogLevel INFO +#SyslogFacility AUTHPRIV +LogLevel INFO # Authentication: -#LoginGraceTime 2m -#PermitRootLogin yes +LoginGraceTime 1m +PermitRootLogin no #StrictModes yes -#MaxAuthTries 6 +MaxAuthTries 4 #MaxSessions 10 #PubkeyAuthentication yes @@ -76,8 +76,8 @@ ChallengeResponseAuthentication no #KerberosUseKuserok yes # GSSAPI options -GSSAPIAuthentication yes -GSSAPICleanupCredentials no +GSSAPIAuthentication no +GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no @@ -95,10 +95,10 @@ GSSAPICleanupCredentials no # problems. UsePAM yes -#AllowAgentForwarding yes -#AllowTcpForwarding yes +AllowAgentForwarding no +AllowTcpForwarding no #GatewayPorts no -X11Forwarding yes +X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes @@ -106,21 +106,22 @@ X11Forwarding yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation sandbox +UsePrivilegeSeparation yes #PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 #ShowPatchLevel no -#UseDNS yes +# Make SSH connect faster on bootup +UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none -# no default banner path -#Banner none +# default banner path +Banner /etc/issue.net # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES @@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server +DenyUsers admin secadmin operator +# Filtered cipher, MAC and key exchange algorithm list, defaults can be +# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex +# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list +# using "-" should be used for cipher, MAC and kex excluded suites. +Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com +MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 -- 1.8.3.1