125 lines
3.9 KiB
Diff
125 lines
3.9 KiB
Diff
From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
|
|
From: Andy Ning <andy.ning@windriver.com>
|
|
Date: Fri, 23 Mar 2018 14:46:06 -0400
|
|
Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
|
|
|
|
The patch hardened ssh server and client security, specifically
|
|
removed support of sha1 base kex algrorithms as found by Nessus
|
|
scan.
|
|
---
|
|
ssh_config | 3 +++
|
|
sshd_config | 45 +++++++++++++++++++++++++++------------------
|
|
2 files changed, 30 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/ssh_config b/ssh_config
|
|
index d1c83ea..3320eb0 100644
|
|
--- a/ssh_config
|
|
+++ b/ssh_config
|
|
@@ -66,3 +66,6 @@ Host *
|
|
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
SendEnv XMODIFIERS
|
|
+
|
|
+# Filtered key exchange algorithm list
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
|
diff --git a/sshd_config b/sshd_config
|
|
index 6bbb86b..7fb2ac7 100644
|
|
--- a/sshd_config
|
|
+++ b/sshd_config
|
|
@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
|
|
# Ciphers and keying
|
|
-#RekeyLimit default none
|
|
+RekeyLimit default 1h
|
|
|
|
# Logging
|
|
#SyslogFacility AUTH
|
|
-SyslogFacility AUTHPRIV
|
|
-#LogLevel INFO
|
|
+#SyslogFacility AUTHPRIV
|
|
+LogLevel INFO
|
|
|
|
# Authentication:
|
|
|
|
-#LoginGraceTime 2m
|
|
-#PermitRootLogin yes
|
|
+LoginGraceTime 1m
|
|
+PermitRootLogin no
|
|
#StrictModes yes
|
|
-#MaxAuthTries 6
|
|
+MaxAuthTries 4
|
|
#MaxSessions 10
|
|
|
|
#PubkeyAuthentication yes
|
|
@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
|
|
#KerberosUseKuserok yes
|
|
|
|
# GSSAPI options
|
|
-GSSAPIAuthentication yes
|
|
-GSSAPICleanupCredentials no
|
|
+GSSAPIAuthentication no
|
|
+GSSAPICleanupCredentials yes
|
|
#GSSAPIStrictAcceptorCheck yes
|
|
#GSSAPIKeyExchange no
|
|
#GSSAPIEnablek5users no
|
|
@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
|
|
# problems.
|
|
UsePAM yes
|
|
|
|
-#AllowAgentForwarding yes
|
|
-#AllowTcpForwarding yes
|
|
+AllowAgentForwarding no
|
|
+AllowTcpForwarding no
|
|
#GatewayPorts no
|
|
-X11Forwarding yes
|
|
+X11Forwarding no
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PermitTTY yes
|
|
@@ -106,21 +106,22 @@ X11Forwarding yes
|
|
#PrintLastLog yes
|
|
#TCPKeepAlive yes
|
|
#UseLogin no
|
|
-#UsePrivilegeSeparation sandbox
|
|
+UsePrivilegeSeparation yes
|
|
#PermitUserEnvironment no
|
|
-#Compression delayed
|
|
-#ClientAliveInterval 0
|
|
-#ClientAliveCountMax 3
|
|
+Compression no
|
|
+ClientAliveInterval 15
|
|
+ClientAliveCountMax 4
|
|
#ShowPatchLevel no
|
|
-#UseDNS yes
|
|
+# Make SSH connect faster on bootup
|
|
+UseDNS no
|
|
#PidFile /var/run/sshd.pid
|
|
#MaxStartups 10:30:100
|
|
#PermitTunnel no
|
|
#ChrootDirectory none
|
|
#VersionAddendum none
|
|
|
|
-# no default banner path
|
|
-#Banner none
|
|
+# default banner path
|
|
+Banner /etc/issue.net
|
|
|
|
# Accept locale-related environment variables
|
|
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
|
|
# AllowTcpForwarding no
|
|
# PermitTTY no
|
|
# ForceCommand cvs server
|
|
+DenyUsers admin secadmin operator
|
|
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
|
|
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
|
|
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
|
|
+# using "-" should be used for cipher, MAC and kex excluded suites.
|
|
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
|
|
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
|
|
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
|
--
|
|
1.8.3.1
|
|
|