Use more secure sshd defaults #744

Merged
merged 17 commits into from
Feb 12, 2017

Conversation

fullyint
Contributor

Background

A discourse thread prompted #561, a call to create more secure sshd defaults. @RiFi2k implemented these improvements in #702 in a ssh-hardening branch that @fullyint augmented and PR-ed to master in #716. Discussion in #716 determined that we should further modify our adaptation of the dev-sec/ansible-ssh-hardening role to match Trellis coding conventions. Many thanks to @RiFi2k and @swalkinshaw for their work preparing these modifications.

In the end, whittling and modifying the dev-sec role ended up being more work and code change than if we'd simply adjusted our existing sshd role. In addition, the final modification of the dev-sec role still struck me as somewhat inorganic to the rest of Trellis (example of nearly final modification here).

This PR

This PR starts over with just our original sshd role, eliminates parts we don't need, then adds the minimum needed to achieve great security and excellent README guidance for users. It strikes me as more streamlined and suitable than #716.

This PR takes one logical step per commit, for easier review. Commits could be squashed on merge.

Sorry @RiFi2k that this didn't directly use and credit all your incredible work. I hope it's ok that I cherry-picked and added your "Remove insecure lines from moduli file" commit (with you as author).

Comparing with #716

Comments in #716 offered a diff of configs before vs. after #716. Here is how the final config of this PR differs from the final config of #716:

  # ssh_config
  # ---------------------

  # stribika recommends 'no'
- challengeresponseauthentication yes
+ challengeresponseauthentication no
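Review bot: in ssh_config this directive governs the client, not the server, so `challengeresponseauthentication no` stops ssh on these hosts from answering keyboard-interactive prompts on every remote they connect out to (PAM- or OTP-driven prompts included), which is a different and broader effect than the same keyword in sshd_config. The only justification given is "stribika recommends 'no'"; the README should state what this disables for outbound connections, or the client setting should be left at its default and the hardening confined to sshd_config.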


  # sshd_config
  # ---------------------

  # we already have PasswordAuthentication no
  # keeping 'yes/no' avoids having to change name/handling of sshd_permit_root_login var
- permitrootlogin without-password
+ permitrootlogin yes
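Review bot: `permitrootlogin yes` is safe here only because PasswordAuthentication is `no`, but the two are set independently, so anyone who turns password authentication back on (for example to bootstrap a host) silently gets root reachable by password. Either keep the #716 value `without-password` as what sshd_permit_root_login maps to when true, or have the README state that sshd_permit_root_login must be false whenever password authentication is enabled. The comment "keeping 'yes/no' avoids having to change name/handling of sshd_permit_root_login var" should also say outright that the safety of `yes` depends on `PasswordAuthentication no`.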

  # Applies to RhostsRSAAuthentication and HostbasedAuthentication which are both 'no'
  # cleaner to omit IgnoreUserKnownHosts option (system default is 'no')
- ignoreuserknownhosts yes
+ ignoreuserknownhosts no

  # KerberosAuthentication is 'no'
  # cleaner to omit KerberosAuthentication option (system default is 'yes')
- kerberosorlocalpasswd no
+ kerberosorlocalpasswd yes
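Review bot: the second comment line of this hunk names the wrong directive; the option being omitted, and the one whose default is 'yes', is KerberosOrLocalPasswd, while the preceding line already records that KerberosAuthentication is 'no'. Suggest "# cleaner to omit KerberosOrLocalPasswd option (system default is 'yes')" so the rationale matches the keyword on the `+`/`-` lines.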

  # LogLevel system default is 'INFO', which seems fine
  # cleaner to omit option
- loglevel VERBOSE
+ loglevel INFO
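Review bot: "seems fine" records no reason for dropping the VERBOSE level that #716 had chosen; VERBOSE logs more detail about each authentication attempt than INFO, which is why hardening guides select it, and that trade-off belongs in the comparison. As the sftp hunk below does for `-l INFO -f LOCAL6`, the comment (and the README) should say that users who want VERBOSE can set LogLevel themselves.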

  # Users who want '-l INFO -f LOCAL6' can add it on their own
- subsystem sftp internal-sftp -l INFO -f LOCAL6
+ subsystem sftp internal-sftp
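As an added example (not Trellis code and not part of this PR), the checker below parses an sshd_config the way sshd does (case-insensitive keywords, first occurrence wins, the global section ends at the first `Match` line) and tests the invariant the comparison above leans on: `permitrootlogin yes` is acceptable only while PasswordAuthentication is `no`. It goes one step past the diff and also checks the keyboard-interactive path (UsePAM with ChallengeResponseAuthentication), which can still accept a Unix password when PasswordAuthentication is `no`. The lowercase `keyword value` form used in the comparison above is what `sshd -T` prints, and the parser accepts that as well as a raw config file. Both sample configs are constructed for this example.

```python
# Added example (not Trellis code): check an sshd_config, or the output of
# `sshd -T`, for the password-login paths the settings above are concerned with.
# The two sample configs at the bottom are constructed for this example.

# PermitRootLogin values that refuse a root login by password.
ROOT_WITHOUT_PASSWORD = {"no", "without-password", "prohibit-password", "forced-commands-only"}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings as {keyword_lowercase: value}.

    Follows sshd's own rules: keywords are case-insensitive, only a line whose
    first non-blank character is '#' is a comment (sshd rejects a trailing
    '# ...' as garbage at end of line), the FIRST occurrence of a keyword wins,
    and everything after the first 'Match' line is conditional, so the global
    section ends there. `sshd -T` output is already in this plain
    "keyword value" form and parses the same way.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if "=" in head:  # sshd also accepts "Keyword=value"
            head, _, first = head.partition("=")
            rest = (first + " " + rest).strip()
        keyword = head.lower()
        if keyword == "match":
            break
        effective.setdefault(keyword, rest)
    return effective


def check_password_paths(effective: dict) -> list:
    """Return findings about password-based logins; an empty list means clean."""
    findings = []

    # sshd's compiled-in default for PasswordAuthentication is 'yes', so an
    # omitted directive counts as enabled.
    password_auth = effective.get("passwordauthentication", "yes").lower()
    if password_auth != "no":
        findings.append("PasswordAuthentication is not 'no'")

    # 'permitrootlogin yes' is tolerable only while password logins are off,
    # which is the justification the diff above gives for it.
    root = effective.get("permitrootlogin", "").lower()
    if root == "yes" and password_auth != "no":
        findings.append("PermitRootLogin yes while password logins are enabled")
    elif root and root != "yes" and root not in ROOT_WITHOUT_PASSWORD:
        findings.append(f"PermitRootLogin has unexpected value {root!r}")

    # Beyond the diff above: with UsePAM yes, keyboard-interactive authentication
    # lets PAM prompt for the Unix password even though PasswordAuthentication
    # is 'no', so ChallengeResponseAuthentication must be 'no' as well.
    # Compiled-in defaults: UsePAM no, ChallengeResponseAuthentication yes.
    use_pam = effective.get("usepam", "no").lower()
    challenge = effective.get("challengeresponseauthentication", "yes").lower()
    if use_pam == "yes" and challenge != "no":
        findings.append("UsePAM yes with ChallengeResponseAuthentication not 'no': "
                        "password still accepted via keyboard-interactive")
    return findings


# Constructed sample: a distro-style config with root and password logins open.
WEAK_CONFIG = """\
# package default, lightly edited
Port 22
PermitRootLogin yes
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
Subsystem sftp internal-sftp
"""

# Constructed sample modelled on the settings in the diff above. The second
# PasswordAuthentication line and the Match block are there to show that sshd
# keeps the first value and that Match blocks do not alter the global section.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
Subsystem sftp internal-sftp
Match User deploy
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_password_paths(parse_sshd_config(cfg))
        print(name, "->", findings or "no findings")
```

Because the parser takes `sshd -T` text unchanged, the same check can be run against the effective configuration of a provisioned host rather than against the template, which is what catches a distro-supplied file or a later edit that reopens a password path.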

@swalkinshaw
Member

This looks good to go. Needs changelog entry as well 👍

@fullyint
Contributor Author

Major thanks to @RiFi2k and @swalkinshaw for a ton of work and review!

@fullyint fullyint deleted the sshd branch February 12, 2017 21:51
@RiFi2k
Contributor

RiFi2k commented Feb 14, 2017

@fullyint thanks to you for getting it where it needed to be, I know you put in some hours on this.
