SSH hardening, removing outdated ciphers, kex algorithms, etc #3975
Comments
The service responsible for writing the configuration file is
Unfortunately this is still legacy code and doesn't support overlays, but if you can collect a list of options that should be changed in your opinion, together with the current default and desired options, we can take a look if we can turn this ticket into a feature request and schedule it. We would like to avoid breaking existing setups, so most options likely need to be selectable from here: core/src/www/system_advanced_admin.php Line 638 in e4393e0
Generally, I'd like to have access to these three properties of the sshd_config file:
For me, the desired state would be to set these to something like this, copying from a fairly hardened config:
The above still has two actionable recommendations in the ssh-audit tool's report, but it's much, much better than the current default. It would also definitely break older ssh clients, which is why I'd let the user edit these lines on their own as part of an advanced configuration block.
we don't support advanced configuration blocks, unless the service supports include directories and the user can drop its modifications in a file on disk. Free text fields are impossible to validate and sooner or later turn into various security issues impossible to fix. If we can come up with a list of options to add, we might consider adding them. The above list certainly helps in that regard.
Fair enough, I can completely see your point why a text input is not a good solution in the long run. Then I can imagine a checkbox field where the user can select their chosen kex, cipher and mac algorithms from predefined lists of what the currently used SSH server supports. There could be a "Reset to default" button to load the current OPNsense defaults that are considered to be the most compatible options. Upon clicking the button, it puts or removes the ticks on all the checkboxes in the field according to the defaults it ships with. The user can then modify the selection according to their liking, and this is used on save to generate these three options in the SSH server config.

Getting what kex, cipher and macs the currently installed SSH supports: https://superuser.com/questions/868998/how-can-i-find-a-list-of-macs-ciphers-and-kexalgorithms-that-my-openssh-client/869005#869005 These lists could provide the values to the checkbox field.

Furthermore, the audit tool is just one Python file, maybe it's possible to integrate it to self-test the configuration. Like the health test under the firmware menu, to give feedback on the settings currently set up. Running like

For the current OPNsense release, the tool says the following:
If I had the chance, I'd at least untick the checkboxes from the default config according to the "algorithm recommendations" part, as I only use up-to-date OpenSSH clients.
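The checkbox proposal above, written out as an added POSIX shell example (this is not OPNsense code and not code from the issue): the option lists come from `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac`, the query the linked superuser answer describes, and the generator keeps only ticked entries that appear in those lists, so nothing a user types can reach sshd_config unvalidated. The sample `ssh -Q` output, the demo selection and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not OPNsense code, not ssh-audit): build the sshd_config
# algorithm directives from a checkbox-style selection, keeping only entries
# the installed OpenSSH reports via `ssh -Q kex|cipher|mac`. Anything not on
# that list is dropped, so no free-text value can reach the config file.

# Constructed sample of `ssh -Q` output (hypothetical; real output depends on
# the OpenSSH version), used when no ssh binary is on the PATH.
SAMPLE_KEX='curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group14-sha1
diffie-hellman-group16-sha512'
SAMPLE_CIPHER='aes128-ctr
aes256-ctr
chacha20-poly1305@openssh.com
aes256-gcm@openssh.com'
SAMPLE_MAC='hmac-sha1
hmac-sha2-256
hmac-sha2-512-etm@openssh.com'

# supported_list QUERY: newline-separated algorithms for QUERY (kex, cipher,
# mac) from the installed OpenSSH when ssh exists, otherwise the sample above.
supported_list() {
  if command -v ssh >/dev/null 2>&1; then
    ssh -Q "$1"
  else
    case "$1" in
      kex)    printf '%s\n' "$SAMPLE_KEX" ;;
      cipher) printf '%s\n' "$SAMPLE_CIPHER" ;;
      mac)    printf '%s\n' "$SAMPLE_MAC" ;;
    esac
  fi
}

# build_directive NAME SUPPORTED SELECTED
#   NAME      sshd_config keyword (KexAlgorithms, Ciphers or MACs)
#   SUPPORTED newline-separated list the server supports
#   SELECTED  space-separated list the user ticked, in preference order
# Prints "NAME a,b,c" with the supported entries only. Prints nothing and
# returns 1 when no selected entry is supported, so the caller keeps the
# sshd default instead of writing a directive with an empty value.
build_directive() {
  name=$1; supported=$2; selected=$3
  out=""
  for alg in $selected; do
    # whole-line fixed-string match: "aes128-ctr" must not accept "aes128-ctr-x"
    if printf '%s\n' "$supported" | grep -qxF -- "$alg"; then
      out="${out}${out:+,}${alg}"
    fi
  done
  [ -n "$out" ] || return 1
  printf '%s %s\n' "$name" "$out"
}

# render_sshd_fragment KEX_SEL CIPHER_SEL MAC_SEL: the three lines the web
# interface would append to sshd_config (directives with no usable selection
# are simply omitted).
render_sshd_fragment() {
  build_directive KexAlgorithms "$(supported_list kex)"    "$1" || true
  build_directive Ciphers       "$(supported_list cipher)" "$2" || true
  build_directive MACs          "$(supported_list mac)"    "$3" || true
}

# Demo selection: one or two preferred entries per field, plus a mistyped
# cipher ("aes256-gcm" without its @openssh.com suffix) that gets dropped.
render_sshd_fragment \
  "curve25519-sha256 curve25519-sha256@libssh.org" \
  "chacha20-poly1305@openssh.com aes256-gcm" \
  "hmac-sha2-512-etm@openssh.com hmac-sha2-256"
```

Run it with `sh generate.sh`; on a host with OpenSSH installed the live `ssh -Q` lists are used, so an entry the local sshd does not know is dropped from the output rather than written into the config and rejected at the next reload.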
The options should be good to add indeed, we don't change any of these defaults currently, so it shouldn't be a huge problem to add them. A test tool is not something we consider for core, if someone wants to build a plugin that's fine, but out of our scope.
5df590c should do the trick, install on the latest OPNsense (20.1.2) using:
Wow, this was fast, and it's fantastic! Now, the ssh-audit reports are almost fine. Just two remarks:
The generated file's bottom part for reference (
I think we had this question before, so I thought to take a look now, but if the current state isn't useful enough, we might need to revert and see if someone else wants to spend time on this.
For the 1st point: @jtesta might see this thread, he is the maintainer of the mentioned ssh-audit tool, and has a far greater knowledge about SSH internals than me.
As for the 2nd point, it's great news, so the disabled host key file could be renamed to something else, and the loop continues. When enabling, just rename it back (e.g.,
@immanuelfodor No need to rename, only stop including when not needed, however we do need to determine the logic/mapping between kex algo and hostkey, you can probably help out there.
The best thing about mapping the algo and the host key is that if the user doesn't include any algo that can be used with the host key, SSH seems to include at least one, so the user won't lock themselves out. This happened above when I couldn't get rid of

With only curve25519 selected on the web interface:

Aaaand it seems I was wrong above, it was not in the kex algo list but the host key algo, and that is not adjustable by the user at all, it completely depends on the loaded host key files. 🎉 So no mapping is needed at all.
Well, after further digging, it seems there is a separate config key entry that I didn't know of, And here I could turn off the outdated ssh-rsa algo to comply with the ssh-audit tool by not listing it as my preferred algo. This could be added as the final fourth checkbox field, in parallel with the four blocks of the ssh-audit output:
I wonder, if the ECDSA and GSA host keys are loaded but no algo is preferred for them, what would happen. I'd be happy if it just wouldn't show up anymore, so the preferred list would be for me:
This way we wouldn't need to mess with the file loading. Could you please provide a patch for the fourth checkbox field?
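To show what a pre-save or health-test style check over the four fields discussed here (KexAlgorithms, Ciphers, MACs and the fourth one, HostKeyAlgorithms) could look like, here is an added shell example; it is not ssh-audit itself and not OPNsense code. The denylist, the two sample config fragments and the function names are assumptions made for the illustration, not ssh-audit's actual rule set: it lists SHA-1-based key exchange and MACs, CBC ciphers and the ssh-rsa / ssh-dss host key schemes, which is the kind of entry the "algorithm recommendations" section flags.

```shell
#!/bin/sh
# Added example (not ssh-audit, not OPNsense code): check the four algorithm
# directives of a generated sshd_config fragment against a small denylist,
# in the spirit of the "algorithm recommendations" section discussed above.
# The denylist is an assumption made for this illustration: SHA-1-based key
# exchange and MACs, CBC ciphers, and the ssh-rsa / ssh-dss host key schemes.

# Constructed sample: the tail of a generated sshd_config, with one
# outdated entry left in three of the four directives.
SAMPLE_CONFIG='# written by the web interface (constructed sample)
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha1
HostKeyAlgorithms ssh-ed25519,ssh-rsa'

# The same fragment after unticking the flagged entries.
HARDENED_CONFIG='KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519'

# Assumed denylist: "Directive algorithm", one pair per line.
DENYLIST='KexAlgorithms diffie-hellman-group1-sha1
KexAlgorithms diffie-hellman-group14-sha1
Ciphers 3des-cbc
Ciphers aes128-cbc
Ciphers aes256-cbc
MACs hmac-md5
MACs hmac-sha1
HostKeyAlgorithms ssh-dss
HostKeyAlgorithms ssh-rsa'

# directive_value CONFIG NAME: the comma-separated value of the first NAME
# line. sshd honours the first occurrence of a keyword, keywords are
# case-insensitive and comment lines start with '#'.
directive_value() {
  printf '%s\n' "$1" | awk -v k="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }'
}

# flag_weak CONFIG: one "NAME algorithm" line per denylisted entry present.
flag_weak() {
  cfg=$1
  printf '%s\n' "$DENYLIST" | while read -r name alg; do
    value=$(directive_value "$cfg" "$name")
    # wrap in commas so "hmac-sha1" does not match "hmac-sha1-etm@openssh.com"
    case ",$value," in
      *",$alg,"*) printf '%s %s\n' "$name" "$alg" ;;
    esac
  done
}

# audit_fragment CONFIG: returns 0 when nothing is flagged, otherwise prints
# the findings and returns 1 (usable as a pre-save check or a health test).
audit_fragment() {
  findings=$(flag_weak "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

echo "== sample fragment =="
audit_fragment "$SAMPLE_CONFIG" || echo "outdated algorithms found"
echo "== hardened fragment =="
audit_fragment "$HARDENED_CONFIG" && echo "clean"
```

Run it with `sh audit.sh`; the sample fragment produces three findings (one each in KexAlgorithms, MACs and HostKeyAlgorithms) and the hardened one none. Matching on the first occurrence of each keyword mirrors how sshd itself reads the file, so a directive that the web interface appends below a pre-existing one would be reported the way sshd actually applies it.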
ok, so long story short, you also would like to add the key selection, which glues to the key generation (last part I'll have to check)
Yes, it just took me some thinking while writing, sorry 😃
that's no problem, just making sure we mean the same here :) I'll see if I can add the key selection, ordering isn't something I'm planning to solve. Can we agree to close this after key is in?
Yes, we are done here after that, the ordering doesn't matter if I pick my favourite supported algos and only one or two from each of those. The upmost hardened config is the best tradeoff between security and support but it can be hardened further where the order doesn't matter at the end. It's great to have these checkboxes available on the web, that's what matters the most.
@immanuelfodor ok, I think this 1165119 should be it then (looking at
Perfect, works as expected, now my audit is completely green, thanks! You can close it now if you wish.
(cherry picked from commit 1165119)
Hi Everyone,
There is a forum post from somebody else recommending opening an issue for ssh hardening but there are no issues to be found after searching, so here is mine.
I'd like to harden my ssh connection on the OPNsense server side, how can I do that, which config files to edit to persist the change?
Would like to implement the recommendations provided by this tool: https://github.com/jtesta/ssh-audit.git