Gdestuynder (talk | contribs) (Automated sync from https://github.com/mozilla/wikimo_opsec) |
(Automated sync from https://github.com/mozilla/wikimo_opsec) |
||
Line 58: | Line 58: | ||
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | ||
LogLevel VERBOSE | LogLevel VERBOSE | ||
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. | |||
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO | |||
# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user: | # Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user: | ||
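Review bot: The added Subsystem line hard-codes /usr/lib/ssh/sftp-server, which is not where every distribution installs the binary (RedHat/CentOS uses /usr/libexec/openssh/sftp-server and Debian/Ubuntu uses /usr/lib/openssh/sftp-server), so a copy-pasted config can leave sftp broken. Either add a comment telling readers to adjust the path for their distribution, or use "Subsystem sftp internal-sftp -f AUTHPRIV -l INFO", which takes the same logging flags and needs no path.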
Line 96: | Line 99: | ||
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | ||
LogLevel VERBOSE | LogLevel VERBOSE | ||
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. | |||
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO | |||
# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user: | # Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user: | ||
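Review bot: The added "Subsystem sftp ..." line does not say that it replaces the Subsystem sftp entry most distribution sshd_config files already ship with. sshd refuses to start when the sftp subsystem is defined twice, so the comment above the line should tell readers to edit or remove the existing entry rather than append this one, and to validate the result with sshd -t before reloading.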
Line 118: | Line 124: | ||
|} | |} | ||
==== OpenSSH 6.3+ (default) ==== | |||
File: <code>/etc/ssh/sshd_config</code> | |||
<source> | |||
# IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd | |||
# "PasswordAuthentication no" is not sufficient! | |||
PubkeyAuthentication yes | |||
PasswordAuthentication no | |||
AuthenticationMethods publickey,keyboard-interactive:pam | |||
KbdInteractiveAuthentication yes | |||
UsePAM yes | |||
# Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd. | |||
UseLogin no | |||
</source> | |||
==== OpenSSH 5.3+ w/ RedHat/CentOS patch (old) ==== | |||
File: <code>/etc/ssh/sshd_config</code> | File: <code>/etc/ssh/sshd_config</code> | ||
<source> | <source> | ||
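Review bot: The "IMPORTANT" comment at the top of the new OpenSSH 6.3+ block says passwords must be disabled in /etc/pam.d/sshd but does not say how or point anywhere. With "AuthenticationMethods publickey,keyboard-interactive:pam", a PAM stack that still includes the distribution's password module makes the account password the second factor instead of the OTP/Duo prompt. Please reference the /etc/pam.d/sshd example further down the page from this comment. Separately, since the heading covers "6.3+", note that UseLogin was removed in OpenSSH 7.4 and is reported as a deprecated option there.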
Line 126: | Line 147: | ||
PasswordAuthentication no | PasswordAuthentication no | ||
ChallengeResponseAuthentication yes | ChallengeResponseAuthentication yes | ||
UsePAM yes | |||
# Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd. | # Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd. | ||
UseLogin no | UseLogin no | ||
</source> | </source> | ||
PAM configuration for use with the [ | PAM configuration for use with the [https://www.nongnu.org/oath-toolkit/ OATH Toolkit] or [https://www.duosecurity.com DuoSecurity] as second authentication factor. | ||
File: <code>/etc/pam.d/sshd</code> | File: <code>/etc/pam.d/sshd</code> | ||
Line 153: | Line 175: | ||
* When CHACHA20 (OpenSSH 6.5+) is not available, AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html disclose the packet length] - giving some information to the attacker. Only recent OpenSSH servers and client support CHACHA20. | * When CHACHA20 (OpenSSH 6.5+) is not available, AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html disclose the packet length] - giving some information to the attacker. Only recent OpenSSH servers and client support CHACHA20. | ||
* NIST curves (<code>ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256</code>) are listed for compatibility, but the use of <code>curve25519</code> is [ | * NIST curves (<code>ecdh-sha2-nistp512,ecdh-sha2-nistp384,ecdh-sha2-nistp256</code>) are listed for compatibility, but the use of <code>curve25519</code> is [https://safecurves.cr.yp.to/ generally preferred]. | ||
* SSH protocol 2 supports [https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange DH] and [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman ECDH] key-exchange as well as [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy]. | * SSH protocol 2 supports [https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange DH] and [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman ECDH] key-exchange as well as [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy]. | ||
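Review bot: The NIST curves bullet touched by this link fix lists "ecdh-sha2-nistp512", which is not a real key-exchange name; the algorithm is ecdh-sha2-nistp521. Since the line is being edited anyway, correct the name so readers copying it into KexAlgorithms do not end up with an unsupported algorithm entry.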
Line 215: | Line 237: | ||
# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''. | # ED25519 keys are favored over RSA keys when backward compatibility ''is not required''. | ||
# This is only compatible with OpenSSH 6. | # This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes). | ||
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz" | $ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz" | ||
</source> | </source> | ||
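Review bot: The completed comment now reads "fixed-size (256 bytes)", but Ed25519 keys are 256 bits (32 bytes). Please change the unit to bits so the comment does not overstate the key size by a factor of eight.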
Line 230: | Line 252: | ||
* Usage of machine keys should be registered in an inventory (a wiki page, ldap, an inventory database), to allow for rapid auditing of key usage across an infrastructure. | * Usage of machine keys should be registered in an inventory (a wiki page, ldap, an inventory database), to allow for rapid auditing of key usage across an infrastructure. | ||
* The machine keys should be unique per usage. Each new usage (different service, different script called, etc.) should use a new, different key. | * The machine keys should be unique per usage. Each new usage (different service, different script called, etc.) should use a new, different key. | ||
* Only used when strictly necessary. | |||
* Restrict privileges of the account (i.e. no root or "sudoer" machine account). | |||
* Using a ForceCommand returning only the needed results, or only allowing the machine to perform SSH-related tasks such as tunneling is prefered. | |||
* Disable sftp if not needed as it exposes more surface and different logging mechanisms than SSH (and thus scp) itself. | |||
File: <code>/etc/ssh/sshd_config</code> | |||
<source> | |||
Match User machine_user | |||
Subsystem sftp /bin/false | |||
</source> | |||
==== Multi-factor bypass setup for machine keys ==== | |||
Machine keys do not play well with multi-factor authentication as there is no human interaction. | |||
* All logins from machine accounts should be protected by an additional authentication layer (VPN, another machine, etc.). | |||
* All logins from machine accounts are only allowed within the private IP-space, and if possible, only the relevant machine source IPs should be accessible. | |||
File: <code>/etc/ssh/sshd_config</code> (OpenSSH 6.3+) | |||
<source> | |||
Match User machine_user Address 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 | |||
PubkeyAuthentication yes | |||
KbdInteractiveAuthentication no | |||
AuthenticationMethods publickey | |||
</source> | |||
File: <code>/etc/ssh/sshd_config</code> (OpenSSH 5.3+ w/ RedHat/CentOS patch) | |||
<source> | |||
Match User machine_user Address 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 | |||
RequiredAuthentications2 publickey | |||
</source> | |||
=== Auditing your existing SSH keys === | === Auditing your existing SSH keys === | ||
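Review bot: The "Disable sftp" example places "Subsystem sftp /bin/false" under "Match User machine_user", but the OpenSSH versions this page targets (5.3+, 6.3+) do not accept Subsystem inside a Match block; overriding Subsystem in Match was only added in OpenSSH 9.5, and older sshd rejects the config at load time. Suggest expressing the restriction with a directive that is valid in Match on those versions, for example the ForceCommand approach the previous bullet already recommends, or state the minimum OpenSSH version the snippet needs. Minor: "prefered" should be "preferred", and "Only used when strictly necessary" lacks a subject compared with the neighbouring bullets.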
Line 358: | Line 410: | ||
* [https://wiki.mozilla.org/Security/Key_Management Key Management] | * [https://wiki.mozilla.org/Security/Key_Management Key Management] | ||
* [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS] | * [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS] | ||
* [ | * [https://www.ietf.org/rfc/rfc4418.txt RFC4418 (umac)] | ||
* [http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt umac draft] | * [http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt umac draft] | ||
* [ | * [https://safecurves.cr.yp.to/ Safe curves] | ||
* [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html DJM blog] | * [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html DJM blog] | ||
* [https://stribika.github.io/2015/01/04/secure-secure-shell.html Stribika blog] | * [https://stribika.github.io/2015/01/04/secure-secure-shell.html Stribika blog] | ||
* [http://2013.diac.cr.yp.to/slides/gueron.pdf AES-GCM performance study] | * [http://2013.diac.cr.yp.to/slides/gueron.pdf AES-GCM performance study] | ||
* [ | * [https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html CHACHA20 vs AES-GCM performance study] | ||
* [http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain PROTOCOL.certkeys] | * [http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain PROTOCOL.certkeys] | ||
* [ | * [https://wiki.gnupg.org/rfc4880bis rfc44880bis from GnuPG] |
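Review bot: The last restored link is labelled "rfc44880bis from GnuPG" while its URL points to rfc4880bis; the label has an extra "4". Please fix the label to rfc4880bis so it matches the target document.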