== Description ==
[[Kategorie:Kryptografie/Best Practice]]

== OpenSSH server ==

=== Configuration ===
Different versions of OpenSSH support different options which are not always compatible.
* This guide shows settings for the most commonly deployed OpenSSH versions at Mozilla; however, using the latest version of OpenSSH is recommended.

==== Modern (OpenSSH 6.7+) ====
File: <tt>/etc/ssh/sshd_config</tt>

<pre>
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey

# LogLevel VERBOSE logs user's key fingerprint on login.
# Needed to have a clear audit trail of which key was used to log in.
LogLevel VERBOSE

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Root login is not allowed for auditing reasons.
# This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id; however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.
PermitRootLogin No

# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox
</pre>

File: <tt>/etc/ssh/moduli</tt>

All Diffie-Hellman moduli in use should be at least 3072 bits long (they are used for <tt>diffie-hellman-group-exchange-sha256</tt>) as per our [https://wiki.mozilla.org/Security/Guidelines/Key_Management Security/Guidelines/Key_Management] recommendations.
* See also <tt>man moduli</tt>.

To deactivate short moduli in two commands: <tt>awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli</tt>

==== Intermediate (OpenSSH 5.3) ====
This is mainly for use by RHEL6, CentOS6, etc.
* which run older versions of OpenSSH.

File: <tt>/etc/ssh/sshd_config</tt>

<pre>
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

# Password based logins are disabled - only public key based logins are allowed.
RequiredAuthentications2 publickey

# RequiredAuthentications2 does not work on official OpenSSH 5.3 portable.
# If this is your case, use this instead:
#PubkeyAuthentication yes
#PasswordAuthentication no

# LogLevel VERBOSE logs user's key fingerprint on login.
# Needed to have a clear audit trail of which key was used to log in.
LogLevel VERBOSE

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Root login is not allowed for auditing reasons.
# This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id; however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.
PermitRootLogin No
</pre>

File: <tt>/etc/ssh/moduli</tt>

All Diffie-Hellman moduli in use should be at least 2048 bits long.
* From the structure of <tt>moduli</tt> files, this means the fifth field of all lines in this file should be greater than or equal to 2047.

To deactivate weak moduli in two commands: <tt>awk '$5 >= 2047' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli</tt>

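The moduli filter from the Modern (3071) and Intermediate (2047) sections, written as an added example that is not part of the original page: it keeps comment lines, counts what survives, and refuses to install a file with no entries left, since sshd(8) then falls back to fixed internal groups. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): size-filter a moduli(5) file
# without ever installing an empty result.

# filter_moduli SRC DST MIN
# Field 5 of an entry is the modulus size in bits minus one, so MIN is
# 3071 for 3072-bit moduli and 2047 for 2048-bit moduli.
# Prints the number of entries kept; returns 1 and leaves DST alone if none.
filter_moduli() {
    src=$1; dst=$2; min=$3
    tmp=$(mktemp "${dst}.XXXXXX") || return 2
    # Comment lines pass through; entries need a numeric field 5 >= MIN.
    awk -v min="$min" '
        /^#/ { print; next }
        $5 ~ /^[0-9]+$/ && $5 + 0 >= min
    ' "$src" > "$tmp"
    kept=$(awk '!/^#/ && NF { n++ } END { print n + 0 }' "$tmp")
    if [ "$kept" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    # mktemp creates the file 0600; restore the usual world-readable mode.
    chmod 644 "$tmp" && mv "$tmp" "$dst" && echo "$kept"
}

# Constructed sample in moduli(5) layout; the moduli are shortened dummies.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20120821044040 2 6 100 1023 5 C0FFEE01
20120821045830 2 6 100 2047 2 C0FFEE02
20120821050554 2 6 100 3071 2 C0FFEE03
20120821051045 2 6 100 4095 5 C0FFEE04
EOF
}

demo_dir=$(mktemp -d)
write_sample_moduli "$demo_dir/moduli"
echo "kept at >=3071: $(filter_moduli "$demo_dir/moduli" "$demo_dir/modern" 3071)"
echo "kept at >=2047: $(filter_moduli "$demo_dir/moduli" "$demo_dir/intermediate" 2047)"
filter_moduli "$demo_dir/moduli" "$demo_dir/none" 8191 || echo "refused: nothing >= 8191"
rm -rf "$demo_dir"
```
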
==== Multi-Factor Authentication (OpenSSH 6.3+) ====
Recent versions of OpenSSH support MFA (Multi-Factor Authentication).
* Using MFA is recommended where possible.

It requires additional setup, such as using the [http://www.nongnu.org/oath-toolkit/ OATH Toolkit] or [https://www.duosecurity.com/ DuoSecurity].

{| class="wikitable sortable"
|-
| <span>'''ATTENTION'''</span>
|-
| In order to allow using one time passwords (OTPs) and any other text input, Keyboard-interactive is enabled in OpenSSH.
* This ''MAY'' allow for password authentication to work.
* It is therefore very important to check your PAM configuration so that PAM disallows password authentication for OpenSSH.
|}

===== OpenSSH 6.3+ (default) =====
File: <tt>/etc/ssh/sshd_config</tt>

<pre>
# IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
# "PasswordAuthentication no" is not sufficient!
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
KbdInteractiveAuthentication yes
UsePAM yes
# Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
UseLogin no
</pre>

===== OpenSSH 5.3+ w/ RedHat/CentOS patch (old) =====
File: <tt>/etc/ssh/sshd_config</tt>

<pre>
# Allow keyboard-interactive.
# IMPORTANT: you will have to ensure OpenSSH cannot authenticate with passwords with PAM in /etc/pam.d/sshd
# "PasswordAuthentication no" is not sufficient!
RequiredAuthentications2 publickey,keyboard-interactive:skey
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
# Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
UseLogin no
</pre>

PAM configuration for use with the [https://www.nongnu.org/oath-toolkit/ OATH Toolkit] or [https://www.duosecurity.com/ DuoSecurity] as second authentication factor.

File: <tt>/etc/pam.d/sshd</tt>

<pre>
#%PAM-1.0
auth required pam_sepermit.so

# WARNING: make sure any password authentication module is disabled.
# Example: pam_unix.so, or "password-auth", "system-auth", etc.
#auth include password-auth

# Options to enable when using OATH toolkit
#auth requisite pam_oath.so usersfile=/etc/users.oath digits=6 window=20

# Options to enable when using DuoSecurity
#auth sufficient /lib64/security/pam_duo.so

account required pam_nologin.so
</pre>

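One way to check the PAM warning above mechanically, as an added example that is not part of the original page: it lists every uncommented <tt>auth</tt> entry in a PAM service file that references <tt>pam_unix.so</tt>, <tt>password-auth</tt> or <tt>system-auth</tt>. The function names and both sample files are constructed; other distributions may use differently named password stacks that would need adding to the pattern.

```shell
#!/bin/sh
# Added example (not from the original page): find active password modules in
# a PAM service file such as /etc/pam.d/sshd.

# pam_password_auth_lines FILE
# Prints "LINE: text" for each uncommented auth entry that references one of
# the names the page warns about: pam_unix.so, password-auth, system-auth.
pam_password_auth_lines() {
    awk '
        /^[[:space:]]*#/ { next }      # commented-out entries are inactive
        ($1 == "auth" || $1 == "-auth") &&
        /pam_unix\.so|password-auth|system-auth/ { printf "%d: %s\n", NR, $0 }
    ' "$1"
}

# pam_blocks_passwords FILE: succeeds only if no such entry is active.
pam_blocks_passwords() {
    [ -z "$(pam_password_auth_lines "$1")" ]
}

# Constructed sample 1: the page's file with the OATH line enabled.
write_good_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth required pam_sepermit.so
#auth include password-auth
auth requisite pam_oath.so usersfile=/etc/users.oath digits=6 window=20
account required pam_nologin.so
EOF
}

# Constructed sample 2: same file, but the password stack was left enabled.
write_bad_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
auth requisite pam_oath.so usersfile=/etc/users.oath digits=6 window=20
account required pam_nologin.so
EOF
}

d=$(mktemp -d)
write_good_pam "$d/good"; write_bad_pam "$d/bad"
pam_blocks_passwords "$d/good" && echo "good: no password module active"
pam_blocks_passwords "$d/bad" || { echo "bad: password module active:"; pam_password_auth_lines "$d/bad"; }
rm -rf "$d"
```
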
=== Ciphers and algorithms choice ===
* When CHACHA20 (OpenSSH 6.5+) is not available, AES-GCM (OpenSSH 6.1+) and any other algorithm using EtM (Encrypt then MAC) [http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html disclose the packet length] - giving some information to the attacker.
* Only recent OpenSSH servers and clients support CHACHA20.

* NIST curves (<tt>ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256</tt>) are listed for compatibility, but the use of <tt>curve25519</tt> is [https://safecurves.cr.yp.to/ generally preferred].

* SSH protocol 2 supports [https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange DH] and [https://en.wikipedia.org/wiki/Elliptic_curve_Diffie–Hellman ECDH] key-exchange as well as [https://en.wikipedia.org/wiki/Forward_secrecy forward secrecy].
* Regarding group sizes, please refer to [https://wiki.mozilla.org/Security/Guidelines/Key_Management Security/Guidelines/Key_Management].

The various algorithms supported by a particular OpenSSH version can be listed with the following commands:

<pre>
$ ssh -Q cipher
$ ssh -Q cipher-auth
$ ssh -Q mac
$ ssh -Q kex
$ ssh -Q key
</pre>

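Building on the <tt>ssh -Q</tt> listing, the following added example (not part of the original page) reports which entries of the <tt>Ciphers</tt>, <tt>MACs</tt> and <tt>KexAlgorithms</tt> lines in an <tt>sshd_config</tt> the local build does not offer, so a profile can be checked before it is rolled out to an older host. The function names are hypothetical, and <tt>old_build_query</tt> is a constructed stand-in for <tt>ssh -Q</tt> on a build without chacha20-poly1305 and curve25519 so that the demo runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): report algorithms named in an
# sshd_config that the local OpenSSH build does not list under `ssh -Q`.

# unsupported_algos CONFIG [QUERY...]
# QUERY is the command that lists algorithms for a type (default: ssh -Q).
# Prints "Directive algorithm" for each unsupported entry.
unsupported_algos() {
    cfg=$1; shift
    [ $# -gt 0 ] || set -- ssh -Q
    for pair in Ciphers:cipher MACs:mac KexAlgorithms:kex; do
        directive=${pair%%:*}; qtype=${pair#*:}
        supported=$("$@" "$qtype") || return 2
        # Take the directive's value, split on commas, test each entry.
        awk -v d="$directive" 'tolower($1) == tolower(d) { print $2 }' "$cfg" |
        tr ',' '\n' | while IFS= read -r algo; do
            [ -n "$algo" ] || continue
            printf '%s\n' "$supported" | grep -qxF -- "$algo" ||
                echo "$directive $algo"
        done
    done
}

# Constructed stand-in for `ssh -Q` on an older build.
old_build_query() {
    case $1 in
        cipher) printf '%s\n' aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com ;;
        mac)    printf '%s\n' hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-128@openssh.com umac-128-etm@openssh.com ;;
        kex)    printf '%s\n' ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 ;;
    esac
}

# The three algorithm lines of the page's Modern profile.
write_modern_config() {
    cat > "$1" <<'EOF'
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
}

d=$(mktemp -d)
write_modern_config "$d/sshd_config"
unsupported_algos "$d/sshd_config" old_build_query
rm -rf "$d"
# Against the real build: unsupported_algos /etc/ssh/sshd_config
```
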
[[Kategorie:SSH]]
[[Kategorie:Kryptografie]]