diff --git a/connectivity/openssh/centos/build_srpm.data b/connectivity/openssh/centos/build_srpm.data
index b24625715..c428b1f1d 100644
--- a/connectivity/openssh/centos/build_srpm.data
+++ b/connectivity/openssh/centos/build_srpm.data
@@ -1,2 +1 @@
-COPY_LIST="$FILES_BASE/*"
-TIS_PATCH_VER=8
+TIS_PATCH_VER=9
diff --git a/connectivity/openssh/centos/files/ssh_config b/connectivity/openssh/centos/files/ssh_config
deleted file mode 100644
index b21f26311..000000000
--- a/connectivity/openssh/centos/files/ssh_config
+++ /dev/null
@@ -1,48 +0,0 @@
-# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
-
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-Host *
- ForwardAgent yes
- ForwardX11 yes
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
-UseRoaming no
diff --git a/connectivity/openssh/centos/files/sshd_config b/connectivity/openssh/centos/files/sshd_config
deleted file mode 100644
index a0fa9fbc0..000000000
--- a/connectivity/openssh/centos/files/sshd_config
+++ /dev/null
@@ -1,129 +0,0 @@
-# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# Disable legacy (protocol version 1) support in the server for new
-# installations. In future the default will change to require explicit
-# activation of protocol 1
-Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-
-LoginGraceTime 1m
-PermitRootLogin without-password
-#StrictModes yes
-MaxAuthTries 4
-#MaxSessions 10
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-AllowAgentForwarding no
-AllowTcpForwarding no
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-UsePrivilegeSeparation yes
-PermitUserEnvironment no
-Compression no
-ClientAliveInterval 15
-ClientAliveCountMax 4
-# Make SSH connect faster on bootup
-UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-#ChrootDirectory none
-
-# default banner path
-Banner /etc/issue.net
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
-DenyUsers admin secadmin operator
-# Filtered cipher, MAC and key exchange algorithm list, defaults can be
-# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
-# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
-# using "-" should be used for cipher, MAC and kex excluded suites.
-Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
-MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
diff --git a/connectivity/openssh/centos/meta_patches/PATCH_ORDER b/connectivity/openssh/centos/meta_patches/PATCH_ORDER
index 2add864ec..4b4e860e3 100644
--- a/connectivity/openssh/centos/meta_patches/PATCH_ORDER
+++ b/connectivity/openssh/centos/meta_patches/PATCH_ORDER
@@ -5,3 +5,5 @@ openssh-spec-file-add-init.patch
 0001-Update-package-versioning-for-TIS-format.patch
 openssh-init-script-kill-old-instances-on-start.patch
 0001-Further-parallelize-openssh-build.patch
+spec-remove-TC-config-files.patch
+spec-harden-server-and-client-config.patch
diff --git a/connectivity/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch b/connectivity/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch
new file mode 100644
index 000000000..506c47d09
--- /dev/null
+++ b/connectivity/openssh/centos/meta_patches/spec-harden-server-and-client-config.patch
@@ -0,0 +1,40 @@
+From 099d1c1f3376673e9a3c5747c87c8c756c883ce6 Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Thu, 22 Mar 2018 11:45:26 -0400
+Subject: [PATCH 1/1] CGTS-9265: patch to harden server and client config
+
+Replace the hardcoded sshd_config and ssh_config files with patches
+to openssh.
+
+Signed-off-by: Andy Ning
+---
+ SPECS/openssh.spec | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
+index 7ee5bd8..7c464a2 100644
+--- a/SPECS/openssh.spec
++++ b/SPECS/openssh.spec
+@@ -240,6 +240,9 @@ Patch955: openssh-7.4p1-sandbox-ibmca.patch
+ # Back to UseDNS=yes by default (#1478175)
+ Patch956: openssh-7.4p1-usedns-yes.patch
+ 
++# WRS: harden server and client config
++Patch1000: harden-server-and-client-config.patch
++
+ License: BSD
+ Group: Applications/Internet
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+@@ -494,6 +497,9 @@ popd
+ 
+ %patch100 -p1 -b .coverity
+ 
++# WRS
++%patch1000 -p1 -b .harden
++
+ %if 0
+ # Nothing here yet
+ %endif
+--
+1.8.3.1
+
diff --git a/connectivity/openssh/centos/meta_patches/spec-remove-TC-config-files.patch b/connectivity/openssh/centos/meta_patches/spec-remove-TC-config-files.patch
new file mode 100644
index 000000000..a8148be5c
--- /dev/null
+++ b/connectivity/openssh/centos/meta_patches/spec-remove-TC-config-files.patch
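Review bot: `%patch1000 -p1 -b .harden` is applied directly after `%patch100`, but the hardening patch it applies deletes a `#UseDNS yes` line in sshd_config, which appears to be the state that Patch956 (`openssh-7.4p1-usedns-yes.patch`, declared two lines above the new `Patch1000`) leaves behind; if `%patch956` is applied later in `%prep` this hunk will not apply, and the rest of the patch-application sequence is outside this hunk. Apply it as the last patch in `%prep` and record the dependency next to it: `# WRS: must run after %patch956 (both edit the UseDNS line of sshd_config)`. The `-b .harden` backups also leave `sshd_config.harden` and `ssh_config.harden` in the build tree, so check that `%install` does not glob them into the package.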
@@ -0,0 +1,40 @@
+From a0a4b7c9e1cdc4d77c2e6aa61d74e3898aca86a5 Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Tue, 20 Mar 2018 10:14:56 -0400
+Subject: [PATCH 1/1] CGTS-9265: remove TC specific config files
+
+The hardcoded sshd_config and ssh_config files are replaced by
+patches to openssh.
+---
+ SPECS/openssh.spec | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
+index 72ec438..7ee5bd8 100644
+--- a/SPECS/openssh.spec
++++ b/SPECS/openssh.spec
+@@ -88,10 +88,6 @@ Source11: sshd.service
+ Source12: sshd-keygen.service
+ Source13: sshd-keygen
+ 
+-# WRS
+-Source14: sshd_config
+-Source15: ssh_config
+-
+ # Internal debug
+ Patch0: openssh-5.9p1-wIm.patch
+ 
+@@ -689,10 +685,6 @@ make install DESTDIR=$RPM_BUILD_ROOT
+ popd
+ %endif
+ 
+-# WRS: Overwrite with our config
+-install -m 0640 %{SOURCE14} $RPM_BUILD_ROOT/etc/ssh/sshd_config
+-install -m 0644 %{SOURCE15} $RPM_BUILD_ROOT/etc/ssh/ssh_config
+-
+ %clean
+ rm -rf $RPM_BUILD_ROOT
+ 
+--
+1.8.3.1
+
diff --git a/connectivity/openssh/centos/patches/harden-server-and-client-config.patch b/connectivity/openssh/centos/patches/harden-server-and-client-config.patch
new file mode 100644
index 000000000..a5899f238
--- /dev/null
+++ b/connectivity/openssh/centos/patches/harden-server-and-client-config.patch
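Review bot: The deleted `install -m 0640 %{SOURCE14} $RPM_BUILD_ROOT/etc/ssh/sshd_config` line was what pinned the installed sshd_config mode; after this hunk the mode comes solely from the spec's `%files` attributes, which are outside the hunk, so confirm that entry still keeps `sshd_config` (it now carries `DenyUsers` and the whole algorithm policy) unreadable to non-root. If that entry is `%config(noreplace)`, a host whose sshd_config was edited locally keeps its old file on upgrade and receives the patched one only as `sshd_config.rpmnew`, so the hardening silently does not land there; the previous unconditional overwrite did not have that gap. That trade-off deserves a sentence in the patch description, e.g. `Note: sshd_config is now a packaged config file; locally modified copies are not replaced on upgrade.`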
@@ -0,0 +1,133 @@
+From 5f272d70827454c71a650018786c444116927348 Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Thu, 22 Mar 2018 10:16:08 -0400
+Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
+
+The patch hardened ssh server and client security, specifically
+removed support of sha1 base kex algrorithms as found by Nessus
+scan.
+---
+ ssh_config | 3 +++
+ sshd_config | 47 ++++++++++++++++++++++++++++------------------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/ssh_config b/ssh_config
+index d1c83ea..3320eb0 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -66,3 +66,6 @@ Host *
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
++
++# Filtered key exchange algorithm list
++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+diff --git a/sshd_config b/sshd_config
+index 6bbb86b..122dee3 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
+ HostKey /etc/ssh/ssh_host_ed25519_key
+ 
+ # Ciphers and keying
+-#RekeyLimit default none
++RekeyLimit default 1h
+ 
+ # Logging
+ #SyslogFacility AUTH
+-SyslogFacility AUTHPRIV
+-#LogLevel INFO
++#SyslogFacility AUTHPRIV
++LogLevel INFO
+ 
+ # Authentication:
+ 
+-#LoginGraceTime 2m
+-#PermitRootLogin yes
++LoginGraceTime 1m
++PermitRootLogin no
+ #StrictModes yes
+-#MaxAuthTries 6
++MaxAuthTries 4
+ #MaxSessions 10
+ 
+ #PubkeyAuthentication yes
+@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
+ #KerberosUseKuserok yes
+ 
+ # GSSAPI options
+-GSSAPIAuthentication yes
+-GSSAPICleanupCredentials no
++GSSAPIAuthentication no
++GSSAPICleanupCredentials yes
+ #GSSAPIStrictAcceptorCheck yes
+ #GSSAPIKeyExchange no
+ #GSSAPIEnablek5users no
+@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
+ # problems.
+ UsePAM yes
+ 
+-#AllowAgentForwarding yes
+-#AllowTcpForwarding yes
++AllowAgentForwarding no
++AllowTcpForwarding no
+ #GatewayPorts no
+-X11Forwarding yes
++X11Forwarding no
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
+@@ -106,21 +106,22 @@ X11Forwarding yes
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #UseLogin no
+-#UsePrivilegeSeparation sandbox
++UsePrivilegeSeparation yes
+ #PermitUserEnvironment no
+-#Compression delayed
+-#ClientAliveInterval 0
+-#ClientAliveCountMax 3
++Compression no
++ClientAliveInterval 15
++ClientAliveCountMax 4
+ #ShowPatchLevel no
+-#UseDNS yes
++# Make SSH connect faster on bootup
++UseDNS no
+ #PidFile /var/run/sshd.pid
+ #MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+ 
+-# no default banner path
+-#Banner none
++# default banner path
++Banner /etc/issue.net
+ 
+ # Accept locale-related environment variables
+ AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+@@ -129,7 +130,7 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ AcceptEnv XMODIFIERS
+ 
+ # override default of no subsystems
+-Subsystem sftp /usr/libexec/sftp-server
++Subsystem sftp /usr/libexec/openssh/sftp-server
+ 
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
+ # AllowTcpForwarding no
+ # PermitTTY no
+ # ForceCommand cvs server
++DenyUsers admin secadmin operator
++# Filtered cipher, MAC and key exchange algorithm list, defaults can be
++# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
++# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
++# using "-" should be used for cipher, MAC and kex excluded suites.
++Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
++MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
++KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+--
+1.8.3.1
+
diff --git a/connectivity/openssh/files/add-roaming-no-option-ssh-config.patch b/connectivity/openssh/files/add-roaming-no-option-ssh-config.patch
deleted file mode 100644
index 6bf7f1739..000000000
--- a/connectivity/openssh/files/add-roaming-no-option-ssh-config.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-Index: 6.2p2-r5.5/ssh_config
-===================================================================
---- 6.2p2-r5.5.orig/ssh_config
-+++ 6.2p2-r5.5/ssh_config
-@@ -45,3 +45,4 @@ Host *
- # PermitLocalCommand no
- # VisualHostKey no
- KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
-+UseRoaming no
diff --git a/connectivity/openssh/files/sshd-security-hardening-and-disabling-password-based-rootssh.patch b/connectivity/openssh/files/sshd-security-hardening-and-disabling-password-based-rootssh.patch
deleted file mode 100644
index 03a53eec3..000000000
--- a/connectivity/openssh/files/sshd-security-hardening-and-disabling-password-based-rootssh.patch
+++ /dev/null
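Review bot: `UsePrivilegeSeparation yes` in the sshd_config part of this patch is a regression rather than a hardening: the line it replaces, `#UsePrivilegeSeparation sandbox`, shows the build's default is `sandbox`, and an explicit `yes` keeps privilege separation but switches off the pre-authentication sandbox. Leave that line commented out, or write `UsePrivilegeSeparation sandbox`. The commit title promises removal of SHA-1 key exchange, yet the new `MACs` line still enables `hmac-sha1`, `hmac-sha1-etm@openssh.com`, the `hmac-ripemd160*` variants and the 64-bit `umac-64*` MACs, so the `# Filtered cipher, MAC and key exchange algorithm list` comment overstates what is filtered and a scanner that flags SHA-1 MACs will presumably keep reporting them. If SHA-1 is meant to go everywhere, reduce the line to `MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com`; otherwise state in the comment that only the kex list is filtered. The `Ciphers` and `KexAlgorithms` lines already avoid SHA-1 and need no change.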
@@ -1,78 +0,0 @@
----
-- sshd_config | 27 +++++++++++++++------------
-- 1 file changed, 15 insertions(+), 12 deletions(-)
-
---- a/sshd_config
-+++ b/sshd_config
-@@ -33,14 +33,14 @@ Protocol 2
- # Logging
- # obsoletes QuietMode and FascistLogging
- #SyslogFacility AUTH
--#LogLevel INFO
-+LogLevel INFO
- 
- # Authentication:
- 
--#LoginGraceTime 2m
--#PermitRootLogin yes
-+LoginGraceTime 1m
-+PermitRootLogin without-password
- #StrictModes yes
--#MaxAuthTries 6
-+MaxAuthTries 4
- #MaxSessions 10
- 
- #RSAAuthentication yes
-@@ -59,7 +59,7 @@ Protocol 2
- 
- # To disable tunneled clear text passwords, change to no here!
- #PasswordAuthentication yes
--#PermitEmptyPasswords no
-+PermitEmptyPasswords no
- 
- # Change to no to disable s/key passwords
- ChallengeResponseAuthentication no
-@@ -85,10 +85,10 @@ ChallengeResponseAuthentication no
- # and ChallengeResponseAuthentication to 'no'.
- UsePAM yes
- 
--#AllowAgentForwarding yes
--#AllowTcpForwarding yes
-+AllowAgentForwarding no
-+AllowTcpForwarding no
- #GatewayPorts no
--#X11Forwarding no
-+X11Forwarding no
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PrintMotd yes
-@@ -96,18 +96,19 @@ UsePAM yes
- #TCPKeepAlive yes
- #UseLogin no
- UsePrivilegeSeparation yes
--#PermitUserEnvironment no
-+PermitUserEnvironment no
- Compression no
- ClientAliveInterval 15
- ClientAliveCountMax 4
--#UseDNS yes
-+# Make SSH connect faster on bootup
-+UseDNS no
- #PidFile /var/run/sshd.pid
- #MaxStartups 10
- #PermitTunnel no
- #ChrootDirectory none
- 
--# no default banner path
--#Banner none
-+# default banner path
-+Banner /etc/issue.net
- 
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-@@ -117,3 +118,5 @@ Subsystem sftp /usr/libexec/sftp-server
- # X11Forwarding no
- # AllowTcpForwarding no
- # ForceCommand cvs server
-+DenyUsers admin secadmin operator
-+