Hardening and support phone-home users

author: Mike Crute <mcrute@gmail.com> 2017-01-25 05:10:21 +0000
committer: Mike Crute <mcrute@gmail.com> 2017-01-25 05:10:21 +0000
commit: 36c74ae68f977335477fefd6d56058fbbce5c14d (patch)
tree: 155c1a838a62f3b8b7e9f2dd565c5a0da0242a4a /ssh-bastion
parent: 23f411a3cbed26f6f57299596657c2bc56f54256 (diff)
download: dockerfiles-36c74ae68f977335477fefd6d56058fbbce5c14d.tar.bz2
dockerfiles-36c74ae68f977335477fefd6d56058fbbce5c14d.tar.xz
dockerfiles-36c74ae68f977335477fefd6d56058fbbce5c14d.zip
1 files changed, 30 insertions, 10 deletions
diff --git a/ssh-bastion/etc/sshd_config b/ssh-bastion/etc/sshd_config
index dd65731..3177765 100644
--- a/ssh-bastion/etc/sshd_config
+++ b/ssh-bastion/etc/sshd_config
@@ -1,7 +1,6 @@
 # vim:set ft=sshdconfig
 HostKey /srv/ssh/hostkeys/rsa_key
-HostKey /srv/ssh/hostkeys/ecdsa_key
 HostKey /srv/ssh/hostkeys/ed25519_key
 # By default SSH attempts to chdir to the logged-in user's home directory.  The
@@ -14,18 +13,11 @@ Protocol 2
 # Bind a port above 1024 so we can run ssh as an unpriviledged user
 Port 4321
-PermitTTY no
-#ForceCommand /bin/false
 SyslogFacility AUTH
 LogLevel INFO
 PrintLastLog yes
-PidFile /var/run/sshd.pid
 StrictModes yes
+PidFile /var/run/sshd.pid
-AuthorizedKeysFile /srv/ssh/users/%u/ssh
 PubkeyAuthentication yes
 HostbasedAuthentication no
@@ -33,6 +25,7 @@ IgnoreRhosts yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 RhostsRSAAuthentication no
+AuthorizedKeysFile /srv/ssh/users/%u/ssh
 UsePAM yes
 UseLogin no
@@ -40,13 +33,24 @@ PermitRootLogin no
 ChallengeResponseAuthentication yes
 AuthenticationMethods publickey,keyboard-interactive:pam
+# Limit the number of authentication attemps per connection. SSH will log
+# failues once attempts reach half this number so this should also log all
+# authentication failures as well.
+PermitTTY no
+MaxAuthTries 2
+ForceCommand /usr/bin/nologin
+# Disable all interactive sessions. Users will still be allowed to jump through
+# the host but not be allowed to login or run any commands.
+MaxSessions 0
 # Use an unprivileged child process to accept connections and
 # authenticate the user before spinning up another process as
 # the user.
 UsePrivilegeSeparation yes
 # This turns off reverse lookups of the originating host which hang sshd
-# on DNS timeouts when DNS is down.  This also breaks "from=" lines in
+# on DNS timeouts when DNS is down. This also breaks "from=" lines in
 # authorizd_keys files which must be converted to dotted quad ip addrs.
 UseDNS no
@@ -76,3 +80,19 @@ MaxSessions 100
 X11Forwarding no
 PrintMotd no
+# Used hardened crypto algorithms
+# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+# Enable gateway ports for phone-home bastions so that administrators can
+# connect back to the forwarded ports without needing ssh access to the bastion
+# host itself. Also locks down what can be forwarded and to where.
+Match user phonehome
+    GatewayPorts yes
+    AuthenticationMethods publickey
+    AllowTcpForwarding remote
+    PermitOpen none
+Match all
author	Mike Crute <mcrute@gmail.com>	2017-01-25 05:10:21 +0000
committer	Mike Crute <mcrute@gmail.com>	2017-01-25 05:10:21 +0000
commit	36c74ae68f977335477fefd6d56058fbbce5c14d (patch)
tree	155c1a838a62f3b8b7e9f2dd565c5a0da0242a4a /ssh-bastion
parent	23f411a3cbed26f6f57299596657c2bc56f54256 (diff)
download	dockerfiles-36c74ae68f977335477fefd6d56058fbbce5c14d.tar.bz2 dockerfiles-36c74ae68f977335477fefd6d56058fbbce5c14d.tar.xz dockerfiles-36c74ae68f977335477fefd6d56058fbbce5c14d.zip

diff --git a/ssh-bastion/etc/sshd_config b/ssh-bastion/etc/sshd_config index dd65731..3177765 100644 --- a/ssh-bastion/etc/sshd_config +++ b/ssh-bastion/etc/sshd_config
@@ -1,7 +1,6 @@
1	# vim:set ft=sshdconfig	1	# vim:set ft=sshdconfig
2		2
3	HostKey /srv/ssh/hostkeys/rsa_key	3	HostKey /srv/ssh/hostkeys/rsa_key
4	HostKey /srv/ssh/hostkeys/ecdsa_key
5	HostKey /srv/ssh/hostkeys/ed25519_key	4	HostKey /srv/ssh/hostkeys/ed25519_key
6		5
7	# By default SSH attempts to chdir to the logged-in user's home directory. The	6	# By default SSH attempts to chdir to the logged-in user's home directory. The
@@ -14,18 +13,11 @@ Protocol 2
14	# Bind a port above 1024 so we can run ssh as an unpriviledged user	13	# Bind a port above 1024 so we can run ssh as an unpriviledged user
15	Port 4321	14	Port 4321
16		15
17	PermitTTY no
18	#ForceCommand /bin/false
19
20	SyslogFacility AUTH	16	SyslogFacility AUTH
21	LogLevel INFO	17	LogLevel INFO
22	PrintLastLog yes	18	PrintLastLog yes
23
24	PidFile /var/run/sshd.pid
25
26	StrictModes yes	19	StrictModes yes
27		20	PidFile /var/run/sshd.pid
28	AuthorizedKeysFile /srv/ssh/users/%u/ssh
29		21
30	PubkeyAuthentication yes	22	PubkeyAuthentication yes
31	HostbasedAuthentication no	23	HostbasedAuthentication no
@@ -33,6 +25,7 @@ IgnoreRhosts yes
33	PasswordAuthentication no	25	PasswordAuthentication no
34	PermitEmptyPasswords no	26	PermitEmptyPasswords no
35	RhostsRSAAuthentication no	27	RhostsRSAAuthentication no
		28	AuthorizedKeysFile /srv/ssh/users/%u/ssh
36		29
37	UsePAM yes	30	UsePAM yes
38	UseLogin no	31	UseLogin no
@@ -40,13 +33,24 @@ PermitRootLogin no
40	ChallengeResponseAuthentication yes	33	ChallengeResponseAuthentication yes
41	AuthenticationMethods publickey,keyboard-interactive:pam	34	AuthenticationMethods publickey,keyboard-interactive:pam
42		35
		36	# Limit the number of authentication attemps per connection. SSH will log
		37	# failues once attempts reach half this number so this should also log all
		38	# authentication failures as well.
		39	PermitTTY no
		40	MaxAuthTries 2
		41	ForceCommand /usr/bin/nologin
		42
		43	# Disable all interactive sessions. Users will still be allowed to jump through
		44	# the host but not be allowed to login or run any commands.
		45	MaxSessions 0
		46
43	# Use an unprivileged child process to accept connections and	47	# Use an unprivileged child process to accept connections and
44	# authenticate the user before spinning up another process as	48	# authenticate the user before spinning up another process as
45	# the user.	49	# the user.
46	UsePrivilegeSeparation yes	50	UsePrivilegeSeparation yes
47		51
48	# This turns off reverse lookups of the originating host which hang sshd	52	# This turns off reverse lookups of the originating host which hang sshd
49	# on DNS timeouts when DNS is down. This also breaks "from=" lines in	53	# on DNS timeouts when DNS is down. This also breaks "from=" lines in
50	# authorizd_keys files which must be converted to dotted quad ip addrs.	54	# authorizd_keys files which must be converted to dotted quad ip addrs.
51	UseDNS no	55	UseDNS no
52		56
@@ -76,3 +80,19 @@ MaxSessions 100
76		80
77	X11Forwarding no	81	X11Forwarding no
78	PrintMotd no	82	PrintMotd no
		83
		84	# Used hardened crypto algorithms
		85	# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
		86	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
		87	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
		88	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
		89
		90	# Enable gateway ports for phone-home bastions so that administrators can
		91	# connect back to the forwarded ports without needing ssh access to the bastion
		92	# host itself. Also locks down what can be forwarded and to where.
		93	Match user phonehome
		94	GatewayPorts yes
		95	AuthenticationMethods publickey
		96	AllowTcpForwarding remote
		97	PermitOpen none
		98	Match all