Tighten down some OpenSSH default settings

Status: RESOLVED FIXED
Product / Component: mozilla.org / MozillaBuild
Severity: critical
Reported: 2 years ago; last changed: 2 years ago
People: (Reporter: RyanVM, Assigned: RyanVM)
Attachments: 1
(Assignee)

Description

2 years ago
Needed to work around CVE-2016-0777. The global config lives in /etc/ssh/ssh_config.
(Assignee)

Comment 1

2 years ago
Going to use this as an opportunity to tighten down some other settings as well, like HashKnownHosts.
Summary: Add "UseRoaming no" to the global OpenSSH config → Tighten down some OpenSSH default settings
(Assignee)

Comment 2

2 years ago
I'm going off https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28OpenSSH_5.3.29 for recommended defaults.
(Assignee)

Comment 3

2 years ago
Created attachment 8708685
add some default openssh settings

Not that we have many good options with version 5.4. Any recommendations beyond these, Guillaume?
Attachment #8708685 - Flags: review?(gdestuynder)
Comment 4

Comment on attachment 8708685
add some default openssh settings

Review of attachment 8708685:
-----------------------------------------------------------------

TLDR: r+
Longer version:
The recommendations from the wiki page are accurate for OpenSSH 5.3 as a server, albeit your link points to the SSH daemon configuration (/etc/ssh/sshd_config, i.e. sshd/server). While it doesn't spell out the usage of OpenSSH 5.4 as a client (it has settings for recent clients only), OpenSSH 5.4 has the addition of roaming in particular (which is affected by CVE-2016-0777), which you have cared for in your config (r+!).

This is only necessary when SSH is used as a client though. We have audited the current setups to the best of our knowledge (i.e. when we get full reporting from the host / it's running audisp-json + mig).

For reference, SSH client (/etc/ssh/ssh_config, i.e. ssh/client) recommended settings are at https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28connects_to_older_servers.29 (again, since you have OpenSSH 5.4, which does not support all options, your config looks good to me).

Finally, the best would be to upgrade to a newer OpenSSH/distribution of course. If using IT-provided machines, AFAIK CentOS 7 will be available at the end of this quarter as per https://bugzilla.mozilla.org/show_bug.cgi?id=1019782
Attachment #8708685 - Flags: review?(gdestuynder) → review+
(Assignee)

Comment 5

2 years ago
Thanks for double-checking. Unfortunately, we're pretty much stuck on version 5.4 until we're able to drop MSYS1 in favor of msys2, which is probably a ways out still. Unless you know of any alternate Windows options? I know Microsoft has been working on one as well, but it's still considered pre-release.

https://hg.mozilla.org/mozilla-build/rev/8f49cd85c7ac
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 6

2 years ago
plink.exe (from PuTTY) can kinda/sorta be used as an ssh client stand-in for many use cases.