Tighten down some OpenSSH default settings

2 years ago

(Reporter: RyanVM, Assigned: RyanVM)

(1 attachment)

2 years ago
Needed to work around CVE-2016-0777. The global config lives in /etc/ssh/ssh_config.

Comment 1

2 years ago
Going to use this as an opportunity to tighten down some other settings as well, like HashKnownHosts.
Summary: Add "UseRoaming no" to the global OpenSSH config → Tighten down some OpenSSH default settings

Comment 2

2 years ago
I'm going off https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28OpenSSH_5.3.29 for recommended defaults.

Comment 3

2 years ago
Created attachment 8708685 [details] [diff] [review]
add some default openssh settings

Not that we have many good options with version 5.4. Any recommendations beyond these, Guillaume?
Attachment #8708685 - Flags: review?(gdestuynder)
Comment on attachment 8708685 [details] [diff] [review]
add some default openssh settings

Review of attachment 8708685 [details] [diff] [review]:

TLDR: r+
Longer version:
The recommendations from the wiki page are accurate for OpenSSH 5.3 as a server, albeit your link points to the SSH daemon configuration (/etc/ssh/sshd_config i.e. sshd/server). While it doesn't spell out the usage of OpenSSH 5.4 as a client (it has settings for recent clients only), OpenSSH 5.4 has the addition of roaming in particular (which is affected by CVE-2016-0777), which you have cared for in your config (r+!).

This is only necessary when SSH is used as a client though. We have audited the current setups to the best of our knowledge (i.e. when we get full reporting from the host/it's running audisp-json + mig).

For reference, SSH client (/etc/ssh/ssh_config, i.e. ssh/client) recommended settings are at https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28connects_to_older_servers.29 (Again since you have OpenSSH 5.4 this does not support all options and your config looks good to me).

Finally, the best would be to upgrade to a newer OpenSSH/distribution of course. If using IT-provided machines, AFAIK CentOS 7 will be available at the end of this quarter as per https://bugzilla.mozilla.org/show_bug.cgi?id=1019782
Attachment #8708685 - Flags: review?(gdestuynder) → review+
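The script below is an added example, not the bug's attachment, Mozilla's wiki guidance, or anything the reviewer posted. It audits the global section of an OpenSSH client config (/etc/ssh/ssh_config, the file the first comment and the review both point at) for the two settings this thread names: `UseRoaming no` (the CVE-2016-0777 workaround) and `HashKnownHosts yes`. It assumes the common `Keyword value` line syntax (not `Keyword=value`), treats everything before the first `Host`/`Match` block as global, and honours OpenSSH's first-match-wins rule for repeated keywords. The two sample configs it runs against are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an ssh_config for UseRoaming / HashKnownHosts.
# Assumes "Keyword value" syntax; only the global section (before any
# Host/Match block) is inspected, and the first occurrence of a keyword wins,
# matching how ssh(1) resolves options.

# Print the global value of one keyword (lower-cased), or "unset".
ssh_config_get() {
    key="$1"; file="$2"
    awk -v key="$key" '
        tolower($1) == "host" || tolower($1) == "match" { exit }  # end of global section
        /^[[:space:]]*#/ || NF == 0 { next }                       # comments and blanks
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$file"
}

# Return 0 when both hardening settings are present; print one FAIL line
# per missing setting so the output can be grepped by a config checker.
audit_ssh_config() {
    file="$1"; rc=0
    roaming=$(ssh_config_get UseRoaming "$file")
    if [ "$roaming" != "no" ]; then
        echo "FAIL: UseRoaming is '$roaming' (expected 'no', CVE-2016-0777 workaround)"
        rc=1
    fi
    hashing=$(ssh_config_get HashKnownHosts "$file")
    if [ "$hashing" != "yes" ]; then
        echo "FAIL: HashKnownHosts is '$hashing' (expected 'yes')"
        rc=1
    fi
    return $rc
}

# Constructed sample configs so the script runs stand-alone.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Weak: roaming left at the client's built-in default, and HashKnownHosts
# only set inside a Host block, so it does not apply globally.
cat > "$WEAK_CFG" <<'EOF'
# stock-looking client config
ForwardAgent no
Host example
    HashKnownHosts yes
EOF

# Hardened: both settings in the global section, as the patch in this bug intends.
cat > "$HARDENED_CFG" <<'EOF'
UseRoaming no
HashKnownHosts yes
Host example
    ForwardAgent no
EOF

audit_ssh_config "$WEAK_CFG" || echo "weak config: audit failed as expected"
audit_ssh_config "$HARDENED_CFG" && echo "hardened config: audit passed"
```

Run it against a real host with `audit_ssh_config /etc/ssh/ssh_config`; a clean exit status means both keywords are set globally, so a `Host`-scoped override in a later block is the main thing left to review by hand.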

Comment 5

2 years ago
Thanks for double-checking. Unfortunately, we're pretty much stuck on version 5.4 until we're able to drop MSYS1 in favor of msys2, which is probably a ways out still. Unless you know of any alternate Windows options? I know Microsoft has been working on one as well, but it's still considered pre-release.

Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 6

2 years ago
plink.exe (from PuTTY) can kinda/sorta be used as an ssh client stand-in for many use cases.