From 23cd006724755dac1a8fb22e6dd0126d19d3a00c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 14:06:10 -0400 Subject: [PATCH 1/2] so-ssh-harden fixes * Change when script is run during setup * Add newlines to sshd config for legibility --- salt/common/tools/sbin/so-ssh-harden | 8 +++++++- setup/so-functions | 2 -- setup/so-setup | 1 + 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 1fd7d58d9..5891e4309 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -38,8 +38,12 @@ print_msg() { fi } +# Add newline to ssh for legibility +echo "" >> /etc/ssh/sshd_config + if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "ciphers" "After" echo "" @@ -51,6 +55,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "After" echo "" @@ -62,6 +67,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "macs" "After" echo "" 
@@ -73,6 +79,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "After" echo "" @@ -90,4 +97,3 @@ fi {% if grains['os'] != 'CentOS' %} print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." {% endif %} - diff --git a/setup/so-functions b/setup/so-functions index 29a58e718..deeefb3ba 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1436,8 +1436,6 @@ install_cleanup() { info "Removing so-setup permission entry from sudoers file" sed -i '/so-setup/d' /etc/sudoers fi - - so-ssh-harden -q } import_registry_docker() { diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..ba76b303e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -888,6 +888,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 85 'Applying finishing touches' filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 + so-ssh-harden -q >> $setup_log 2>&1 if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' From 982f2de33ce0e6025b49552345eb174f15652bc0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Mar 2021 09:48:00 -0400 Subject: [PATCH 2/2] [fix] Refactor so-ssh-harden * Create a temp file to make changes, and only copy back over if any changes are made * Test changes as they're made, and exit if the test fails * Only add lines if they don't already exist in the config --- salt/common/tools/sbin/so-ssh-harden | 152 +++++++++++++++++---------- 1 file changed, 98 insertions(+), 54 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 5891e4309..0e0b28b39 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden 
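Review bot: The exit status of `so-ssh-harden -q` is discarded on the added line in setup/so-setup, so a hardening run that fails (in the refactored script from PATCH 2/2 it exits 1 when the rewritten config does not pass `sshd -t`) leaves the host on the default cipher/kex/MAC lists while setup keeps going and reports success. Capture the status and surface it to the operator, e.g. `so-ssh-harden -q >> $setup_log 2>&1 || echo "so-ssh-harden failed; sshd hardening not applied, see $setup_log" >&2`, or whichever non-fatal warning helper so-setup already uses for this phase. The surrounding block of so-setup starts and ends outside the hunk.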
@@ -6,14 +6,16 @@ if [[ $1 =~ ^(-q|--quiet) ]]; then quiet=true fi +sshd_config=/etc/ssh/sshd_config +temp_config=/tmp/sshd_config + before= after= reload_required=false -print_sshd_t() { +check_sshd_t() { local string=$1 local state=$2 - echo "${state}:" local grep_out grep_out=$(sshd -T | grep "^${string}") @@ -23,8 +25,17 @@ print_sshd_t() { else after=$grep_out fi +} - echo $grep_out +print_diff() { + local type=$1 + local diff + diff=$(diff -dqbB <(echo $before) <(echo $after)) + + if [[ -n $diff ]]; then + printf '%s\n' "$type" "$diff" + echo "" + fi } print_msg() { 
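Review bot: `temp_config=/tmp/sshd_config` is a fixed name in a world-writable directory, and main() (a later hunk) copies the live config onto it as root, validates it, and then `mv -f`s it back over /etc/ssh/sshd_config. A local user who pre-creates that regular file keeps ownership of the file that ends up installed as the sshd configuration and can rewrite it between the `sshd -t` check and the `mv`; on a kernel without the `fs.protected_*` restrictions a symlink at that path would also redirect the root `cp`. Create the scratch file beside the target instead, `temp_config=$(mktemp "${sshd_config}.XXXXXX") || exit 1` with `trap 'rm -f -- "$temp_config"' EXIT`, and after the copy `chmod --reference="$sshd_config" "$temp_config"` so the 0600 mode mktemp uses does not replace the original mode. Staying on the same filesystem also avoids a cross-device `mv` from /tmp, which on the CentOS path may carry a tmp SELinux label onto the config — worth confirming if enforcing mode is in use.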
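Review bot: print_diff passes `-q` to diff, so the captured `$diff` is only a `Files /dev/fd/NN and /dev/fd/NN differ` line and the before/after algorithm lists the function exists to show are never printed. Either drop `-q` so `-dbB` produces the actual two-line diff, or print the values directly: `printf '%s\n' "$type" "Before: $before" "After: $after"`. Quoting the process substitutions (`<(printf '%s\n' "$before")`) would also stop the unquoted `echo $before` from word-splitting and glob-expanding the line.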
@@ -33,67 +44,100 @@ print_msg() { printf "%s\n" \ "----" \ "$msg" \ - "----" \ - "" + "----" fi } -# Add newline to ssh for legibility -echo "" >> /etc/ssh/sshd_config +add_if_missing() { + local string=$1 + if ! grep -q "$1" $temp_config; then + printf "%s\n\n" "$1" >> $temp_config + reload_required=true + fi +} -if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi -sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "ciphers" "After" - echo "" -fi +test_config() { + local msg + msg=$(sshd -t -f $temp_config) + local ret=$? -if [[ $before != $after ]]; then - reload_required=true -fi + if [[ -n $msg ]]; then + echo "Error found in temp sshd config:" + echo $msg + fi -if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi -sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "kexalgorithms" "After" - echo "" -fi + return $ret +} -if [[ $before != $after ]]; then - reload_required=true -fi +main() { + if ! [[ $quiet ]]; then echo "Copying current config to $temp_config"; fi + cp $sshd_config $temp_config -if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi -sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! 
[[ $quiet ]]; then - print_sshd_t "macs" "After" - echo "" -fi + # Add newline to ssh for legibility + echo "" >> $temp_config -if [[ $before != $after ]]; then - reload_required=true -fi + # Ciphers + check_sshd_t "ciphers" "Before" + local cipher_string + cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") -if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi -sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "hostkeyalgorithms" "After" - echo "" -fi + check_sshd_t "ciphers" "After" -if [[ $before != $after ]]; then - reload_required=true -fi + if ! [[ $quiet ]]; then print_diff "ciphers"; fi -if [[ $reload_required == true ]]; then - print_msg "Reloading sshd to load config changes..." - systemctl reload sshd -fi + if [[ $before != $after ]]; then + add_if_missing "$cipher_string" && test_config || exit 1 + fi -{% if grains['os'] != 'CentOS' %} -print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." -{% endif %} + # KexAlgorithms + check_sshd_t "kexalgorithms" "Before" + + local kexalg_string + kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") + + check_sshd_t "kexalgorithms" "After" + + if ! 
[[ $quiet ]]; then print_diff "kexalgorithms"; fi + + if [[ $before != $after ]]; then + add_if_missing "$kexalg_string" && test_config || exit 1 + fi + + # Macs + check_sshd_t "macs" "Before" + local macs_string + macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") + + check_sshd_t "macs" "After" + + if ! [[ $quiet ]]; then print_diff "macs"; fi + + if [[ $before != $after ]]; then + add_if_missing "$mac_string" && test_config || exit 1 + fi + + # HostKeyAlgorithms + check_sshd_t "hostkeyalgorithms" "Before" + local hostkeyalg_string + hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") + + check_sshd_t "hostkeyalgorithms" "After" + + if ! [[ $quiet ]]; then print_diff "hostkeyalgorithms"; fi + + if [[ $before != $after ]]; then + add_if_missing "$hostkeyalg_string" && test_config || exit 1 + fi + + if [[ $reload_required == true ]]; then + mv -f $temp_config $sshd_config + if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes..."; fi + systemctl reload sshd + print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." + else + if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up."; fi + rm -f $temp_config + fi +} + +main
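Review bot: The `[[ $before != $after ]]` guards in main() can never be true, so none of the hardening lines are ever appended: check_sshd_t runs `sshd -T` against the live /etc/ssh/sshd_config on both the "Before" and "After" calls, and nothing modifies that file until the final `mv`, so the two readings are identical and reload_required stays false on every run. Compare the effective line with the filtered string instead (`if [[ $before != "$cipher_string" ]]; then`), append before taking the "After" reading, and have check_sshd_t (defined in an earlier hunk) read the scratch file with `sshd -T -f "$temp_config"` so "After" reflects the pending change. The MACs section also passes `"$mac_string"`, which is unset — the variable assigned is `macs_string` — so `grep -q ""` matches any line and the MACs entry would never be written even with the guard fixed. In test_config, `sshd -t` reports parse errors on stderr, so `$msg` stays empty on failure and the "Error found in temp sshd config:" message never prints; use `msg=$(sshd -t -f "$temp_config" 2>&1)`.
```shell
    # Ciphers
    check_sshd_t "ciphers" "Before"
    local cipher_string
    # … unchanged: cipher_string=$(echo "$before" | sed …) …

    # Compare the effective list with the hardened one; a second sshd -T
    # read of the untouched live config is always equal to the first.
    if [[ $before != "$cipher_string" ]]; then
        add_if_missing "$cipher_string" && test_config || exit 1
    fi

    # Re-read after the append; check_sshd_t must run sshd -T -f "$temp_config"
    check_sshd_t "ciphers" "After"
    if ! [[ $quiet ]]; then print_diff "ciphers"; fi

    # … unchanged: same pattern for kexalgorithms, macs (pass "$macs_string"), hostkeyalgorithms …
```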