cookbook 'ssh-hardening', '= 1.3.0'
ssh-hardening
(20) Versions
1.3.0
-
Follow38
This cookbook installs and provides secure ssh and sshd configurations.
cookbook 'ssh-hardening', '= 1.3.0', :supermarket
knife supermarket install ssh-hardening
knife supermarket download ssh-hardening
ssh-hardening (Chef cookbook)
Description
This cookbook provides secure ssh-client and ssh-server configurations.
Requirements
- Chef >= 12.5.1
Platform
- Debian 7, 8
- Ubuntu 12.04, 14.04, 16.04
- RHEL 6, 7
- CentOS 6, 7
- Oracle Linux 6, 7
- Fedora 23, 24
- OpenSuse Leap 42.1
- OpenSuse 13.2
Attributes
-
['network']['ipv6']['enable']
- true if IPv6 is needed -
['ssh'][{'client', 'server'}]['cbc_required']
- true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. -
['ssh'][{'client', 'server'}]['weak_hmac']
- true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. -
['ssh'][{'client', 'server'}]['weak_kex']
- true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. -
['ssh']['client']['roaming']
- enable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled. -
['ssh']['allow_root_with_key']
-false
to disable root login altogether. Set totrue
to allow root to login via key-based mechanism. -
['ssh']['ports']
- ports to which ssh-server should listen to and ssh-client should connect to -
['ssh']['listen_to']
- one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons! -
['ssh']['remote_hosts']
- one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons! -
['ssh']['allow_tcp_forwarding']
-false
to disable TCP Forwarding. Set totrue
to allow TCP Forwarding -
['ssh']['allow_agent_forwarding']
-false
to disable Agent Forwarding. Set totrue
to allow Agent Forwarding -
['ssh']['allow_x11_forwarding']
-false
to disable X11 Forwarding. Set totrue
to allow X11 Forwarding -
['ssh']['use_pam']
-false
to disable pam authentication -
['ssh']['print_motd']
-false
to disable printing of the MOTD -
['ssh']['print_last_log']
-false
to disable display of last login information -
['ssh']['banner']
-nil
to disable banner or provide a path like '/etc/issue.net' -
['ssh']['max_auth_tries']
- controlsMaxAuthTries
; the number of authentication attempts per connection. -
['ssh']['max_sessions']
- controlsMaxSessions
; the number of sessions per connection. -
['ssh']['deny_users']
-[]
to configureDenyUsers
, if specified login is disallowed for user names that match one of the patterns. -
['ssh']['allow_users']
-[]
to configureAllowUsers
, if specified, login is allowed only for user names that match one of the patterns. -
['ssh']['deny_groups']
-[]
to configureDenyGroups
, if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -
['ssh']['allow_groups']
-[]
to configureAllowGroups
, if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. -
['ssh']['use_dns']
-nil
to configure if sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. -
['ssh']['sftp']['enable']
-false
to disable the SFTP feature of OpenSSHd. Set totrue
to enable SFTP. -
['ssh']['sftp']['group']
-sftponly
to configure theMatch Group
option of SFTP to allow SFTP only for dedicated users -
['ssh']['sftp']['chroot']
-/home/%u
to configure the directory where the SFTP user should be chrooted
Data Bags
DEPRECATION WARNING: Support for managing authorized_keys for the root account will be removed from this cookbook in the next major release. Please use alternative cookbooks for that.
This cookbook used to handle authorized keys for the root user, but that support will be removed in the next major release. Use other cookbooks to set up your users.
Old behaviour:
Have users in your data_bag/users/
directory. This cookbook looks for users inside this folder with a ssh_rootkey
.
Example:
First you have to find out the ssh-key of the user you want to allow. A typical example for this is
cat ~/.ssh/id_rsa.pub
If that folder doesn't exist or you don't know what this is all about, please read a SSH tutorial for your blend of operating system first.
You can now add this key to the data bag. Example for dada:
Example for data_bags/users/dada.json
{
"id" : "dada",
// ... other stuff ...
"ssh_rootkey" : "ssh-rsa AAAA....mail.com"
}
You can then access
ssh dada@yourmachines
Usage
Add the recipes to the run_list:
"recipe[ssh-hardening]"
This will install ssh-server and ssh-client. You can alternatively choose only one via:
"recipe[ssh-hardening::server]"
"recipe[ssh-hardening::client]"
Configure attributes:
"ssh" : {
"listen_to" : "10.2.3.4"
}
The default value for listen_to
is 0.0.0.0
. It is highly recommended to change the value.
SFTP
To enable the SFTP configuration add one of the following recipes to the run_list:
"recipe[ssh-hardening]"
or
"recipe[ssh-hardening::server]"
Configure attributes:
"ssh" : {
"sftp" : {
"enable" : true,
"chroot" : "/home/sftp/%u",
"group" : "sftusers"
}
}
This will enable the SFTP Server and chroot every user in the sftpusers
group to the /home/sftp/%u
directory.
Local Testing
For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See Vagrant Downloads for a vagrant package suitable for your system. For all our tests we use test-kitchen
. If you are not familiar with test-kitchen
please have a look at their guide. We are writing our test with InSpec.
Next install test-kitchen:
# Install dependencies gem install bundler bundle install # Do lint checks bundle exec rake lint # fast test on one machine bundle exec kitchen test default-ubuntu-1204 # test on all machines bundle exec kitchen test # for development bundle exec kitchen create default-ubuntu-1204 bundle exec kitchen converge default-ubuntu-1204
For more information see test-kitchen
FAQ / Pitfalls
I can't log into my account. I have registered the client key, but it still doesn't let me it.
If you have exhausted all typical issues (firewall, network, key missing, wrong key, account disabled etc.), it may be that your account is locked. The quickest way to find out is to look at the password hash for your user:
sudo grep myuser /etc/shadow
If the hash includes an !
, your account is locked:
myuser:!:16280:7:60:7:::
The proper way to solve this is to unlock the account (passwd -u myuser
). If the user doesn't have a password, you should can unlock it via:
usermod -p "*" myuser
Alternatively, if you intend to use PAM, you enabled it via ['ssh']['use_pam'] = true
. PAM will allow locked users to get in with keys.
Why doesn't my application connect via SSH anymore?
Always look into log files first and if possible look at the negotation between client and server that is completed when connecting.
We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
If you find this isn't enough, feel free to activate the attributes cbc_requires
for ciphers, weak_hmac
for MACs and weak_kex
for KEX in the namespaces ['ssh']['client']
or ['ssh']['server']
based on where you want to support them.
Why can't I log to the SFTP server after I added a user to my SFTP group?
This is a ChrootDirectory ownership problem. sshd will reject SFTP connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd considers insecure. sshd's strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable by the owner. So, for example, if the chroot environment is /home must be owned by root.
See https://wiki.archlinux.org/index.php/SFTP_chroot
Deprecation Notices
node['ssh']['cbc_required']
has been deprecated in favour ofnode['ssh']['client']['cbc_required']
andnode['ssh']['server']['cbc_required']
.node['ssh']['weak_hmac']
has been deprecated in favour ofnode['ssh']['client']['weak_hmac']
andnode['ssh']['server']['weak_hmac']
.node['ssh']['weak_kex']
has been deprecated in favour ofnode['ssh']['client']['weak_kex']
andnode['ssh']['server']['weak_kex']
.The old attributes are still supported but will be removed in the future. In case one of the legacy attributes is set, it still precedes the newly added attributes to allow for backward compatibility.
Contributors + Kudos
- Dominik Richter arlimus
- Christoph Hartmann chris-rock
- Bernhard Weisshuhn (a.k.a. bernhorst) bkw
- Patrick Munch atomic111
- Edmund Haselwanter ehaselwanter
- Dana Merrick dmerrick
- Anton Rieder aried3r
- Trent Petersen Rockstar04
- Petri Sirkkala sirkkalap
- Jan Klare jklare
- Zac Hallett zhallett
- Petri Sirkkala sirkkalap
- stribika
This cookbook is mostly based on guides by:
- NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5
- Deutsche Telekom, Group IT Security, Security Requirements (German)
Thanks to all of you!!
Contributing
See [contributor guideline](CONTRIBUTING.md).
License and Author
- Author:: Dominik Richter dominik.richter@googlemail.com
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
Change Log
v1.3.0 (2016-11-15)
Implemented enhancements:
- Support for OpenSuse Leap, new enterprise distro of SUSE #128 (artem-sidorenko)
- Avoid duplicate resource names because of warnings #127 (artem-sidorenko)
Closed issues:
- Allow to configure ChallengeResponseAuthentication (currently it's hardcoded to no) #125
- Make LoginGraceTime configurable #116
- Failures when running kitchen test with tests-compliance-ssh profile #113
- ERROR: Role ssh (included by 'top level') is in the runlist but does not exist #101
- Allow to configure MaxAuthTries #100
- Default value for ['ssh']['allow_tcp_forwarding'] breaks Chef Zero #93
- Wrong detection of os version number on debian 8 #85
Merged pull requests:
- Distro information for supermarket #138 (artem-sidorenko)
- Allow login grace time to be configurable #132 (artem-sidorenko)
- Allow to configure ChallengeResponseAuthentication #131 (artem-sidorenko)
- Configurable SSH Banner File #130 (sidxz)
- Update kitchen vagrant configuration #129 (artem-sidorenko)
- Parameterise Banner and DebianBanner as attributes #126 (tsenart)
- Update Rubocop, Foodcritic, and Chefspec coverage #124 (shortdudey123)
v1.2.1 (2016-09-25)
Implemented enhancements:
- add suse and opensuse support #122 (chris-rock)
- activate fedora integration tests in travis #120 (chris-rock)
Merged pull requests:
- Fix deprecation warnings #123 (operatingops)
- Use bracket syntax in attributes/default.rb #121 (aried3r)
- Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 #119 (atomic111)
- change hardening-io to dev-sec domain for build status and code coverage #118 (atomic111)
v1.2.0 (2016-05-29)
Implemented enhancements:
- add changelog generator #104 (chris-rock)
Closed issues:
- SFTP not configurable #110
- default to 'UseRoaming no' #109
- Consider using blank config_disclaimer by default #94
Merged pull requests:
- Document MaxAuthTries and MaxSessions added in 66e7ebfd #115 (bazbremner)
- Use new InSpec integration tests #114 (atomic111)
- Add conditional to cover systemd in Ubuntu 15.04+ #112 (elijah)
- Feature/sftp #111 (jmara)
- Disable experimental client roaming #108 (ascendantlogic)
- Made MaxAuthTries and MaxSessions configurable #107 (runningman84)
- added inspec support (kitchen.yml and Gemfile) #106 (atomic111)
- Apply PasswordAuthentication attribute to SSH #105 (SteveLowe)
- Configurable PasswordAuthentication #102 (sumitgoelpw)
- x11 forwarding should be configurable like tcp and agent forwarding #99 (patcon)
v1.1.0 (2015-04-28)
Closed issues:
- Use new "UseDNS" openssh default #81
- UseDNS no #79
- Debian 8.0 (Jessie) ships with OpenSSH 6.7p1, enable modern algos #77
- Allow management of allow/deny users #75
- update tutorial.md #55
v1.0.3 (2015-01-14)
Closed issues:
- Suggestion: Don't populate /root/.ssh/authorized_keys by default #69
- prefer etm MACs #66
- disable sha1-based key exchanges #64
v1.0.2 (2015-01-12)
Closed issues:
- release on supermarket #62
- host_key_files should not include ssh_host_ecdsa_key on every host #61
- Protocol 1 options while SSH 2 is hard coded #57
- Configuration of root keys via databag and attributes #37
- Bad ciphers on debian 7.0 #25
- update ssh service on changes #24
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
1.3.0 passed this metric
Foodcritic Metric
1.3.0 passed this metric
1.3.0 passed this metric
1.3.0 passed this metric