SSH: optional KexAlgorithms, Ciphers and MACs to harden security. closes https://github.com/opnsense/core/issues/3975
parent
005f7744f4
commit
5df590cd13
@ -173,6 +173,15 @@ function openssh_configure_do($verbose = false, $interface = '')
|
||||
$sshconf .= "ChallengeResponseAuthentication no\n";
|
||||
$sshconf .= "PasswordAuthentication no\n";
|
||||
}
|
||||
if (!empty($sshcfg['kex'])) {
|
||||
$sshconf .= "KexAlgorithms {$sshcfg['kex']}\n";
|
||||
}
|
||||
if (!empty($sshcfg['ciphers'])) {
|
||||
$sshconf .= "Ciphers {$sshcfg['ciphers']}\n";
|
||||
}
|
||||
if (!empty($sshcfg['macs'])) {
|
||||
$sshconf .= "MACs {$sshcfg['macs']}\n";
|
||||
}
|
||||
foreach ($keys_all as $name) {
|
||||
$file = "/conf/sshd/{$name}";
|
||||
if (!file_exists($file)) {
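Review bot: The three new directives write `$sshcfg['kex']`, `$sshcfg['ciphers']` and `$sshcfg['macs']` into sshd_config verbatim, and nothing visible in this commit checks them against the names `ssh -Q` reports: the save hunk in system_advanced_admin.php (`@ -235,6 +239,11 @@`) implodes the posted `ssh-kex[]`/`ssh-ciphers[]`/`ssh-macs[]` arrays straight into `$config`, unless validation happens earlier in that POST handler outside the hunk. An unknown algorithm name makes sshd reject its configuration at the next reload, which locks out remote administration, and because the value is interpolated unescaped it should only ever contain known algorithm names. Intersect each posted list with the configd query result before storing it, e.g. `$valid = json_decode(configd_run("openssh query kex"), true);` followed by `$pconfig['ssh-kex'] = array_values(array_intersect((array)$pconfig['ssh-kex'], is_array($valid) ? $valid : array()));`, and likewise for ciphers (`cipher`) and macs (`mac`). openssh_configure_do() continues outside the hunk.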
|
||||
|
||||
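--- a/src/opnsense/scripts/openssh/ssh_query.py
+++ b/src/opnsense/scripts/openssh/ssh_query.py
@@ -0,0 +1,43 @@
+#!/usr/local/bin/python3
+
+"""
+Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import subprocess
+import ujson
+import argparse
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('option', help='query option', choices=['kex', 'mac', 'cipher'])
+    args = parser.parse_args()
+
+    result = list()
+    for l in subprocess.run(['/usr/local/bin/ssh', '-Q', args.option], capture_output=True).stdout.decode().split('\n'):
+        if len(l.strip()) > 1:
+            result.append(l.strip())
+    sorted(result)
+    print(ujson.dumps(result))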
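Review bot: `sorted(result)` on the line before the `print` discards its return value, so the list is emitted in `ssh -Q` output order rather than sorted; `result.sort()` (or `result = sorted(result)`) is the statement that was intended. The `subprocess.run` call also ignores the exit status and stderr of `/usr/local/bin/ssh`, so a failing query prints `[]` and the form silently offers no algorithms; passing `check=True`, or testing `returncode` before building the list, would make that failure visible in the configd log. The argument handed to ssh is bounded by argparse `choices`, so it can only be one of the three literal names, which is the right shape for a configd action that takes a caller-supplied `%s`.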
@ -15,3 +15,9 @@ command:/bin/pkill -TERM sshd
|
||||
parameters:
|
||||
type:script
|
||||
message:stopping openssh
|
||||
|
||||
[query]
|
||||
command:/usr/local/opnsense/scripts/openssh/ssh_query.py
|
||||
parameters: %s
|
||||
type:script_output
|
||||
message: query options %s
|
||||
|
||||
@ -66,6 +66,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
$pconfig['enablesshd'] = $config['system']['ssh']['enabled'];
|
||||
$pconfig['sshport'] = $config['system']['ssh']['port'];
|
||||
$pconfig['sshinterfaces'] = !empty($config['system']['ssh']['interfaces']) ? explode(',', $config['system']['ssh']['interfaces']) : array();
|
||||
$pconfig['ssh-kex'] = !empty($config['system']['ssh']['kex']) ? explode(',', $config['system']['ssh']['kex']) : array();
|
||||
$pconfig['ssh-ciphers'] = !empty($config['system']['ssh']['ciphers']) ? explode(',', $config['system']['ssh']['ciphers']) : array();
|
||||
$pconfig['ssh-macs'] = !empty($config['system']['ssh']['macs']) ? explode(',', $config['system']['ssh']['macs']) : array();
|
||||
|
||||
/* XXX listtag "fun" */
|
||||
$pconfig['sshlogingroup'] = !empty($config['system']['ssh']['group'][0]) ? $config['system']['ssh']['group'][0] : null;
|
||||
$pconfig['sshpasswordauth'] = isset($config['system']['ssh']['passwordauth']);
|
||||
@ -235,6 +239,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
|
||||
$config['system']['ssh']['interfaces'] = !empty($pconfig['sshinterfaces']) ? implode(',', $pconfig['sshinterfaces']) : null;
|
||||
|
||||
$config['system']['ssh']['kex'] = !empty($pconfig['ssh-kex']) ? implode(',', $pconfig['ssh-kex']) : null;
|
||||
$config['system']['ssh']['ciphers'] = !empty($pconfig['ssh-ciphers']) ? implode(',', $pconfig['ssh-ciphers']) : null;
|
||||
$config['system']['ssh']['macs'] = !empty($pconfig['ssh-macs']) ? implode(',', $pconfig['ssh-macs']) : null;
|
||||
|
||||
|
||||
if (!empty($pconfig['enablesshd'])) {
|
||||
$config['system']['ssh']['enabled'] = 'enabled';
|
||||
} elseif (isset($config['system']['ssh']['enabled'])) {
|
||||
@ -709,6 +718,60 @@ $(document).ready(function() {
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_sshkex" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Key exchange algorithms"); ?></td>
|
||||
<td>
|
||||
<select name="ssh-kex[]" class="selectpicker" multiple="multiple" data-live-search="true" title="<?=gettext("System defaults");?>">
|
||||
<?php
|
||||
$options = json_decode(configd_run("openssh query kex"), true);
|
||||
foreach ($options = empty($options) ? array() : $options as $option):?>
|
||||
<option value="<?=$option;?>" <?= !empty($pconfig['ssh-kex']) && in_array($option, $pconfig['ssh-kex']) ? 'selected="selected"' : '' ?>>
|
||||
<?=$option;?>
|
||||
</option>
|
||||
<?php
|
||||
endforeach;?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_sshkex">
|
||||
<?=gettext("The key exchange methods that are used to generate per-connection keys");?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_sshciphers" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Ciphers"); ?></td>
|
||||
<td>
|
||||
<select name="ssh-ciphers[]" class="selectpicker" multiple="multiple" data-live-search="true" title="<?=gettext("System defaults");?>">
|
||||
<?php
|
||||
$options = json_decode(configd_run("openssh query cipher"), true);
|
||||
foreach ($options = empty($options) ? array() : $options as $option):?>
|
||||
<option value="<?=$option;?>" <?= !empty($pconfig['ssh-ciphers']) && in_array($option, $pconfig['ssh-ciphers']) ? 'selected="selected"' : '' ?>>
|
||||
<?=$option;?>
|
||||
</option>
|
||||
<?php
|
||||
endforeach;?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_sshciphers">
|
||||
<?=gettext("The ciphers to encrypt the connection");?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_sshmacs" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("MACs"); ?></td>
|
||||
<td>
|
||||
<select name="ssh-macs[]" class="selectpicker" multiple="multiple" data-live-search="true" title="<?=gettext("System defaults");?>">
|
||||
<?php
|
||||
$options = json_decode(configd_run("openssh query mac"), true);
|
||||
foreach ($options = empty($options) ? array() : $options as $option):?>
|
||||
<option value="<?=$option;?>" <?= !empty($pconfig['ssh-macs']) && in_array($option, $pconfig['ssh-macs']) ? 'selected="selected"' : '' ?>>
|
||||
<?=$option;?>
|
||||
</option>
|
||||
<?php
|
||||
endforeach;?>
|
||||
</select>
|
||||
<div class="hidden" data-for="help_for_sshmacs">
|
||||
<?=gettext("The message authentication codes used to detect traffic modification");?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<div class="content-box tab-content table-responsive __mb">
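Review bot: The three `<option value="<?=$option;?>">` lines and the matching `<?=$option;?>` labels echo the configd query result into the HTML without output encoding; the escaping convention of the rest of this form is outside the hunk, so I cannot tell whether this matches it. Today the values are algorithm names from `ssh -Q`, so the exposure is low, but encoding at the output point keeps the template safe if the query source or its output ever changes: `<option value="<?=htmlspecialchars($option);?>" ...>` and `<?=htmlspecialchars($option);?>` for the label. The `foreach ($options = empty($options) ? array() : $options as $option):` header hides an assignment inside the loop expression; `$options = json_decode(configd_run("openssh query kex"), true) ?: array();` on the preceding line, then `foreach ($options as $option):`, reads more plainly, and the same applies to the cipher and mac blocks. Each page load also runs three configd queries whose result is static for the installed OpenSSH; a single query per page, or caching in the script, would avoid the repeated subprocess spawn.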
|
||||
|
||||