Source: openssh Severity: critical Tags: patch security Justification: root security hole
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The latest batch of Snowden documents[1] has shown that misbehaving nationstates can decrypt many of the SSH ciphers at least some of the time. Every debian system ships with openssh-server and many rely on openssh in varied environments. The Debian defaults should be changed to fix this vulnerability. The attached patch updates openssh-server debian defaults through the postinst script according to bettercrypto.org[2], stribika[3] and my own work [4] by doing the following: - - only uses known secure Ciphers, KexAlgorithms and MACs - - deletes moduli smaller than 2048-bits - - disables known-insecure NIST ECDSA keys, Protocol 1 keys and 1024-bit DSA keys - - generates 4096-bit RSA host keys by default (instead of the upstream default 2048) Regards, Kacper Wysocki [1] http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html [2] http://bettercrypto.org/ [3] https://stribika.github.io/2015/01/04/secure-secure-shell.html [4] http://kacper.blog.redpill-linpro.com/archives/702 - -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system)
diff -burd openssh-6.7p1.orig/debian/openssh-server.postinst openssh-6.7p1/debian/openssh-server.postinst
--- openssh-6.7p1.orig/debian/openssh-server.postinst 2014-11-03 21:29:20.000000000 +0100
+++ openssh-6.7p1/debian/openssh-server.postinst 2015-01-07 18:12:15.867093225 +0100
@@ -82,14 +82,12 @@
 # defaults depending on the setting of Protocol.
 protocol="$(get_config_option Protocol)"
 [ "$protocol" ] || protocol=1,2
- if echo "$protocol" | grep 1 >/dev/null; then
- echo /etc/ssh/ssh_host_key
- fi
 if echo "$protocol" | grep 2 >/dev/null; then
 echo /etc/ssh/ssh_host_rsa_key
- echo /etc/ssh/ssh_host_dsa_key
- echo /etc/ssh/ssh_host_ecdsa_key
 echo /etc/ssh/ssh_host_ed25519_key
+ elif echo "$protocol" | grep 1 >/dev/null; then
+ # no choice but fall back to proto 1
+ echo /etc/ssh/ssh_host_key
 fi
 fi
 }
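Review bot: The new `elif` branch still reports `/etc/ssh/ssh_host_key` as a required key for a Protocol-1-only configuration, but the second hunk removes the `create_key ... -t rsa1` call, so nothing in the patched create_keys will ever generate that file and the path ends up in `$hostkeys` with no key behind it. Either drop the fallback together with the rsa1 generation, or have the branch warn instead of naming a key, e.g. `echo "Protocol 1 host keys are no longer generated; set Protocol 2" >&2`. The unanchored `grep 1` / `grep 2` substring tests are pre-existing, but they now decide which hunk-2 path runs, so anchoring them on the comma-separated value would be worth doing at the same time. host_keys_required starts before this hunk.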
@@ -115,23 +113,34 @@
 fi
 }
-
 create_keys() {
 hostkeys="$(host_keys_required)"
- create_key "Creating SSH1 key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
 create_key "Creating SSH2 RSA key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
- create_key "Creating SSH2 DSA key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
- create_key "Creating SSH2 ECDSA key; this may take some time ..." \
- "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096
 create_key "Creating SSH2 ED25519 key; this may take some time ..." \
 "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
 }
+filter_keys() {
+ hostkeys="$(host_keys_required)"
+ protocol="$(get_config_option Protocol)"
+ if echo "$protocol" | grep 2 >/dev/null &&
+ echo "$hostkeys" | grep 'HostKey .*ssh_host_rsa_key' >/dev/null 2>&1 ||
+ echo "$hostkeys" | grep 'HostKey .*ssh_host_ed25519_key' >/dev/null 2>&1; then
+ # protocol 1 is known broken, DSA is only 1024bit large, and ECDSA uses the NIST curves,
+ # so remove all of them
+ grep -ev '^ *HostKey .*ssh_host_(ecdsa|dsa)_key.*|^ *HostKey .*ssh_host_key.*' /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ else
+ echo "Warning, you do not have any secure keys enabled in your SSH config" >&2
+ fi
+}
+
+
 fix_loglevel_silent() {
 if [ "$(get_config_option LogLevel)" = SILENT ]; then
@@ -183,8 +192,6 @@
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
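Review bot: `grep -ev '^ *HostKey ...'` in filter_keys is not an inverted extended-regex match: `-e` takes the rest of the option cluster as its pattern, so grep searches for the literal string `v`, treats the quoted regex as a second file operand, and writes every sshd_config line containing a `v` (prefixed with the file name, since two operands were given) to sshd_config.dpkg-new, which the following `mv` then installs as the live config; the line should read `grep -Ev '^ *HostKey .*ssh_host_(ecdsa|dsa)_key.*|^ *HostKey .*ssh_host_key.*' /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new`. The condition above it evaluates as `(protocol-2 && rsa) || ed25519` because `&&` and `||` bind equally in a shell list, and in the branch shown in the first hunk host_keys_required emits bare key paths, so the `HostKey .*` patterns look unable to match unless the branch outside that hunk formats its output differently — worth confirming against get_config_option. None of the grep/chown/chmod/mv steps is error-checked, so a failing grep still replaces sshd_config with partial output; `|| return 1` on the grep line, or running `sshd -t` on the new file before the `mv`, would keep a broken config from going live. filter_keys and create_keys are complete within the hunk; fix_loglevel_silent continues past it.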
@@ -193,6 +200,11 @@
 KeyRegenerationInterval 3600
 ServerKeyBits 1024
+# Better Crypto to counter bad state actors
+KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1...@openssh.com,aes256-ctr,aes128-ctr
+MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-ripemd160-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-...@openssh.com
+
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
@@ -314,6 +326,32 @@
 db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
 set_config_option PermitRootLogin without-password
 fi
+ if dpkg --compare-versions "$2" lt-nl 1:6.7p1-4; then
+ filter_keys
+ # upgrade kexalgorithm, ciphers and macs, but only when unset
+ if [ -z "$(get_config_option KexAlgorithms)" ]; then
+ set_config_option KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
+ fi
+ if [ -z "$(get_config_option Ciphers)" ]; then
+ set_config_option Ciphers chacha20-poly1...@openssh.com,aes256-ctr,aes128-ctr
+ fi
+ if [ -z "$(get_config_option MACs)" ]; then
+ set_config_option MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-ripemd160-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-...@openssh.com
+ fi
+ # delete small moduli
+ if [ -f /etc/ssh/moduli ]; then
+ awk '{ if ($5 > 2000){ print } }' /etc/ssh/moduli > /etc/ssh/moduli.dpkg-new
+ chown --reference /etc/ssh/moduli /etc/ssh/moduli.dpkg-new
+ chmod --reference /etc/ssh/moduli /etc/ssh/moduli.dpkg-new
+ mv /etc/ssh/moduli.dpkg-new /etc/ssh/moduli
+ else
+ echo "Generating moduli, this will take a long time.."
+ ssh-keygen -G /tmp/moduli -b 4096
+ ssh-keygen -T /etc/ssh/moduli -f /tmp/moduli
+ rm /tmp/moduli
+ fi
+
+ fi
 fi
 #DEBHELPER#
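Review bot: The algorithm names on the new `KexAlgorithms`, `Ciphers` and `MACs` template lines are shown truncated to `...@` on this page (the archive's address obfuscation), so their exact values cannot be checked here, and sshd refuses to start when any name in these three directives is unknown to it, which makes a transcription slip in the template a denial of the service on every fresh install. The same three lists are repeated verbatim in the set_config_option calls of the last hunk; keeping them in one shell variable that is expanded into both the heredoc and the upgrade path avoids the two copies drifting apart. `ServerKeyBits 1024` and `KeyRegenerationInterval 3600` survive just above the insertion although they apply only to Protocol 1, which this patch is removing, so a comment such as `# Protocol 1 only; kept for configurations that still enable it` or their removal would make the template consistent with the rest of the change.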
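Review bot: The fallback branch of the moduli block writes its candidates to the fixed path `/tmp/moduli` while running as root in a world-writable directory, and then removes it unconditionally; the name should come from `mktemp`, and the screened output should reach /etc/ssh/moduli only after `ssh-keygen -T` has succeeded, because a failure part-way through otherwise leaves a truncated moduli file in place. Screening 4096-bit candidates with `ssh-keygen -T` can also take hours, during which dpkg is blocked inside this postinst; when the file is missing, upstream sshd falls back to a built-in group, so skipping or deferring the generation may be the better trade-off. The `awk '{ if ($5 > 2000){ print } }'` filter keeps lines whose fifth field exceeds 2000, which matches the `2047`-style sizes recorded in a moduli file and the 2048-bit cutoff stated in the report, so that branch reads correctly, but its chown/chmod/mv steps are not error-checked either and a failed awk would still replace /etc/ssh/moduli unless the script runs under `set -e` (its header is outside the hunk). The enclosing `if [ "$1" = configure ... ]` block starts before this hunk.
```shell
# … unchanged: version check, filter_keys, KexAlgorithms/Ciphers/MACs updates, small-moduli filtering …
else
  echo "Generating moduli, this will take a long time.." >&2
  candidates="$(mktemp)" || exit 1
  screened="$(mktemp)" || exit 1
  # Install the screened set only if both steps succeed; a partial
  # /etc/ssh/moduli would otherwise go live on failure.
  if ssh-keygen -G "$candidates" -b 4096 \
     && ssh-keygen -T "$screened" -f "$candidates"; then
    chmod 0644 -- "$screened"   # mktemp creates 0600
    mv -- "$screened" /etc/ssh/moduli
  else
    rm -f -- "$screened" "$candidates"
    exit 1
  fi
  rm -f -- "$candidates"
fi
# … unchanged: closing fi of the version check …
```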