From 49dc104dd75ff7c84380c7a098954a1ce4190f5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Thu, 23 Mar 2023 19:09:29 +0000 Subject: [PATCH] chore: push sandbox and tester images from Deb10 to Deb11 Also remove old config files from previsously dropped OS versions --- .github/workflows/tests.yml | 6 +- bin/admin/install | 6 +- docker/Dockerfile.sandbox | 2 +- docker/Dockerfile.tester | 2 +- etc/ssh/ssh_config.debian7 | 113 ---------------------------- etc/ssh/ssh_config.debian8 | 118 ----------------------------- etc/ssh/sshd_config.debian7 | 122 ------------------------------ etc/ssh/sshd_config.debian8 | 146 ------------------------------------ 8 files changed, 7 insertions(+), 508 deletions(-) delete mode 100644 etc/ssh/ssh_config.debian7 delete mode 100644 etc/ssh/ssh_config.debian8 delete mode 100644 etc/ssh/sshd_config.debian7 delete mode 100644 etc/ssh/sshd_config.debian8 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index a3bec06..49e24ea 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -6,13 +6,13 @@ on: jobs: tests_short: - name: Short (deb10 only, no cc) + name: Short (deb11 only, no cc) runs-on: ubuntu-latest if: contains(github.event.pull_request.labels.*.name, 'tests:short') steps: - uses: actions/checkout@v2 - - name: run tests inside a debian10 docker - run: tests/functional/docker/docker_build_and_run_tests.sh debian10 --skip-consistency-check --no-pause-on-fail + - name: run tests inside a debian11 docker + run: tests/functional/docker/docker_build_and_run_tests.sh debian11 --skip-consistency-check --no-pause-on-fail env: DOCKER_TTY: false diff --git a/bin/admin/install b/bin/admin/install index a2c2072..efaf704 100755 --- a/bin/admin/install +++ b/bin/admin/install @@ -272,10 +272,8 @@ if [ "${opt[modify-ssh-config]}" = 1 ] || [ "${opt[modify-sshd-config]}" = 1 ] ; filesuffix=$short_suffix_name elif [ "$OS_FAMILY" = Linux ]; then if [ "$LINUX_DISTRO" = ubuntu ]; then - if [ "$DISTRO_VERSION_MAJOR" -le 14 ]; then - filesuffix=debian7 - elif [ "$DISTRO_VERSION_MAJOR" -le 16 ]; then - filesuffix=debian8 + if [ "$DISTRO_VERSION_MAJOR" -le 16 ]; then + filesuffix=debian9 elif [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then filesuffix=debian10 elif [ "$DISTRO_VERSION_MAJOR" -le 20 ]; then diff --git a/docker/Dockerfile.sandbox b/docker/Dockerfile.sandbox index 1d1149f..a18eb02 100644 --- a/docker/Dockerfile.sandbox +++ b/docker/Dockerfile.sandbox @@ -1,4 +1,4 @@ -FROM debian:buster +FROM debian:bullseye LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # first, copy everything we need diff --git a/docker/Dockerfile.tester b/docker/Dockerfile.tester index 4ec5346..3640a60 100644 --- a/docker/Dockerfile.tester +++ b/docker/Dockerfile.tester @@ -1,4 +1,4 @@ -FROM debian:buster +FROM debian:bullseye LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # install prerequisites diff --git a/etc/ssh/ssh_config.debian7 b/etc/ssh/ssh_config.debian7 deleted file mode 100644 index 329595f..0000000 --- a/etc/ssh/ssh_config.debian7 +++ /dev/null @@ -1,113 +0,0 @@ -# Hardened SSH bastion config -- modify wisely! -# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH -# With modifications where applicable/needed - -# hardened params follow. every non-needed feature is disabled by default, -# following the principle of least rights and least features (more enabled -# features mean a more important attack surface). - -# === FEATURES === - -# disable non-needed sshd features -# mitigates CVE-0216-0778 -UseRoaming no -# other unwanted features -Tunnel no -ForwardAgent no -ForwardX11 no -GatewayPorts no -ControlMaster no - -# === CRYPTOGRAPHY === - -# enforce the use of ssh version 2 protocol, version 1 is disabled. -# all sshd_config options regarding protocol 1 are therefore omitted. -Protocol 2 - -# list of allowed ciphers. -# aes is a trusted standard, only allow it's ctr mode (cbc is not considered secure) -# we deny arcfour(rc4), 3des, blowfish and cast -# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc -# known gotchas: -# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED -# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr -Ciphers aes256-ctr,aes192-ctr,aes128-ctr - -# list of allowed message authentication code algorithms. -# we prefer umac (has been proven secure) then sha2. -# we deny md5 and sha1 -# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1 -# Known gotchas: -# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 -# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 -MACs umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 - -# List of allowed key exchange algorithms. -# we allow diffie hellman with group exchange using sha256 which is -# the most secure dh-based kex. -# we avoid algorithms based on the disputed NIST curves, and anything based -# on sha1. -# known gotchas: -# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL -# - OmniOS 5.11 needs diffie-hellman-group1-sha1 -# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1 -# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 -KexAlgorithms diffie-hellman-group-exchange-sha256 - -# === AUTHENTICATION === - -# we allow only public key authentication ... -PubkeyAuthentication yes -# ... not password nor keyboard-interactive -# ... (set to yes if sshpass is to be used) -PasswordAuthentication no -# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code! -ChallengeResponseAuthentication yes -KbdInteractiveAuthentication yes -# ... not host-based -HostbasedAuthentication no -# ... and not gssapi auth. -GSSAPIAuthentication no -GSSAPIKeyExchange no -GSSAPIDelegateCredentials no -# now we specify the auth methods order we want for manual ssh calls. -# NOTE1: as per the ssh source code, an auth method omitted hereafter -# will not be used, even if set to "yes" above. -# NOTE2: the bastion code (namely, ttyrec), will always set the proper -# value explicitly on command-line (pubkey OR sshpass), so the value -# specified hereafter will be ignored. if you want to force-disable -# a method, set it to "no" in the list above, as those will never be -# overridden by the code. -PreferredAuthentications publickey,keyboard-interactive - -# === LOGIN ### - -# disable escape character use -EscapeChar none - -# detect if a hostkey changed due to DNS spoofing -CheckHostIP yes - -# ignore ssh-agent, only use specified keys (-i) -IdentitiesOnly yes -# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc. -IdentityFile /dev/non/existent/file - -# carry those vars to the other side (includes LC_BASTION) -SendEnv LANG LC_* - -# allow usage of SSHFP DNS records -VerifyHostKeyDNS ask - -# yell if remote hostkey changed -StrictHostKeyChecking ask - -# === SYSTEM === - -# don't hash the users known_hosts files, in the context of a bastion, this adds no security -HashKnownHosts no - -# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies -ServerAliveInterval 57 -ServerAliveCountMax 5 diff --git a/etc/ssh/ssh_config.debian8 b/etc/ssh/ssh_config.debian8 deleted file mode 100644 index 79b8e39..0000000 --- a/etc/ssh/ssh_config.debian8 +++ /dev/null @@ -1,118 +0,0 @@ -# Hardened SSH bastion config -- modify wisely! -# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH -# With modifications where applicable/needed - -# hardened params follow. every non-needed feature is disabled by default, -# following the principle of least rights and least features (more enabled -# features mean a more important attack surface). - -# === FEATURES === - -# disable non-needed sshd features -# mitigates CVE-0216-0778 -UseRoaming no -# other unwanted features -Tunnel no -ForwardAgent no -ForwardX11 no -GatewayPorts no -ControlMaster no - -# === CRYPTOGRAPHY === - -# enforce the use of ssh version 2 protocol, version 1 is disabled. -# all sshd_config options regarding protocol 1 are therefore omitted. -Protocol 2 - -# list of allowed ciphers. -# chacha20-poly1305 is a modern cipher, considered very secure -# aes is still the standard, we prefer gcm cipher mode, but also -# allow ctr cipher mode for compatibility (ctr is considered secure) -# we deny arcfour(rc4), 3des, blowfish and cast -# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc -# known gotchas: -# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED -# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - -# list of allowed message authentication code algorithms. -# etm (encrypt-then-mac) are considered the more secure, we -# prefer umac (has been proven secure) then sha2. -# for older remote servers, fallback to the non-etm version of -# the algorithms. we deny md5 entirely. -# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1 -# Known gotchas: -# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 -# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 -MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 - -# List of allowed key exchange algorithms. -# we prefer curve25519-sha256 which is considered the most modern/secure, -# and still allow diffie hellman with group exchange using sha256 which is -# the most secure dh-based kex. -# we avoid algorithms based on the disputed NIST curves, and anything based -# on sha1. -# known gotchas: -# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL -# - OmniOS 5.11 needs diffie-hellman-group1-sha1 -# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1 -# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - -# === AUTHENTICATION === - -# we allow only public key authentication ... -PubkeyAuthentication yes -# ... not password nor keyboard-interactive -# ... (set to yes if sshpass is to be used) -PasswordAuthentication no -# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code! -ChallengeResponseAuthentication yes -KbdInteractiveAuthentication yes -# ... not host-based -HostbasedAuthentication no -# ... and not gssapi auth. -GSSAPIAuthentication no -GSSAPIKeyExchange no -GSSAPIDelegateCredentials no -# now we specify the auth methods order we want for manual ssh calls. -# NOTE1: as per the ssh source code, an auth method omitted hereafter -# will not be used, even if set to "yes" above. -# NOTE2: the bastion code (namely, ttyrec), will always set the proper -# value explicitly on command-line (pubkey OR sshpass), so the value -# specified hereafter will be ignored. if you want to force-disable -# a method, set it to "no" in the list above, as those will never be -# overridden by the code. -PreferredAuthentications publickey,keyboard-interactive - -# === LOGIN ### - -# disable escape character use -EscapeChar none - -# detect if a hostkey changed due to DNS spoofing -CheckHostIP yes - -# ignore ssh-agent, only use specified keys (-i) -IdentitiesOnly yes -# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc. -IdentityFile /dev/non/existent/file - -# carry those vars to the other side (includes LC_BASTION) -SendEnv LANG LC_* - -# allow usage of SSHFP DNS records -VerifyHostKeyDNS ask - -# yell if remote hostkey changed -StrictHostKeyChecking ask - -# === SYSTEM === - -# don't hash the users known_hosts files, in the context of a bastion, this adds no security -HashKnownHosts no - -# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies -ServerAliveInterval 57 -ServerAliveCountMax 5 diff --git a/etc/ssh/sshd_config.debian7 b/etc/ssh/sshd_config.debian7 deleted file mode 100644 index 0fb35f6..0000000 --- a/etc/ssh/sshd_config.debian7 +++ /dev/null @@ -1,122 +0,0 @@ -# Hardened SSHD bastion config -- modify wisely! -# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH -# With additional restrictions where applicable - -# -lo and -rt users only have local console login -DenyUsers *-rt -DenyUsers *-lo - -# hardened params follow. every non-needed feature is disabled by default, -# following the principle of least rights and least features (more enabled -# features mean a more important attack surface). - -# === FEATURES === - -# disable non-needed sshd features -AllowAgentForwarding no -AllowTcpForwarding no -X11Forwarding no -PermitTunnel no -PermitUserEnvironment no -GatewayPorts no - -# === INFORMATION DISCLOSURE === - -# don't yell to the world that we're running debian, -# this disables the debian string version on the server hello message -DebianBanner no - -# however, display a legal notice for each connection -Banner /etc/ssh/banner - -# don't print the bastion MOTD on connection -PrintMotd no - -# === CRYPTOGRAPHY === - -# enforce the use of ssh version 2 protocol, version 1 is disabled. -# all sshd_config options regarding protocol 1 are therefore omitted. -Protocol 2 - -# only use hostkeys with RSA -HostKey /etc/ssh/ssh_host_rsa_key - -# list of allowed ciphers. -# aes is a trusted standard, only allow it's ctr mode (cbc is not considered secure) -# we deny arcfour(rc4), 3des, blowfish and cast -Ciphers aes256-ctr,aes192-ctr,aes128-ctr - -# list of allowed message authentication code algorithms. -# we prefer umac (has been proven secure) then sha2. -# we deny md5 and sha1 -MACs umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 - -# List of allowed key exchange algorithms. -# we allow diffie hellman with group exchange using sha256 which is -# the most secure dh-based kex. -# we avoid algorithms based on the disputed NIST curves, and anything based -# on sha1. -KexAlgorithms diffie-hellman-group-exchange-sha256 - -# === AUTHENTICATION === - -# we allow only public key authentication ... -PubkeyAuthentication yes -# ... not password -PasswordAuthentication no -# ... keyboard interactive (needed for MFA through PAM) -KbdInteractiveAuthentication yes -# ... not kerberos -KerberosAuthentication no -# ... challenge-response (needed for MFA through PAM) -ChallengeResponseAuthentication yes -# ... not host-based -HostbasedAuthentication no -# ... and not gssapi auth. -GSSAPIAuthentication no -GSSAPIKeyExchange no - -# just in case, we also explicitly deny empty passwords -PermitEmptyPasswords no - -# this needs to be set at "yes" to allow PAM keyboard-interactive authentication, -# which is not a security issue because the AuthenticationMethods below force the use of -# either publickey or publickey+keyboard-interactive, hence password-only login is never -# possible, for root or any other account for that matter -PermitRootLogin yes - -# === LOGIN === - -# disconnect after 30 seconds if user didn't log in successfully -LoginGraceTime 30 - -# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode) -MaxSessions 1 - -# maximum concurrent unauth connections to the sshd daemon -MaxStartups 50:30:500 - -# accept LANG and LC_* vars (also includes LC_BASTION) -AcceptEnv LANG LC_* - -# === SYSTEM === - -# sshd log level at verbose in auth facility for auditing purposes -LogLevel VERBOSE -SyslogFacility AUTH - -# check sanity of user HOME dir before allowing user to login -StrictModes yes - -# never use dns (slows down connections) -UseDNS no - -# use PAM facility -UsePAM yes - -# Debian 7 doesn't support the AuthenticationMethods, hence we can't benefit -# from the bastion-nopam group (accountModify --pam-auth-bypass will not work) -#Match Group bastion-nopam -# AuthenticationMethods publickey -#Match All -# AuthenticationMethods publickey,keyboard-interactive:pam diff --git a/etc/ssh/sshd_config.debian8 b/etc/ssh/sshd_config.debian8 deleted file mode 100644 index 3769ecc..0000000 --- a/etc/ssh/sshd_config.debian8 +++ /dev/null @@ -1,146 +0,0 @@ -# Hardened SSHD bastion config -- modify wisely! -# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH -# With additional restrictions where applicable - -# -lo and -rt users only have local console login -DenyUsers *-rt -DenyUsers *-lo - -# hardened params follow. every non-needed feature is disabled by default, -# following the principle of least rights and least features (more enabled -# features mean a more important attack surface). - -# === FEATURES === - -# disable non-needed sshd features -AllowAgentForwarding no -AllowTcpForwarding no -AllowStreamLocalForwarding no -X11Forwarding no -PermitTunnel no -PermitUserEnvironment no -PermitUserRC no -GatewayPorts no - -# === INFORMATION DISCLOSURE === - -# don't yell to the world that we're running debian, -# this disables the debian string version on the server hello message -DebianBanner no - -# however, display a legal notice for each connection -Banner /etc/ssh/banner - -# don't print the bastion MOTD on connection -PrintMotd no - -# === CRYPTOGRAPHY === - -# enforce the use of ssh version 2 protocol, version 1 is disabled. -# all sshd_config options regarding protocol 1 are therefore omitted. -Protocol 2 - -# only use hostkeys with secure algorithms, and omit the ones using NIST curves -HostKey /etc/ssh/ssh_host_ed25519_key -HostKey /etc/ssh/ssh_host_rsa_key - -# list of allowed ciphers. -# chacha20-poly1305 is a modern cipher, considered very secure -# aes is still the standard, we prefer gcm cipher mode, but also -# allow ctr cipher mode for compatibility (ctr is still considered secure) -# we deny arcfour(rc4), 3des, blowfish and cast -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - -# list of allowed message authentication code algorithms. -# etm (encrypt-then-mac) are considered the more secure, we -# prefer umac (has been proven secure) then sha2. -# for older ssh client, fallback to the non-etm version of -# the algorithms. -# we deny md5 and sha1 -MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 - -# List of allowed key exchange algorithms. -# we prefer curve25519-sha256 which is considered the most modern/secure, -# and still allow diffie hellman with group exchange using sha256 which is -# the most secure dh-based kex. -# we avoid algorithms based on the disputed NIST curves, and anything based -# on sha1. -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - -# force rekey every 512M of data or 6 hours of connection, whichever comes first -RekeyLimit 512M 6h - -# === AUTHENTICATION === - -# we allow only public key authentication ... -PubkeyAuthentication yes -# ... not password -PasswordAuthentication no -# ... keyboard interactive (needed for MFA through PAM) -KbdInteractiveAuthentication yes -# ... not kerberos -KerberosAuthentication no -# ... challenge-response (needed for MFA through PAM) -ChallengeResponseAuthentication yes -# ... not host-based -HostbasedAuthentication no -# ... and not gssapi auth. -GSSAPIAuthentication no -GSSAPIKeyExchange no - -# just in case, we also explicitly deny empty passwords -PermitEmptyPasswords no - -# this needs to be set at "yes" to allow PAM keyboard-interactive authentication, -# which is not a security issue because the AuthenticationMethods below force the use of -# either publickey or publickey+keyboard-interactive, hence password-only login is never -# possible, for root or any other account for that matter -PermitRootLogin yes - -# === LOGIN === - -# disconnect after 30 seconds if user didn't log in successfully -LoginGraceTime 30 - -# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode) -MaxSessions 1 - -# maximum concurrent unauth connections to the sshd daemon -MaxStartups 50:30:500 - -# accept LANG and LC_* vars (also includes LC_BASTION) -AcceptEnv LANG LC_* - -# === SYSTEM === - -# sshd log level at verbose in auth facility for auditing purposes -LogLevel VERBOSE -SyslogFacility AUTH - -# check sanity of user HOME dir before allowing user to login -StrictModes yes - -# never use dns (slows down connections) -UseDNS no - -# use PAM facility -UsePAM yes - -# === AuthenticationMethods vs potential root OTP vs potential user MFA === -# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case -# on your system, uncomment the next two lines (see -# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication) -#Match User root -# AuthenticationMethods publickey,keyboard-interactive:pam -# Unconditionally skip PAM auth for members of the bastion-nopam group -Match Group bastion-nopam - AuthenticationMethods publickey -# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam -Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional - AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam -# if in one of the mfa groups, use publickey AND pam -Match Group mfa-totp-configd,mfa-password-configd - AuthenticationMethods publickey,keyboard-interactive:pam -# by default, always ask the publickey (no PAM) -Match All - AuthenticationMethods publickey