openssh: Use strong MACs and ciphers for ssh/sshd (#2857)

By default, ssh and sshd are configured to allow using weak hashing
algorithms like MD5 and SHA1. They are also configured to use weak
encryption ciphers such as 3DES and CBC mode ciphers.

Configure ssh and sshd to use strong MAC and encryption ciphers by
default.

Strong MACs are hmac-sha2 (hmac-sha2-256, hmac-sha2-512).
Strong ciphers are aes128-ctr, aes192-ctr, aes256-ctr.

Signed-off-by: Chris Co <chrco@microsoft.com>
Christopher Co 2022-04-22 22:56:25 -07:00 committed by GitHub
parent ef8b1faf5c
commit 4c70113d49
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 1 deletions


@ -3,7 +3,7 @@
Summary: Free version of the SSH connectivity tools
Name: openssh
Version: %{openssh_ver}
Release: 5%{?dist}
Release: 6%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
@ -144,6 +144,13 @@ sed -i 's/#PrintMotd yes/PrintMotd no/' %{buildroot}%{_sysconfdir}/ssh/sshd_conf
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/' %{buildroot}%{_sysconfdir}/ssh/sshd_config
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 120/' %{buildroot}%{_sysconfdir}/ssh/sshd_config
# Configure to use strong MACs
echo "MACs hmac-sha2-512,hmac-sha2-256" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "MACs hmac-sha2-512,hmac-sha2-256" >> %{buildroot}%{_sysconfdir}/ssh/ssh_config
# Configure to use strong encryption ciphers
echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> %{buildroot}%{_sysconfdir}/ssh/sshd_config
echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> %{buildroot}%{_sysconfdir}/ssh/ssh_config
install -D -m644 %{SOURCE1} %{buildroot}/lib/systemd/system/sshd.service
install -D -m644 %{SOURCE2} %{buildroot}/lib/systemd/system/sshd-keygen.service
install -m755 contrib/ssh-copy-id %{buildroot}/%{_bindir}/
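Review bot: the `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` lines silently drop the AEAD ciphers that OpenSSH enables and prefers by default (chacha20-poly1305@openssh.com, aes128-gcm@openssh.com, aes256-gcm@openssh.com), and the `MACs hmac-sha2-512,hmac-sha2-256` lines drop the encrypt-then-MAC variants (hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com); both are at least as strong as what remains, so consider keeping them at the front of each list rather than forcing CTR plus plain HMAC. Separately, appending with `echo >>` puts the directives at the very end of the file: in sshd_config any directive that follows an active `Match` block is scoped to that block, and neither echo checks whether a `MACs` or `Ciphers` line is already present, so inserting before any `Match` section (or using a `sed`/drop-in that is idempotent, as the surrounding `sed -i` lines are) would be safer.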
@ -244,6 +251,10 @@ fi
%{_mandir}/man8/ssh-sk-helper.8.gz
%changelog
* Fri Apr 22 2022 Chris Co <chrco@microsoft.com> - 8.8p1-6
- Use strong MACs for ssh and sshd
- Use strong encryption ciphers for ssh and sshd
* Mon Apr 11 2022 Andy Caldwell <andycaldwell@microsoft.com> - 8.8p1-5
- Remove socket-triggering for SSHd due to conflicts with non-triggered service and potential DoS vector