Bug 1240293 - Tighten down some OpenSSH default settings
Status: Closed (RESOLVED FIXED)
Opened 9 years ago, Closed 9 years ago
Categories: Firefox Build System :: MozillaBuild, task
Tracking: Not tracked
People: Reporter: RyanVM, Assigned: RyanVM
Attachments (1 file): patch (deleted), kang: review+
Needed to work around CVE-2016-0777. The global config lives in /etc/ssh/ssh_config.
Comment 1 • 9 years ago (Assignee)
Going to use this as an opportunity to tighten down some other settings as well, like HashKnownHosts.
Summary: Add "UseRoaming no" to the global OpenSSH config → Tighten down some OpenSSH default settings
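The two settings this bug adds to the global client config, UseRoaming no and HashKnownHosts, only take effect for a host if nothing earlier in ssh_config already set them, because ssh keeps the first value it obtains. The checker below is an added example, not part of the MozillaBuild patch: it parses a client config with those Host-block semantics and reports the effective value of each setting for a given hostname. The sample config and hostnames are constructed, and Match blocks are assumed never to apply.

```python
import fnmatch
# ssh_config keywords are case-insensitive and ssh keeps the FIRST value it obtains
REQUIRED = {"useroaming": "no", "hashknownhosts": "yes"}  # the settings this bug adds

def parse_ssh_config(text):
    """[(host_patterns, {keyword: value}), ...] in file order; leading lines = 'Host *'."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" in line.split(None, 1)[0]:  # "Key=value" form
            key, value = line.split("=", 1)
        else:  # "Key value" form
            key, value = (line.split(None, 1) + [""])[:2]
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            blocks.append((value.lower().split(), {}))
        elif key == "match":  # needs runtime facts; assumed never to apply here
            blocks.append(([], {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def host_matches(patterns, hostname):
    # Host rule: any matching "!" pattern excludes the block; else any positive match applies
    h = hostname.lower()
    if any(fnmatch.fnmatchcase(h, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(h, p) for p in patterns if not p.startswith("!"))

def effective(blocks, hostname, keyword):
    """Value ssh would use: the first matching block in file order wins."""
    for patterns, opts in blocks:
        if keyword in opts and host_matches(patterns, hostname):
            return opts[keyword]
    return None  # unset: ssh falls back to its built-in default

def audit(text, hostname="host.example.org"):
    """{keyword: (effective value or None, requirement met?)} for REQUIRED."""
    blocks = parse_ssh_config(text)
    found = {k: effective(blocks, hostname, k) for k in REQUIRED}
    return {k: (found[k], found[k] == want) for k, want in REQUIRED.items()}
SAMPLE = """# constructed sample: the earlier, more specific block wins for build-* hosts
Host build-*.example.org
    UseRoaming yes
Host *
    UseRoaming no
    HashKnownHosts yes
"""
```

Running `audit(SAMPLE, "build-1.example.org")` reports UseRoaming still "yes" for that host, while any other hostname gets the intended "no".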
Comment 2 • 9 years ago (Assignee)
I'm going off https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28OpenSSH_5.3.29 for recommended defaults.
Comment 3 • 9 years ago (Assignee)
Not that we have many good options with version 5.4. Any recommendations beyond these, Guillaume?
Attachment #8708685 - Flags: review?(gdestuynder)
Comment on attachment 8708685 [details] [diff] [review]
add some default openssh settings
Review of attachment 8708685 [details] [diff] [review]:
-----------------------------------------------------------------
TLDR: r+
Longer version:
The recommendations from the wiki page are accurate for OpenSSH 5.3 as a server, albeit your link points to the SSH daemon configuration (/etc/ssh/sshd_config, i.e. sshd/server). While it doesn't spell out the usage of OpenSSH 5.4 as a client (it has settings for recent clients only), OpenSSH 5.4 has the addition of roaming in particular (which is affected by CVE-2016-0777), which you have cared for in your config (r+!).
This is only necessary when SSH is used as a client though. We have audited the current setups to the best of our knowledge (i.e. when we get full reporting from the host / it's running audisp-json + mig).
For reference, SSH client (/etc/ssh/ssh_config, i.e. ssh/client) recommended settings are at https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Intermediate_.28connects_to_older_servers.29 (Again, since you have OpenSSH 5.4 this does not support all options, and your config looks good to me).
Finally, the best would be to upgrade to a newer OpenSSH/distribution, of course. If using IT-provided machines, AFAIK CentOS 7 will be available at the end of this quarter as per https://bugzilla.mozilla.org/show_bug.cgi?id=1019782
Attachment #8708685 - Flags: review?(gdestuynder) → review+
Comment 5 • 9 years ago (Assignee)
Thanks for double-checking. Unfortunately, we're pretty much stuck on version 5.4 until we're able to drop MSYS1 in favor of msys2, which is probably a ways out still. Unless you know of any alternate Windows options? I know Microsoft has been working on one as well, but it's still considered pre-release.
https://hg.mozilla.org/mozilla-build/rev/8f49cd85c7ac
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 6 • 9 years ago
plink.exe (from PuTTY) can kinda/sorta be used as an ssh client stand-in for many use cases.
Updated • 2 years ago
Product: mozilla.org → Firefox Build System