Allow setting MACs in SSHD config #91
Conversation
README.md (outdated)
    "hmac-md5",
    "hmac-md5-96",
maybe drop weak md5 hmacs from the example?
Good call out. And you know, rather than give an explicit list example, maybe show how one might use the setting to tweak the default? Is that intended to be supported here, @mlacko64?
i.e., if we consider https://man.openbsd.org/sshd_config#MACs
If the specified list begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a ‘-’ character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ‘^’ character, then the specified algorithms will be placed at the head of the default set.
I think we'd be able to express surgical "edits" to the defaults - maybe even this would be a model default setting? Something like this:
{
  "ssh": {
    "macs": [
      "-hmac-sha1"
    ]
  }
}
This way, any Bottlerocket settings (ie: other than build time defaults of OpenSSH itself) would be able to augment rather than exhaustively set the list. Settings could even be provided in the model to default remove insecure elements if/when the need arises.
In fact, after chatting with @jpculp I think this might apply to a few of the other "list" settings in ssh.
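To make the `+`, `-` and `^` semantics quoted above concrete, here is an added example (not Bottlerocket's or OpenSSH's code) that resolves a `MACs` value against a default set the way sshd_config(5) describes, and then flags whatever MD5- or SHA-1-based MACs survive. The default and known-MAC lists are constructed for illustration and are not the real defaults of any OpenSSH release; `settings_to_macs_line` is a hypothetical mapping from the proposed `settings.ssh.macs` array to the config line.

```python
import fnmatch

# Constructed sample sets (assumption: illustrative only, not the real default of
# any OpenSSH release; `sshd -T | grep macs` shows the real one on a host).
DEFAULT_MACS = [
    "umac-64-etm@openssh.com",
    "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "umac-64@openssh.com",
    "umac-128@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512",
    "hmac-sha1",
]
# Names sshd would accept at all: the defaults plus the non-default MD5 variants.
KNOWN_MACS = set(DEFAULT_MACS) | {
    "hmac-md5",
    "hmac-md5-96",
    "hmac-md5-etm@openssh.com",
    "hmac-md5-96-etm@openssh.com",
}


def settings_to_macs_line(values):
    """Hypothetical mapping of the settings.ssh.macs array to the sshd_config value:
    join with commas. Only a prefix on the very first element means anything to sshd."""
    return ",".join(values)


def resolve_macs(spec, defaults=DEFAULT_MACS, known=KNOWN_MACS):
    """Return the MAC list sshd would offer for a MACs value, following the
    '+' (append), '-' (remove, wildcards allowed) and '^' (move to head) rules."""
    if not spec:
        return list(defaults)
    prefix = spec[0] if spec[0] in "+-^" else ""
    names = [n for n in spec[len(prefix):].split(",") if n]
    if prefix == "-":
        # Remove every default matching any of the given patterns.
        return [d for d in defaults
                if not any(fnmatch.fnmatchcase(d, pat) for pat in names)]
    unknown = [n for n in names if n not in known]
    if unknown:
        # sshd rejects unknown names in the plain, '+' and '^' forms.
        raise ValueError(f"unknown MAC(s): {unknown}")
    if prefix == "+":
        return list(defaults) + [n for n in names if n not in defaults]
    if prefix == "^":
        return names + [d for d in defaults if d not in names]
    return names  # a plain list replaces the defaults entirely


def weak_macs(macs):
    """MACs a vulnerability scanner would normally flag: MD5- or SHA-1-based."""
    return [m for m in macs if "md5" in m or "sha1" in m]


if __name__ == "__main__":
    for setting in (["-hmac-sha1"], ["-hmac-sha1*"], ["^hmac-sha2-512-etm@openssh.com"]):
        line = settings_to_macs_line(setting)
        resolved = resolve_macs(line)
        print(f"MACs {line}\n  offered: {resolved}\n  weak: {weak_macs(resolved)}")
```

Running it shows the edge case a defender wants to see: `-hmac-sha1` removes only the exact name and leaves `hmac-sha1-etm@openssh.com` in the offered set, whereas `-hmac-sha1*` (or `-*sha1*`) removes both, so a model default meant to drop SHA-1 MACs needs the wildcard form.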
Thanks for comments, I have:
@mlacko64, thanks for doing this! I think we can probably go ahead and merge this into an upcoming container release, but would you be willing to prune the commit message beforehand? The top line is probably enough to suffice.
Added MACs into SSHD configuration
@jpculp sure, I have pruned the commit message as you suggested.
Issue number:
#90
Description of changes:
This change adds an option to customize MACs for SSH, for example to disable SHA-1 MACs, which are reported as deprecated by a vulnerability scanner. README.md updated.
Testing done:
Created custom container and tested in my lab cluster, works as expected.
The SSHD config contains the line:
MACs hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
The SSHD server offers just the MACs selected by me:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.