From ad54ed070b6b00f93c264d988a0ab91781a039f3 Mon Sep 17 00:00:00 2001 From: "Kyle J. McKay" Date: Thu, 6 Mar 2014 00:00:38 -0800 Subject: [PATCH] sshd: apply key lengths and dsa setting to sshd keys If $disable_dsa is set do not generate or configure a DSA sshd HostKey for the chroot jail sshd. Use the $rsakeylength value when generating the sshd rsa HostKey for the chroot jail sshd. --- Girocco/Config.pm | 9 +++++++++ jailsetup.sh | 19 +++++++++++++++---- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/Girocco/Config.pm b/Girocco/Config.pm index d9c43b7..ad6fc86 100644 --- a/Girocco/Config.pm +++ b/Girocco/Config.pm @@ -95,6 +95,7 @@ our $manage_users = 1; # DSA keys that satisfy the restriction (but RSA keys should not be a problem). # Note that no matter what setting is specified here keys smaller than 512 bits # will never be allowed via the reguser.cgi/edituser.cgi interface. +# RECOMMENDED VALUE: 2048 (ok) or 3072 (better) our $min_key_length = 1024; # Disable DSA public keys? @@ -110,6 +111,11 @@ our $min_key_length = 1024; # to something higher such as 3072 or 4096. This setting is only checked when # new keys are added so setting it/increasing it will not affect existing keys. # There is no way to disable DSA keys in the OpenSSH server config file itself. +# If this is set to 1, no ssh_host_dsa_key will be generated or used with the +# sshd running in the jail (but if the sshd_config has already been generated +# in the jail, it must be removed and 'sudo make install' run again or otherwise +# the sshd_config needs to be edited by hand for the change to take effect). +# RECOMMENDED VALUE: 1 our $disable_dsa = 0; # Enable the special 'mob' user if set to 'mob' @@ -229,6 +235,8 @@ our $mobuserkey = undef; # The values 2048, 3072 and 4096 are expected to be compatible with all clients. # Note that OpenSSL has no problem with > 4096 or non-multiple of 8 lengths. # See also the $min_key_length setting above to restrict user key sizes. +# This value is also used when generating the ssh_host_rsa_key for the chroot jail sshd. +# RECOMMENDED VALUE: 3072 our $rsakeylength = undef; @@ -425,6 +433,7 @@ $mobuserkey = "$certsdir/girocco_mob_user_key.pem" if $httpspushurl && $mob && ! our $mobpushurl = $pushurl; $mobpushurl =~ s,^ssh://,ssh://mob@,i if $mobpushurl; $disable_dsa = 1 unless $pushurl; +$disable_dsa = $disable_dsa ? 1 : ''; our $httpsdnsname = ($httpspushurl =~ m,https://([A-Za-z0-9.-]+),i) ? lc($1) : undef if $httpspushurl; ($mirror or $push) or die "Girocco::Config: neither \$mirror nor \$push is set?!"; (not $push or ($pushurl or $httpspushurl or $gitpullurl or $httppullurl)) or die "Girocco::Config: no pull URL is set"; diff --git a/jailsetup.sh b/jailsetup.sh index 0608ea5..e270167 100755 --- a/jailsetup.sh +++ b/jailsetup.sh @@ -212,7 +212,13 @@ PermitRootLogin no UsePrivilegeSeparation yes HostKey /etc/ssh/ssh_host_rsa_key +EOT +if [ -z "$cfg_disable_dsa" ]; then + cat >>etc/ssh/sshd_config <>etc/ssh/sshd_config </dev/null; then + bits="$cfg_rsakeylength" + fi + yes | ssh-keygen -b "$bits" -t rsa -N "" -C Girocco -f etc/ssh/ssh_host_rsa_key +fi +if [ -z "$cfg_disable_dsa" -a ! -s etc/ssh/ssh_host_dsa_key ]; then + # ssh-keygen can only create 1024 bit DSA keys + yes | ssh-keygen -b 1024 -t dsa -N "" -C Girocco -f etc/ssh/ssh_host_dsa_key fi # Set the final permissions on the binaries and perform any final twiddling -- 2.11.4.GIT