[Ach] More OpenSSH Hardening

Axel Hübl axel.huebl at web.de
Wed Jan 7 12:09:07 CET 2015


On 07.01.2015 08:51, Sven Kieske wrote:
> On 07.01.2015 02:48, Axel Hübl wrote:
>> Hi,
> 
>> I just found
>> https://stribika.github.io/2015/01/04/secure-secure-shell.html
> 
>> with quite clear explanations.
> 
>> Especially I didn't realize there is a /etc/ssh/moduli file for the
>> DH params in OpenSSH - we might want to add that, too.
> 
> This part is very insecure on systems with multiple accounts
> as everyone can write to /tmp/ , resulting in an overwritten file
> by a third party:
> 
>> ssh-keygen -G /tmp/moduli -b 4096 ssh-keygen -T /etc/ssh/moduli -f
>> /tmp/moduli
> 
> And this person cares about security..

For me (debian linux),
  ssh-keygen -G /tmp/moduli -b 4096

creates a -rw-r--r-- file in /tmp/ with my ownership. So other users
should not be able to overwrite that. Did I miss your point?

An other minor is that restarting a ssh-server should not harm existing
connections at all, as nervously stated in the last paragraph.

nevertheless, let's focus on the interesting points, we can provide
feedback to the other parts if someone feels to.

Axel

> 
> 
> kind regards
> 
> Sven
> 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150107/d0c4348c/attachment.sig>


More information about the Ach mailing list