[Security] sshd default conf should be hardened


#1

Hello,

I’ve recently purchased the Vero 4K and I’m very happy with it :slight_smile:.

I ran an audit tool and found that the sshd default configuration could be further hardened.

  1. Root login should be disabled (though root is deactivated)
    PermitRootLogin yes -> PermitRootLogin no

  2. X11 forwarding should be disabled (though X11 is not installed)
    X11Forwarding yes -> X11Forwarding no

  3. Pre-authentication process should be further hardened
    UsePrivilegeSeparation yes -> UsePrivilegeSeparation sandbox
    According to the man page, the sandbox option further restricts syscalls in the pre-authentication process.

  4. Disable DSA Keys
    delete HostKey /etc/ssh/ssh_host_dsa_key
    These keys are considered weak and are deprecated by the OpenSSH team (and even disabled at run time)

  5. Use the strongest ciphers in priority
    See References since there are a lot of lines to add

  6. Only allow osmc user to log in
    add AllowUsers osmc

I know I’m a bit picky, but since OSMC is part of the IoT, its security should be exemplary (and compliant with security audit tools).

References

Audit Tools
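As an added example (not code from this thread or from the OSMC project), here is a small POSIX sh checker that reads an sshd_config file and reports deviations from the six items listed in the post above. The two sample config files are constructed inline (one with the "before" values quoted in the post, one with the "after" values); the cipher list in the hardened sample and the weak-cipher pattern list (arcfour, 3DES, any CBC mode) are this script's own assumptions, since the post defers the cipher list to its references.

```shell
#!/bin/sh
# Added example, not part of the thread or the OSMC project: audit a
# sshd_config file against the six hardening items from the post.

# Print the effective value of a keyword. sshd keywords are case-insensitive
# and the first uncommented occurrence wins, so stop at the first match.
# Everything after the keyword is returned (AllowUsers may list several names).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Emit one line per deviation from the proposed hardened settings.
sshd_audit() {
    cfg="$1"
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] \
        || echo "PermitRootLogin is not 'no'"
    [ "$(sshd_value "$cfg" X11Forwarding)" = "no" ] \
        || echo "X11Forwarding is not 'no'"
    [ "$(sshd_value "$cfg" UsePrivilegeSeparation)" = "sandbox" ] \
        || echo "UsePrivilegeSeparation is not 'sandbox'"
    # An uncommented HostKey line for the DSA key means the key is still offered.
    if grep -Eiq '^[[:space:]]*HostKey[[:space:]]+/etc/ssh/ssh_host_dsa_key' "$cfg"; then
        echo "DSA host key is still enabled"
    fi
    ciphers="$(sshd_value "$cfg" Ciphers)"
    if [ -z "$ciphers" ]; then
        echo "Ciphers not set explicitly (server default applies)"
    elif echo "$ciphers" | grep -Eiq 'arcfour|3des|-cbc'; then
        # Assumed weak-cipher patterns for this example.
        echo "Ciphers list contains a weak cipher: $ciphers"
    fi
    [ "$(sshd_value "$cfg" AllowUsers)" = "osmc" ] \
        || echo "AllowUsers does not restrict logins to osmc"
}

# Number of findings, returned as a value a caller can compare against.
sshd_finding_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not real OSMC files).
tmp="$(mktemp -d)"
WEAK_CFG="$tmp/sshd_config.weak"
HARDENED_CFG="$tmp/sshd_config.hardened"

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: the 'before' values quoted in the post
PermitRootLogin yes
X11Forwarding yes
UsePrivilegeSeparation yes
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#AllowUsers osmc
EOF

cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: the 'after' values from the post (cipher list assumed)
permitrootlogin no
X11Forwarding no
UsePrivilegeSeparation sandbox
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
AllowUsers osmc
EOF

echo "Findings for $WEAK_CFG:"
sshd_audit "$WEAK_CFG"
echo "Finding count for hardened sample: $(sshd_finding_count "$HARDENED_CFG")"
```

The checker only looks at global directives and ignores Match blocks, so it is a quick sanity check rather than a replacement for `sshd -T`, which prints the effective configuration. Two caveats on the items themselves: the lowercase `permitrootlogin` line in the hardened sample is there to show that sshd keywords are case-insensitive, and on OpenSSH 7.5 and later `UsePrivilegeSeparation` is deprecated (the sandbox is always on), so that check only matters for older servers.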


#2

While I agree about hardening in general, are you aware that:

  1. OSMC doesn’t have a root account available by default
  2. OSMC has no X11 by default
  3. OSMC is not suggesting to open ssh towards the internet

#3

Hello,

I know that root account is not available and that X11 is not installed by default.

Still, it costs nothing to add it, and it even adds consistency and compliance with security audit tools.

Furthermore, it’s not because OSMC is supposed to be used on a (secure) LAN that no user will put it on a WAN, or that its LAN won’t already be compromised (keep in mind that ISP boxes are full of holes …).

I think the device should be as secure as possible by default, and that it should cost the user something to circumvent its security.


#4

Well, if you are so eager about security, I suggest you post this as a proper pull request on GitHub: https://github.com/osmc/osmc


#5

Ah thanks, gonna do it :wink:


#6

I’d be happy to see a PR for this. Some thoughts:

Careful with changes here: they will break older clients.

Not sure about this one. I also am not sure about disabling root login. The root account is disabled currently, so they can’t log in as root, but the idea is that if they do enable it with passwd, then they can log in straight away.

ForwardX11Trusted instead?

Cheers

Sam


#7

Here it is!

This should be compatible with clients from version 5.3; I think it’s old enough (Ubuntu 10.04, Debian 6, RHEL 6).

root should never ever be remotely accessible; this account is way too powerful. It’s better to use a dedicated user for administration tasks, and the osmc user is here for that.

That’s a client-side option and not a server-side option.
Keep in mind that X11 was not written with security in mind, so we’d better not trust X11 sessions and drop as much privilege as possible.


#8

I will continue the discussion on the PR.

Cheers

Sam


#9

I’d prefer that at least TCP port and agent forwarding be configurable (yes/no) through the OSMC settings add-on; some people may want to run a personal FTP server or web server accessible from outside, or even set up an SSH tunnel. The options can be disabled by default, to make it safer for the majority of users, I agree.

Yes, VPN should be the way to go, but not all clients or machines support it.


#10

Indeed.

I’m not quite convinced on all of the options proposed in the PR.

I will reply to it in detail shortly.

Sam