Manually merge PR132 to tune SFTP security settings for modern OS versions and try harder to mitigate Terrapin issue on some legacy systems

git-svn-id: svn+ssh://svn.code.sf.net/p/migrid/code/trunk@6149 b75ad72c-e7d7-11dd-a971-7dbc132099af

Author: jonasbardino

mig/install/openssh-MiG-sftp-subsys-template.conf

@@ -38,6 +38,7 @@ HostKey __MIG_CERTS__/__SFTP_SUBSYS_ADDRESS__/server.key
 
 # IMPORTANT: these are *generated* hardened values based on generateconf
 # invocation. Any permanent changes need to be made there.
+HostKeyAlgorithms __OPENSSH_HOSTKEYALGOS__
 KexAlgorithms __OPENSSH_KEXALGOS__
 Ciphers __OPENSSH_CIPHERS__
 MACs __OPENSSH_MACS__

mig/server/grid_sftp.py

@@ -87,8 +87,9 @@
 from mig.shared.base import invisible_path, force_utf8, force_unicode
 from mig.shared.conf import get_configuration_object
 from mig.shared.defaults import keyword_auto, STRONG_SSH_KEXALGOS, \
-    STRONG_SSH_CIPHERS, STRONG_SSH_MACS, STRONG_SSH_LEGACY_KEXALGOS, \
-    STRONG_SSH_LEGACY_MACS
+    STRONG_SSH_CIPHERS, STRONG_SSH_MACS, LEGACY_SSH_KEXALGOS, \
+    LEGACY_SSH_CIPHERS, LEGACY_SSH_MACS, FALLBACK_SSH_KEXALGOS, \
+    FALLBACK_SSH_CIPHERS, FALLBACK_SSH_MACS
 from mig.shared.fileio import check_write_access, user_chroot_exceptions, \
     read_file
 from mig.shared.gdp.all import project_open, project_close, project_log
@@ -1518,59 +1519,85 @@ def accept_client(client, addr, root_dir, host_rsa_key, conf={}):
                                    default_max_packet_size=max_packet_size)
     # Restrict transport to strong ciphers+kex+digests used in OpenSSH
     transport_security = transport.get_security_options()
-    recommended_ciphers = STRONG_SSH_CIPHERS.split(',')
+    strong_ciphers = STRONG_SSH_CIPHERS.split(',')
+    legacy_ciphers = LEGACY_SSH_CIPHERS.split(',')
+    fallback_ciphers = FALLBACK_SSH_CIPHERS.split(',')
     available_ciphers = transport_security.ciphers
-    strong_ciphers = [i for i in recommended_ciphers if i in available_ciphers]
-    # logger.debug("TLS ciphers available %s, used %s" % (available_ciphers,
-    #                                                    strong_ciphers))
-    if strong_ciphers:
-        transport_security.ciphers = strong_ciphers
+    best_ciphers = [i for i in strong_ciphers if i in available_ciphers]
+    medium_ciphers = [i for i in legacy_ciphers if i in available_ciphers]
+    weak_ciphers = [i for i in fallback_ciphers if i in available_ciphers]
+    # logger.debug("TLS ciphers available %s: best %s, medium %s, weak %s" %
+    #              (available_ciphers, best_ciphers, medium_ciphers, weak_ciphers))
+    if best_ciphers:
+        # logger.debug("Using only strong ciphers: %s" %
+        #             ', '.join(best_ciphers))
+        transport_security.ciphers = best_ciphers
+    elif medium_ciphers:
+        logger.info("Rely on best available legacy ciphers: %s" %
+                    ', '.join(medium_ciphers))
+        transport_security.ciphers = medium_ciphers
+    elif weak_ciphers:
+        logger.warning("Force best available weak ciphers: %s" %
+                       ', '.join(weak_ciphers))
+        transport_security.ciphers = weak_ciphers
     else:
-        logger.warning("No strong TLS ciphers available!")
-        logger.info("You need a recent paramiko for best security")
+        logger.warning("No safe TLS ciphers available!")
+        logger.info("You need a modern paramiko for proper security")
     # NOTE: paramiko doesn't yet implement strong modern kex algos - use legacy
     # A number of paramiko tickets indicate plans and interest for adding the
     # strong curve25519-sha256@libssh.org eventually, but progress looks
     # stalled. Until then our best alternative appears to be the legacy
     # diffie-hellman-group-exchange-sha256 fallback, which should be safe as
     # long as the moduli size tuning of e.g. ssh-audit is applied:
     # http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_16-002_Weaknesses%20in%20Diffie-Hellman%20Key%20v1_0.pdf
-    recommended_kex = STRONG_SSH_KEXALGOS.split(',')
-    fallback_kex = STRONG_SSH_LEGACY_KEXALGOS.split(',')
+    strong_kex = STRONG_SSH_KEXALGOS.split(',')
+    legacy_kex = LEGACY_SSH_KEXALGOS.split(',')
+    fallback_kex = FALLBACK_SSH_KEXALGOS.split(',')
     available_kex = transport_security.kex
-    strong_kex = [i for i in recommended_kex if i in available_kex]
-    medium_kex = [i for i in fallback_kex if i in available_kex]
-    # logger.debug("TLS kex available %s, used %s (or fallback to %s)" %
-    #             (available_kex, strong_kex, medium_kex))
-    if strong_kex:
-        # logger.debug("Using only strong key exchange algorithms: %s" %
-        #             ', '.join(strong_kex))
-        transport_security.kex = strong_kex
+    best_kex = [i for i in strong_kex if i in available_kex]
+    medium_kex = [i for i in legacy_kex if i in available_kex]
+    weak_kex = [i for i in fallback_kex if i in available_kex]
+    # logger.debug("TLS kex available %s: best %s, medium %s, weak %s" %
+    #              (available_kex, best_kex, medium_kex, weak_kex))
+    if best_kex:
+        # logger.debug("Using only strong kex algorithms: %s" %
+        #             ', '.join(best_kex))
+        transport_security.kex = best_kex
     elif medium_kex:
-        # logger.debug("Using only medium strength key exchange algorithms: %s" %
-        #             ', '.join(medium_kex))
+        logger.info("Rely on best available legacy kex algorithms: %s" %
+                    ', '.join(medium_kex))
         transport_security.kex = medium_kex
+    elif weak_kex:
+        logger.warning("Force best available weak kex algorithms: %s" %
+                       ', '.join(weak_kex))
+        transport_security.kex = weak_kex
     else:
-        logger.warning("No strong TLS key exchange algorithm available!")
-        logger.info("You need a recent paramiko for best security")
-    recommended_digests = STRONG_SSH_MACS.split(',')
-    fallback_digests = STRONG_SSH_LEGACY_MACS.split(',')
+        logger.warning("No safe TLS key exchange algorithm available!")
+        logger.info("You need a modern paramiko for proper security")
+    strong_digests = STRONG_SSH_MACS.split(',')
+    legacy_digests = LEGACY_SSH_MACS.split(',')
+    fallback_digests = FALLBACK_SSH_MACS.split(',')
     available_digests = transport_security.digests
-    strong_digests = [i for i in recommended_digests if i in available_digests]
-    medium_digests = [i for i in fallback_digests if i in available_digests]
-    # logger.debug("TLS digests available %s, used %s (or fallback to %s)" %
-    #             (available_digests, strong_digests, medium_digests))
-    if strong_digests:
-        # logger.debug("Using only strong message auth codes: %s" %
-        #             ', '.join(strong_digests))
-        transport_security.digests = strong_digests
+    best_digests = [i for i in strong_digests if i in available_digests]
+    medium_digests = [i for i in legacy_digests if i in available_digests]
+    weak_digests = [i for i in fallback_digests if i in available_digests]
+    # logger.debug("TLS digests available %s: best %s, medium %s, weak %s" %
+    #              (available_digests, best_digests, medium_digests, weak_digests))
+    if best_digests:
+        # logger.debug("Using only strong digests: %s" %
+        #             ', '.join(best_digests))
+        transport_security.digests = best_digests
     elif medium_digests:
-        # logger.debug("Using only medium strength message auth codes: %s" %
-        #             ', '.join(medium_digests))
+        logger.info("Rely on best available legacy digests: %s" %
+                    ', '.join(medium_digests))
         transport_security.digests = medium_digests
+    elif weak_digests:
+        logger.warning("Force best available weak digests: %s" %
+                       ', '.join(weak_digests))
+        transport_security.digests = weak_digests
     else:
-        logger.warning("No strong TLS digest algorithm available!")
-        logger.info("You need paramiko 1.16 or later for best security")
+        logger.warning("No safe TLS digest algorithm available!")
+        logger.info("You need a modern paramiko for proper security")
 
     # Default forces re-keying after every 512MB or same number of packets.
     # We bump that to reduce the slowing effect of those: it's a security

mig/shared/defaults.py

@@ -451,33 +451,41 @@
 # TODO: add curve 'X25519' as first choice once we reach openssl-1.1?
 STRONG_TLS_CURVES = "prime256v1:secp384r1:secp521r1"
 
-# Strong SSH key-exchange (Kex), cipher and message auth code (MAC) settings to
-# allow in OpenSSH and native Paramiko SFTP daemons (on OpenSSH format).
+# SSH hostkey, key-exchange (Kex), cipher and message auth code (MAC) settings
+# to allow in OpenSSH and native Paramiko SFTP daemons (on OpenSSH format).
 # NOTE: harden in line with Mozilla recommendations for modern versions:
 # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Configuration
 # Additional hardening based on https://github.com/arthepsy/ssh-audit
 # Please note that the DH GroupX KexAlgorithms require OpenSSH 7.3+, but that
 # older versions can relatively safely fall back to instead use the
 # diffie-hellman-group-exchange-sha256 as long as the moduli tuning from
 # https://infosec.mozilla.org/guidelines/openssh is applied.
-# Tested to work with popular recent clients on the main platforms:
+# NOTE: DH group14 may also have weak modulus so leave it out.
+# Tested to work with popular clients on the main platforms:
 # OpenSSH-6.6.1+, LFTP-4.4.13+, FileZilla-3.24+, WinSCP-5.13.3+ and PuTTY-0.70+
-# NOTE: CentOS-6 still comes with OpenSSH-5.3 without strong Kex+MAC support
-# thus it's necessary to fake legacy ssh version to support any such clients.
-STRONG_SSH_KEXALGOS = "curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512"
-BEST_SSH_LEGACY_KEXALGOS = "curve25519-sha256@libssh.org"
-SAFE_SSH_LEGACY_KEXALGOS = "diffie-hellman-group-exchange-sha256"
-STRONG_SSH_LEGACY_KEXALGOS = ",".join([BEST_SSH_LEGACY_KEXALGOS,
-                                       SAFE_SSH_LEGACY_KEXALGOS])
+# NOTE: CentOS 7 comes with OpenSSH-7.4 with medium Kex+MAC support
+# but it's necessary to fake legacy ssh version to support older clients.
+# NOTE: ssh-rsa is the deprecated SHA1 based RSA host key exchange. Rely on the
+# modern rsa-sha2-(512|256) algorithms instead where available. Unfortunately
+# ssh-rsa itself cannot be removed on legacy systems without also removing the
+# modern SHA256 versions, too. So keep it last and let client pick best there.
+STRONG_SSH_HOSTKEYALGOS = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256"
+LEGACY_SSH_HOSTKEYALGOS = ",".join([STRONG_SSH_HOSTKEYALGOS, "ssh-rsa"])
+FALLBACK_SSH_HOSTKEYALGOS = LEGACY_SSH_HOSTKEYALGOS
+STRONG_SSH_KEXALGOS = "curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512"
+# NOTE: fall back to relatively safe DH group-exchange-sha256 on old paramiko etc.
+LEGACY_SSH_KEXALGOS = ",".join([STRONG_SSH_KEXALGOS,
+                                "diffie-hellman-group-exchange-sha256"])
+FALLBACK_SSH_KEXALGOS = LEGACY_SSH_KEXALGOS
 STRONG_SSH_CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
-# NOTE: strong cipher support go way back - just reuse
-STRONG_SSH_LEGACY_CIPHERS = BEST_SSH_LEGACY_CIPHERS = SAFE_SSH_LEGACY_CIPHERS = STRONG_SSH_CIPHERS
+# NOTE: avoid chacha20-poly1305@openssh.com to mitigate Terrapin issue on old servers
+LEGACY_SSH_CIPHERS = "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+FALLBACK_SSH_CIPHERS = LEGACY_SSH_CIPHERS
 STRONG_SSH_MACS = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
-# NOTE: extend strong MACS with the best possible alternatives on old paramiko
+LEGACY_SSH_MACS = STRONG_SSH_MACS
+# NOTE: fall back to safe MACS with the best possible alternatives on ancient paramiko
 #       to avoid falling back to really bad ones
-BEST_SSH_LEGACY_MACS = STRONG_SSH_MACS
-SAFE_SSH_LEGACY_MACS = "hmac-sha2-512,hmac-sha2-256"
-STRONG_SSH_LEGACY_MACS = ",".join([BEST_SSH_LEGACY_MACS, SAFE_SSH_LEGACY_MACS])
+FALLBACK_SSH_MACS = ",".join([LEGACY_SSH_MACS, "hmac-sha2-512,hmac-sha2-256"])
 
 # Detect and ban cracking attempts and unauthorized vulnerability scans
 # A pattern to match usernames unambiguously identifying cracking attempts

mig/shared/install.py

@@ -52,10 +52,12 @@
 
 from mig.shared.defaults import default_http_port, default_https_port, \
     auth_openid_mig_db, auth_openid_ext_db, MIG_BASE, STRONG_TLS_CIPHERS, \
-    STRONG_TLS_CURVES, STRONG_SSH_KEXALGOS, STRONG_SSH_LEGACY_KEXALGOS, \
-    STRONG_SSH_CIPHERS, STRONG_SSH_LEGACY_CIPHERS, STRONG_SSH_MACS, \
-    STRONG_SSH_LEGACY_MACS, CRACK_USERNAME_REGEX, CRACK_WEB_REGEX, \
-    keyword_any, keyword_auto
+    STRONG_TLS_CURVES, STRONG_SSH_HOSTKEYALGOS, STRONG_SSH_KEXALGOS, \
+    STRONG_SSH_CIPHERS, STRONG_SSH_MACS, LEGACY_SSH_HOSTKEYALGOS, \
+    LEGACY_SSH_KEXALGOS, LEGACY_SSH_CIPHERS, LEGACY_SSH_MACS, \
+    FALLBACK_SSH_HOSTKEYALGOS, FALLBACK_SSH_KEXALGOS, FALLBACK_SSH_CIPHERS, \
+    FALLBACK_SSH_MACS, CRACK_USERNAME_REGEX, CRACK_WEB_REGEX, keyword_any, \
+    keyword_auto
 from mig.shared.compat import ensure_native_string
 from mig.shared.fileio import read_file, read_file_lines, write_file, \
     write_file_lines
@@ -1134,16 +1136,24 @@ def _generate_confs_prepare(
     user_dict['__APACHE_CURVES__'] = STRONG_TLS_CURVES
 
     # We use raw string comparison here which seems to work alright for X.Y.Z
-    if user_dict['__OPENSSH_VERSION__'] >= "7.3":
-        # Use current strong Kex/Cipher/MAC settings for openssh >=7.3
+    if user_dict['__OPENSSH_VERSION__'] >= "8.0":
+        # Use current strong HostKey/Kex/Cipher/MAC settings for openssh >=8.0
+        user_dict['__OPENSSH_HOSTKEYALGOS__'] = STRONG_SSH_HOSTKEYALGOS
         user_dict['__OPENSSH_KEXALGOS__'] = STRONG_SSH_KEXALGOS
         user_dict['__OPENSSH_CIPHERS__'] = STRONG_SSH_CIPHERS
         user_dict['__OPENSSH_MACS__'] = STRONG_SSH_MACS
+    elif user_dict['__OPENSSH_VERSION__'] >= "7.4":
+        # Fall back to best legacy HostKey/Kex/Cipher/MAC for openssh >=7.4
+        user_dict['__OPENSSH_HOSTKEYALGOS__'] = LEGACY_SSH_HOSTKEYALGOS
+        user_dict['__OPENSSH_KEXALGOS__'] = LEGACY_SSH_KEXALGOS
+        user_dict['__OPENSSH_CIPHERS__'] = LEGACY_SSH_CIPHERS
+        user_dict['__OPENSSH_MACS__'] = LEGACY_SSH_MACS
     else:
-        # Fall back to legacy Kex/Cipher/MAC for openssh <7.3
-        user_dict['__OPENSSH_KEXALGOS__'] = STRONG_SSH_LEGACY_KEXALGOS
-        user_dict['__OPENSSH_CIPHERS__'] = STRONG_SSH_LEGACY_CIPHERS
-        user_dict['__OPENSSH_MACS__'] = STRONG_SSH_LEGACY_MACS
+        # Fall back to best available HostKey/Kex/Cipher/MAC for openssh <7.4
+        user_dict['__OPENSSH_HOSTKEYALGOS__'] = FALLBACK_SSH_HOSTKEYALGOS
+        user_dict['__OPENSSH_KEXALGOS__'] = FALLBACK_SSH_KEXALGOS
+        user_dict['__OPENSSH_CIPHERS__'] = FALLBACK_SSH_CIPHERS
+        user_dict['__OPENSSH_MACS__'] = FALLBACK_SSH_MACS
 
     # We know that login with one of these common usernames is a password
     # cracking attempt since our own username format differs.

tests/fixture/confs-stdlocal/sshd_config-MiG-sftp-subsys

@@ -38,8 +38,9 @@ HostKey /home/mig/certs//server.key
 
 # IMPORTANT: these are *generated* hardened values based on generateconf
 # invocation. Any permanent changes need to be made there.
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
 
 # Logging