PR#69: Update Systemd security settings - rpms/openssh

rpms / openssh

#69 Update Systemd security settings

Opened 2 months ago by sundaram. Modified 2 months ago

rpms/ sundaram/openssh rawhide into rawhide

Update Systemd security settings

Rahul Sundaram • 2 months ago

afdf4b2

openssh.spec

file modified

+5 -2

		`@@ -54,7 +54,7 @@`
		`Summary: An open source implementation of SSH protocol version 2`
		`Name: openssh`
		`Version: %{openssh_ver}`
		`- Release: %{openssh_rel}%{?dist}.2`
		`+ Release: %{openssh_rel}%{?dist}.3`
		`URL: http://www.openssh.com/portable.html`
		`#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/`
		`Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz`
		`@@ -303,7 +303,7 @@`
		`%package -n pam_ssh_agent_auth`
		`Summary: PAM module for authentication with ssh-agent`
		`Version: %{pam_ssh_agent_ver}`
		`- Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2`
		`+ Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.3`
		`License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant AND OpenSSL`

		`%description`
		`@@ -739,6 +739,9 @@`
		`%endif`

		`%changelog`
		`+ * Mon Mar 11 2024 Rahul Sundaram <sundaram@fedoraproject.org> - 9.6p1-1.3`
		`+ - Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening`
		`+`
		`* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.6p1-1.2`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild`

sshd.service

file modified

+20

		`@@ -15,6 +15,26 @@`
		`KillMode=process`
		`Restart=on-failure`
		`RestartSec=42s`
		`+ DevicePolicy=closed`
dbelyavs commented 2 months ago This is definitely too strict and breaks chroot scenarios.
		`+ KeyringMode=private`
		`+ LockPersonality=yes`
		`+ MemoryDenyWriteExecute=yes`
		`+ NoNewPrivileges=no`
		`+ PrivateDevices=yes`
		`+ PrivateTmp=no`
		`+ ProtectClock=yes`
		`+ ProtectControlGroups=yes`
		`+ ProtectHome=no`
dbelyavs commented 2 months ago I commented the lines below to see what exactly causes problems
		`+ ProtectHostname=yes`
		`+ ProtectKernelLogs=yes`
		`+ ProtectKernelModules=yes`
		`+ ProtectKernelTunables=yes`
		`+ ProtectProc=invisible`
		`+ ProtectSystem=yes`
		`+ ProcSubset=pid`
		`+ RestrictRealtime=yes`
		`+ RestrictSUIDSGID=yes`
		`+ SystemCallArchitectures=native`

		`[Install]`
		`WantedBy=multi-user.target`

sshd@.service

file modified

+20

		`@@ -11,3 +11,23 @@`
		`EnvironmentFile=-/etc/sysconfig/sshd`
		`ExecStart=-/usr/sbin/sshd -i $OPTIONS`
		`StandardInput=socket`
		`+ DevicePolicy=closed`
		`+ KeyringMode=private`
		`+ LockPersonality=yes`
		`+ MemoryDenyWriteExecute=yes`
		`+ NoNewPrivileges=no`
		`+ PrivateDevices=yes`
		`+ PrivateTmp=no`
		`+ ProtectClock=yes`
		`+ ProtectControlGroups=yes`
		`+ ProtectHome=no`
		`+ ProtectHostname=yes`
		`+ ProtectKernelLogs=yes`
		`+ ProtectKernelModules=yes`
		`+ ProtectKernelTunables=yes`
		`+ ProtectProc=invisible`
		`+ ProtectSystem=yes`
		`+ ProcSubset=pid`
		`+ RestrictRealtime=yes`
		`+ RestrictSUIDSGID=yes`
		`+ SystemCallArchitectures=native`

sundaram commented 2 months ago

Hello, As part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening which has been approved for Fedora 40, I am working on updating Systemd services to add additional hardening settings, please review this PR and let me know if you have any feedback. Everything here works with the default OpenSSH configuration.