#2421 Issue closed: Expect include files in OpenSSH client (ssh) and server (sshd) configuration
Labels: enhancement, fixed / solved / done

OliverO2 opened issue at 2020-06-06 22:13:
From the OpenSSH release notes:

OpenSSH 7.3/7.3p1 (2016-08-01):
- ssh(1): Add an Include directive for ssh_config(5) files.

OpenSSH 8.2/8.2p1 (2020-02-14):
- sshd(8): add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns.

Ubuntu 20.04 LTS with OpenSSH 8.2 uses this directive at the top of its configuration files.
- In /etc/ssh/ssh_config: Include /etc/ssh/ssh_config.d/*.conf
- In /etc/ssh/sshd_config: Include /etc/ssh/sshd_config.d/*.conf
Where ReaR currently scans, copies or patches such files, it should expect additional settings living in separate configuration files referenced by the Include directive.
The current manual page states:
/etc/ssh/sshd_config.d/*.conf files are included at the start of the configuration file, so options set there will override those in /etc/ssh/sshd_config.

So it would be sufficient to insert ReaR overrides at the beginning of a patched configuration file (as it is done currently) without worrying about any duplicate setting later on in any include file or in the main configuration file.

An important detail regarding Match directives is not documented in the manual pages but in this Bugzilla comment:
Included files do not affect the match context of the file including them.
jsmeix commented at 2020-06-08 08:23:¶
@OliverO2 @gdha
do you think this is something that must be done for ReaR 2.6
or can it be done later for ReaR 2.7?
FYI:
SLES15 SP1 and openSUSE Leap 15.1 have openssh-7.9p1 while
SLES15 SP1 and openSUSE Leap 15.2 will have openssh-8.1p1
and openSUSE Tumbleweed already has openssh-8.1p1
gdha commented at 2020-06-08 09:25:¶
@OliverO2 @jsmeix As ReaR-2.6 will be used on RedHat 8 and Ubuntu 20 I would pin this issue to release 2.6 if you do not mind?
RedHat 7: openssh-7.4p1-21 and does not have a /etc/ssh/ssh_config.d directory
RedHat 8: openssh-8.0p1-4 and does have a /etc/ssh/ssh_config.d/ directory
Fedora 32: openssh-8.3p1-2 and does have a /etc/ssh/ssh_config.d/ directory
OliverO2 commented at 2020-06-08 09:32:¶
@jsmeix @gdha The current code works as is on Ubuntu 20.04 as those .d directories are empty as distributed. So I had considered it as an issue to watch for future releases. If I remember correctly, we should be mostly concerned with the code that scans for unprotected SSH private keys as such keys might live in files below /etc/ssh/ssh_config.d in the future.
gdha commented at 2020-06-08 09:38:¶
@OliverO2 @jsmeix RedHat 8 includes the following:

$ cat /etc/ssh/ssh_config.d/05-redhat.conf
# The options here are in the "Match final block" to be applied as the last
# options and could be potentially overwritten by the user configuration
Match final all
    # Follow system-wide Crypto Policy, if defined:
    Include /etc/crypto-policies/back-ends/openssh.config

    GSSAPIAuthentication yes

    # If this option is set to yes then remote X11 clients will have full access
    # to the original X11 display. As virtually no X11 client supports the untrusted
    # mode correctly we set this to yes.
    ForwardX11Trusted yes

    # Send locale-related environment variables
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS

    # Uncomment this if you want to use .local domain
    # Host *.local

$ cat /etc/crypto-policies/back-ends/openssh.config
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
GSSAPIKexAlgorithms gss-gex-sha1-,gss-group14-sha1-
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
CASignatureAlgorithms rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
OliverO2 commented at 2020-06-08 09:51:¶
The RedHat 8 configuration looks interesting. Two levels of Include files.
If you'd like to tackle this, it would probably be safest to
- scan and interpret the include directives (which may contain glob expressions) recursively,
- copy the included files onto the recovery system,
- scan included ssh config files for unprotected private keys.
To me, it looks like there is no need to change patching sshd_config done by usr/share/rear/build/default/500_ssh_setup.sh as the current code works properly even in the presence of included files.
(Note that you cannot just concatenate included files to create a new configuration as this would change Match contexts and result in different semantics.)
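The recursive Include handling and per-file key scanning described in the three points above, as an added example written for this thread (not ReaR's own code and not the change in PR 2422): it follows Include directives recursively, lets the shell expand their glob patterns, and collects IdentityFile values from each reached file separately instead of concatenating files. It assumes that relative Include paths resolve against the including file's directory and runs on a constructed sample tree modelled on the two-level RedHat 8 layout shown above.

```shell
#!/bin/sh
# Added example, not ReaR's code. POSIX sh; only positional parameters are used
# inside resolve_ssh_config so the recursion cannot clobber the caller's state.

# resolve_ssh_config <config-file> [depth]
# Prints the given file and every file reached through 'Include', one per line.
resolve_ssh_config() {
    [ "${2:-0}" -gt 16 ] && { echo "Include nesting too deep at $1" >&2; return 1; }
    [ -f "$1" ] || return 0
    echo "$1"
    # Keep the arguments of 'Include' lines (keyword is case-insensitive, '=' is
    # allowed as separator) and drop trailing comments.
    sed -n 's/^[[:space:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:space:]=]*//p' "$1" | sed 's/#.*//' |
    while read -r patterns ; do
        for pattern in $patterns ; do
            # Assumption: relative paths are taken relative to the including file's directory
            case $pattern in /*) ;; *) pattern="$(dirname "$1")/$pattern" ;; esac
            for f in $pattern ; do   # unquoted on purpose: the shell expands the glob
                resolve_ssh_config "$f" $(( ${2:-0} + 1 ))
            done
        done
    done
}

# ssh_identity_files <config-file>
# Prints every IdentityFile value from the main file and all included files.
# Each file is scanned on its own, so Match contexts are never merged.
ssh_identity_files() {
    resolve_ssh_config "$1" | while read -r f ; do
        sed -n 's/^[[:space:]]*[Ii][Dd][Ee][Nn][Tt][Ii][Tt][Yy][Ff][Ii][Ll][Ee][[:space:]=]*//p' "$f" |
        sed 's/#.*//;s/[[:space:]]*$//'
    done
}

# Constructed sample tree: main config includes a .d directory via glob, and the
# .d file includes a crypto-policy file by absolute path (two levels of Include).
demo_ssh_identity_files() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh/ssh_config.d" "$d/etc/crypto-policies/back-ends"
    printf 'Include ssh_config.d/*.conf\nHost *\n  IdentityFile ~/.ssh/id_rsa\n' > "$d/etc/ssh/ssh_config"
    printf 'Match final all\n  Include %s/etc/crypto-policies/back-ends/openssh.config\n  IdentityFile /root/.ssh/backup_key\n' \
        "$d" > "$d/etc/ssh/ssh_config.d/05-redhat.conf"
    printf 'Ciphers aes256-gcm@openssh.com\n' > "$d/etc/crypto-policies/back-ends/openssh.config"
    ssh_identity_files "$d/etc/ssh/ssh_config"
    rm -rf "$d"
}

demo_ssh_identity_files
```

The key paths printed are the candidates a scanner would then test for a missing passphrase; the example stops at listing them.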
jsmeix commented at 2020-06-08 11:55:¶
Regarding
https://github.com/rear/rear/issues/2421#issuecomment-640488807
Via
https://github.com/rear/rear/pull/2422
I overhauled how SSH config files are parsed for IdentityFile values to find (and remove) unprotected SSH keys in the recovery system.
Now find ./etc/ssh should ensure that SSH 'Include' config files e.g. in /etc/ssh/ssh_config.d/ are also parsed.
jsmeix commented at 2020-06-08 12:11:¶
Regarding "copy the included files onto the recovery system" in
https://github.com/rear/rear/issues/2421#issuecomment-640499017
In usr/share/rear/rescue/default/500_ssh.sh we have (excerpts):

if is_true "$SSH_FILES" ; then
    ...
    copy_as_is_ssh_files=( /etc/s[s]h ... )
    ...
    ... COPY_AS_IS+=( "${copy_as_is_ssh_files[@]}" )

so with explicit SSH_FILES="yes" the user can get all below /etc/ssh copied into his recovery system (including sensitive SSH files therein).
jsmeix commented at 2020-06-09 09:42:¶
With
https://github.com/rear/rear/pull/2422
merged the part about "the code that scans for unprotected SSH private keys" in
https://github.com/rear/rear/issues/2421#issuecomment-640488807
should now be fixed.
OliverO2 commented at 2020-06-09 13:47:¶
I'd say this issue can be closed.
The patching code is still correct. For recent OpenSSH versions, we would no longer need to uncomment overridden settings which appear later in the configuration file, as only the first setting rules. However, older versions of sshd might see things differently and possibly complain about multiple definitions of the same setting. So for now I'd say it is best if we leave it at that.
jsmeix commented at 2020-06-15 07:48:¶
@OliverO2
thank you for the attentive issue report and your help and your checks
to have things properly adapted in ReaR for recent OpenSSH versions.
[Export of Github issue for rear/rear.]