ã€ç’°å¢ƒã€‘
$ cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
$ ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1c FIPS 28 May 2019
Cent8 ã® /etc/ssh/sshd_config ã«ã€ŒCiphersã€ã‚’指定ã—ã¦ã‚‚ã€åæ˜ ã•ã‚Œãªã„よ・・・
ã¨ã„ã†ç›¸è«‡ã‚’å—ã‘ãŸã®ã§ã€ã‚„ã£ã¦ã¿ãŸã€‚
インストール後ã€ç‰¹ã«è¨å®šã‚’弄ã£ã¦ã„ãªã„ /etc/ssh/sshd_config ã«ã¦ã€
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
ã®ã‚ˆã†ã«ã„ãã¤ã‹è¨å®šã‚’書ã„ã¦ã¿ãŸãŒã€ã©ã†ã‚‚有効ã«ãªã£ã¦ã„ãªã„。
ã©ã†ã‚‚CentOS 7ã¾ã§ã¨ã¯æ§˜åãŒé•ã†ï¼Ÿ
次ã®ã‚ˆã†ãªæ„Ÿã˜ã§æŽ¥ç¶šã‚’試ã™ã¨ã€sshd_config ã§è¨±å¯ã—ã¦ã„ãªã„Ciphers ã§æŽ¥ç¶šã—ã¦ã—ã¾ã£ãŸã€‚
$ ssh -c aes128-cbc localhost
sshd ã‚’å†èµ·å‹•ã™ã‚‹ã®å¿˜ã‚ŒãŸï¼Ÿã¨ã‹ä¸€çž¬æ€ã£ãŸã‘ã©ã€ãã†ã§ã¯ãªã‹ã£ãŸã®ã§ã€
systemd 周りを見ã¦ã„ãã“ã¨ã«ã—ãŸã€‚
ã¾ãšã¯ã€/usr/lib/systemd/system/sshd.service
[Unit] Description=OpenSSH server daemon Documentation=man:sshd(8) man:sshd_config(5) After=network.target sshd-keygen.target Wants=sshd-keygen.target [Service] Type=notify EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config EnvironmentFile=-/etc/sysconfig/sshd ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY ExecReload=/bin/kill -HUP $MAINPID KillMode=process Restart=on-failure RestartSec=42s [Install] WantedBy=multi-user.target
ã§ã‚ã‚Šã€
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ãŒsshdã®èµ·å‹•ã‚³ãƒžãƒ³ãƒ‰ã€‚
プãƒã‚»ã‚¹ã‚’見ã¦ã¿ã‚‹ã¨ã€
# ps aux | grep sshd ・・・ root 2592 0.0 0.3 92968 6860 ? Ss 18:58 0:00 /usr/sbin/sshd -D -oCiphers=[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc -oMACs=[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
ã‚ã€ã™ã‚“ã”ãƒé•·ã„。
å‰è¿°ã®ãƒ•ã‚¡ã‚¤ãƒ«ã«ã‚ã£ãŸã€Œ-D $OPTIONS $CRYPTO_POLICYã€ã®éƒ¨åˆ†ã®ã©ã¡ã‚‰ã‹ãŒé•·ã„訳ã§ã€ã‚‚ã†å°‘ã—見ã¦ã¿ã‚‹ã“ã¨ã«ã€‚
/usr/lib/systemd/system/sshd.service ã®ä¸ã§ã€é–¢ä¿‚ã™ã‚‹ã®ã¯ä»¥ä¸‹ã®éƒ¨åˆ†ã€‚
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config EnvironmentFile=-/etc/sysconfig/sshd ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
EnvironmentFile ã§æŒ‡å®šã•ã‚ŒãŸãƒ•ã‚¡ã‚¤ãƒ«ã‚’見ã¦ã¿ã‚‹ã¨ãƒ»ãƒ»ãƒ»
/etc/crypto-policies/back-ends/opensshserver.config ã¯ã€
CRYPTO_POLICY='[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'
変数å CRYPTO_POLICY も一致ã§ã€å…ˆã»ã©ã®psコマンドã®çµæžœã¨åŒã˜ã€‚
ã“れをよã見るã¨ã€ã€Œ-oCiphers=ã€ã§æŒ‡å®šã•ã‚ŒãŸã‚ªãƒ—ションãŒã‚る。
sshdãŒèµ·å‹•ã™ã‚‹éš›ã€è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆsshd_config)をèªã¿è¾¼ã‚€ã‚‚ã®ã®ã€sshd ã®èµ·å‹•æ™‚ã«ã‚³ãƒžãƒ³ãƒ‰ãƒ©ã‚¤ãƒ³ã§æŒ‡å®šã•ã‚ŒãŸã‚ªãƒ—ションã®æ–¹ãŒå„ªå…ˆã•ã‚Œã‚‹ã€‚
従ã£ã¦ã€sshd_config ã« Ciphers ã‚’è¨å®šã—ã¦ã‚‚ã€æœ‰åŠ¹ã«ãªã£ã¦ã„ãªã‹ã£ãŸã€‚
ã‚‚ã†1ã¤ã®ãƒ•ã‚¡ã‚¤ãƒ«ã€/etc/sysconfig/sshd ã¯ã€
# Configuration file for the sshd service. # The server keys are automatically generated if they are missing. # To change the automatic creation, adjust sshd.service options for # example using systemctl enable [email protected] to allow creation # of DSA key or systemctl mask [email protected] to disable RSA key # creation. # Do not change this option unless you have hardware random # generator and you REALLY know what you are doing SSH_USE_STRONG_RNG=0 # SSH_USE_STRONG_RNG=1 # System-wide crypto policy: # To opt-out, uncomment the following line # CRYPTO_POLICY=
ã¨ãªã£ã¦ã„ã¦ã€CRYPTO_POLICY ã¯ã‚³ãƒ¡ãƒ³ãƒˆè¡Œã«ãªã£ã¦ã„る。
ã¤ã„ã§ã«ã€
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ã«æ›¸ã‹ã‚Œã¦ã„る変数å $OPTIONS ã¯è¦‹å½“ãŸã‚‰ãªã„・・・
ã“ã‚ŒãŒä½•ã‹ã¯åˆ†ã‹ã‚‰ãš(´・ω・`)
ã§ã¯ CRYPTO_POLICY ã£ã¦ä½•ï¼Ÿã¨ã„ã†äº‹ã ã‘ã©ã€èµ¤å¸½ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã•ã‚“ã®Blogã«è©³ã—ã解説ãŒã‚ã‚‹ã®ã§å‚考。
rheb.hatenablog.com
åŽŸå› ã¯åˆ†ã‹ã£ãŸã‘ã©ã€ã©ã†ã‚„ã£ã¦å¯¾å‡¦ã™ã‚‹ï¼Ÿã¨ã„ã†ã®ã¯ã€ä»¥ä¸‹ã®ã„ãšã‚Œã‹ãŒè€ƒãˆã‚‰ã‚Œã‚‹ã€‚
- 方法1)crypto-policies ã‚’ DEFAULT より高セã‚ュリティã¸å¤‰æ›´
- 方法2)/etc/sysconfig/sshd ã« CRYPTO_POLICY= ã¨ç©ºæ–‡å—を指定ã—ã€sshd_config ã®è¨˜è¼‰ã‚’有効ã«ã™ã‚‹
crypto-policies を変更ã™ã‚‹å ´åˆ
ç¾çŠ¶ç¢ºèªã¨è¨å®šå¤‰æ›´ã¯ä»¥ä¸‹ã®é€šã‚Šã€‚
ç¾çŠ¶ç¢ºèª # update-crypto-policies --show è¨å®šå¤‰æ›´ # update-crypto-policies --set FUTURE
/etc/crypto-policies/config ãŒæ›¸ãæ›ã‚るらã—ã„。
crypto-policies を変更後ã€sshd ã‚’å†èµ·å‹•ã—㦠ps コマンド㧠sshd ã®ã‚³ãƒžãƒ³ãƒ‰ãƒ©ã‚¤ãƒ³ã‚ªãƒ—ションを確èªã—ã¦ã¿ãŸã€‚
DEFAULTã®å ´åˆ -oCiphers=[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc FIPSã®å ´åˆ -oCiphers=[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc FUTUREã®å ´åˆ -oCiphers=[email protected],[email protected],aes256-ctr,aes256-cbc LEGACYã®å ´åˆ -oCiphers=[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc,3des-cbc
LEGACY ã ã¨ã€3des ãŒå‡ºã¦ãる。
/etc/sysconfig/sshd ã« CRYPTO_POLICY= ã¨ç©ºæ–‡å—を指定ã—ã€sshd_config ã®è¨˜è¼‰ã‚’有効ã«ã™ã‚‹å ´åˆ
ã“ã¡ã‚‰ã®æ–¹æ³•ã¯ã€Ciphers ã‚’ç´°ã‹ã自由ã«è¨å®šã§ãる。
ã¾ãŸã€ã“ã®æ–¹æ³•ã®å ´åˆã€MACs ã‚„ KexAlgorithms ãªã©ã€$CRYPTO_POLICY ã®å¤‰æ•°ã§æŒ‡å®šã•ã‚Œã¦ã„ãŸé …目も sshd_config ã§è¨å®šã§ãるよã†ã«ãªã‚‹ã€‚
/etc/sysconfig/sshd ã«ã¦
#CRYPTO_POLICY=  ↓ CRYPTO_POLICY=
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
ãªã©ã¨ã—ã€sshd ã‚’å†èµ·å‹•ã€‚
ã„ãšã‚Œã®å ´åˆã‚‚ã€ä»¥ä¸‹ã®ã‚ˆã†ã«å‹•ä½œç¢ºèªã™ã‚‹
$ ssh -c aes128-cbc localhost Unable to negotiate with 127.0.0.1 port 22: no matching cipher found. Their offer: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
ã¤ã„ã§ã«ã€æŒ‡å®šå¯èƒ½ãªæš—å·åŒ–æ–¹å¼ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ç¢ºèªã§ãる。
$ ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc [email protected] aes128-ctr aes192-ctr aes256-ctr [email protected] [email protected] [email protected]
