The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


openSUSE – Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*) – be sure to review your openssh config!

Posted by jpluimers on 2018/01/20

Before upgrading Tumbleweed this week, you need to review your openssh config.

This is not mentioned in Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*), but it is very important.

So be sure to read these before upgrading:

If you forget to review /etc/ssh/sshd_config, you get this in journalctl if you have specified your own MACs, for instance when hardening according to [WayBack, including ripemd160] Secure Secure Shell:

-- Subject: Unit sshd.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has finished starting up.
--
-- The start-up result is done.
Jan 20 21:02:43 revue sshd[3679]: /etc/ssh/sshd_config line 126: Deprecated option UsePrivilegeSeparation
Jan 20 21:02:43 revue sshd[3679]: /etc/ssh/sshd_config line 157: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-
Jan 20 21:02:43 revue systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Jan 20 21:02:43 revue systemd[1]: sshd.service: Unit entered failed state.
Jan 20 21:02:43 revue systemd[1]: sshd.service: Failed with result 'exit-code'.
Jan 20 21:02:43 revue systemd[1]: sshd.service: Service hold-off time over, scheduling restart.
Jan 20 21:02:43 revue systemd[1]: Stopped OpenSSH Daemon.
-- Subject: Unit sshd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has finished shutting down.

This gets you a more complete error message, as the journal truncates the long MACs line (running sshd -t, the configuration test mode, reports the same problems without trying to start the daemon):

# `which sshd`
/etc/ssh/sshd_config line 126: Deprecated option UsePrivilegeSeparation
/etc/ssh/sshd_config line 157: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'.

You can simply comment out or remove the UsePrivilegeSeparation line, as the OpenSSH 7.5 release notes say:

This release deprecates the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.

Then edit your MACs line and remove both of these entries (OpenSSH 7.6 removed support for the hmac-ripemd160 MAC):

  • hmac-ripemd160-etm@openssh.com
  • hmac-ripemd160

You can verify the supported MACs by running ssh -Q mac, which on my system returns this:

hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
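As an added example (not the post's own code, and not part of openSUSE or OpenSSH), here is a small POSIX shell check that does the review above on an sshd_config before the upgrade: it reports active UsePrivilegeSeparation lines, lists the entries of the MACs line that are not in a given ssh -Q mac output, and prints a replacement MACs line with the dead entries dropped. The config and the supported-MAC list in the demo are constructed from the lines quoted in the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: check an sshd_config for the two things that
# broke sshd after the OpenSSH 7.6 update, a deprecated UsePrivilegeSeparation
# line and MACs the local OpenSSH build no longer offers.
# Only POSIX sh, awk, grep, tr, paste and sed are used.

# Print the entries of the first active MACs line in $1, one per line.
# Accepts "MACs a,b" and "MACs=a,b"; Match blocks are not handled.
config_macs() {
  awk 'tolower($0) ~ /^[ \t]*macs[ \t=]/ { sub(/^[ \t]*[Mm][Aa][Cc][Ss][ \t=]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1" \
    | tr ',' '\n'
}

# Print the MACs from $1 (sshd_config) that are missing from $2, a file holding
# the supported list one per line, i.e. the output of `ssh -Q mac`.
unsupported_macs() {
  config_macs "$1" | while IFS= read -r mac; do
    [ -n "$mac" ] || continue
    grep -qxF -- "$mac" "$2" || printf '%s\n' "$mac"
  done
}

# Print a replacement MACs line with the unsupported entries dropped, keeping
# the original preference order.
fixed_macs_line() {
  config_macs "$1" | while IFS= read -r mac; do
    [ -n "$mac" ] && grep -qxF -- "$mac" "$2" && printf '%s\n' "$mac"
  done | paste -sd, - | sed 's/^/MACs /'
}

# Report active UsePrivilegeSeparation lines (deprecated since OpenSSH 7.5),
# prefixed with their line number.
deprecated_options() {
  grep -niE '^[[:space:]]*UsePrivilegeSeparation([[:space:]=]|$)' "$1" || true
}

# Demo on constructed files: the MACs line from the post's error message and
# the `ssh -Q mac` output the post shows for OpenSSH 7.6 (no ripemd160).
demo() {
  cfg=$(mktemp) && supported=$(mktemp) || return 1
  cat > "$cfg" <<'EOF'
Port 22
UsePrivilegeSeparation sandbox
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
EOF
  # Replace this list with `ssh -Q mac > "$supported"` for a real check.
  printf '%s\n' hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 \
    hmac-md5-96 umac-64@openssh.com umac-128@openssh.com \
    hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com \
    hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com \
    hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com \
    umac-64-etm@openssh.com umac-128-etm@openssh.com > "$supported"

  echo "Deprecated options:"; deprecated_options "$cfg"
  echo "Unsupported MACs:";   unsupported_macs "$cfg" "$supported"
  echo "Suggested line:";     fixed_macs_line "$cfg" "$supported"
  rm -f "$cfg" "$supported"
}

demo
```

Point it at the real /etc/ssh/sshd_config and a list produced by ssh -Q mac on the upgraded system to check your own hardening; after editing, sshd -t validates the file without starting the daemon, which is less disruptive than letting systemd restart-loop on a broken config.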

I’ve asked DimStar to emphasize the above changes in response to [WayBack] Dominique / DimStar on Twitter: Week 2018/3 had a lot of good things for @openSUSE #Tumbleweed users, crammed into 4 snapshots. The weekly review is out!.

These posts helped me a lot to figure out the above:

–jeroen
