ideas 2

Ed df at bsd.it
Wed Jul 28 09:04:55 PDT 2004


Hi,

here's another round...


. ........................................................................

1) If you plan to start syslogd at boot, please make it use the "-ss" 
option by default, so it doesn't open any network connection.
A bit of paranoia.

. ........................................................................

2) By default ssh and sshd can automatically switch to the obsolete SSH 
protocol v1 if one of the two doesn't support v2. I'm asking to remove this 
automatic process, letting the user manually choose the obsolete v1 using the 
"ssh -1" command.

/usr/src/crypto/openssh/sshd_config

-       #Protocol 2,1
+       Protocol 2
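Review bot: replacing the commented line loses the record of the compiled-in default ("2,1") that the stock sshd_config keeps as a "#Keyword value" comment; suggest leaving `#Protocol 2,1` in place and adding `Protocol 2` beneath it, so a reader of the file can still see what the daemon falls back to if the line is ever removed.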


/usr/src/crypto/openssh/ssh_config

-       #   Protocol 2,1
+       Protocol 2
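Review bot: same documentation point as the sshd_config hunk, keep the `#   Protocol 2,1` comment above the new `Protocol 2` line. The manual escape hatch the text relies on (`ssh -1`) still works after this change, since ssh's command-line options override ssh_config; it would be worth saying so in the commit message, as would noting that users who need v1 for one specific host can set `Protocol 1` in a per-host block instead of passing the flag each time.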


Note: SSHv1 is like plain text and it's vulnerable to MitM.

. ........................................................................

3) The obsolete SSH protocol v1 key is only 768 bits long and it's regenerated 
every hour. Even if I suggest not to use v1, I think it would be better to 
increase the key size to 1024.

/usr/src/crypto/openssh/sshd_config

-       #ServerKeyBits 768
+       ServerKeyBits 1024
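Review bot: ServerKeyBits only affects the protocol v1 server key, so once the `Protocol 2` hunk from item 2 is applied this line is dead configuration; suggest either dropping this hunk or adding a comment stating that it is a defence-in-depth setting for administrators who re-enable v1, otherwise a later maintainer will wonder why a disabled protocol is being tuned.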

. ........................................................................

4) Given the fact that most people follow a method of jumping across releases, 
instead of updating from scratch every time, SSH v2 server keys can stay the 
same for more than one year. Even if no method to decrypt a public key is yet 
known, I'm asking to make it more difficult by increasing the default key size 
to 2048.

src/etc/rc.d/sshd

-	/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+	/usr/bin/ssh-keygen -t dsa -b 2048 -f /etc/ssh/ssh_host_dsa_key -N ''
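Review bot: `-b 2048` on the DSA line is questionable. DSA as standardised in FIPS 186-2 uses a 1024-bit p with a 160-bit q, and the signature strength is bounded by that 160-bit subgroup (and by SHA-1), so a larger p does not buy the margin the text asks for, and produces a non-standard host key that some implementations refuse; suggest leaving the DSA invocation at its default and letting the RSA hunk carry the size increase.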


-	/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+	/usr/bin/ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
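Review bot: the hunk changes only the size of keys generated when none exist yet, so systems upgraded in place keep the 1024-bit RSA key they already have, which is exactly the long-lived-key case item 4 is worried about; suggest the commit message (or UPDATING) tell administrators that existing host keys must be regenerated by hand for the new default to apply, and that clients will then see a changed host key fingerprint.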

. ........................................................................

5) I would suggest modifying the current banner of sshd so that it would seem 
a clean installation of OpenSSH-portable. Using a special banner is a good 
way to let everyone know if you're vulnerable to some attacks, like what 
happened with the Apache worms that were looking for particular versions/platforms.

/usr/src/crypto/openssh/version.h

-	#define SSH_VERSION_ADDENDUM	"DragonFly-20030916B"
+	#define SSH_VERSION_ADDENDUM	""
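Review bot: an empty addendum makes the banner identical to stock OpenSSH-portable, which is the stated goal, but the addendum is also the only thing that lets version-aware inventory and vulnerability scanners tell a patched DragonFly sshd from an unpatched one; suggest the commit message state how operators should verify the installed patch level instead (the OS release the build came from), and make clear that hiding the string is a fingerprinting reduction, not a substitute for applying OpenSSH fixes.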

. ........................................................................

6) DF is a complete OS and so you can have your own needs. This should let you 
ask for commits on external projects like OpenSSH-portable and OpenSSL. What 
I'm suggesting is to import their code as they release it and send them any 
patch, so that they'll be the real maintainers of the code. This can be easy 
if you think of #ifdef and ./configure --host=DragonFlyBSD. This should save 
DF developers time and keep the original authors working on their projects for 
you.

. ........................................................................

7) On the IRC channel I was talking with someone about BIND removal.
Obviously I would be happy to see a DNS _server_ removed from the base system, 
because very few people need it, and whoever wants to install a DNS server would 
probably prefer another one (djbdns?).

I know that someone was looking at the problem of the resolving library and I 
hope this could be addressed with a small effort.

. ........................................................................

8) Please make /tmp cleaning at boot time a default setting. It's a good thing 
for privacy and security.

. ........................................................................



This is not the end... I've some other unsaid ideas!


	Ed
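A config audit for items 2 and 3 above, as an added example that is not part of Ed's mail or of the DragonFly or OpenSSH sources: a POSIX sh script that reads an sshd_config the way sshd does (first uncommented keyword wins, a missing keyword means the compiled-in default) and reports whether v1 fallback is off and ServerKeyBits is at least 1024. The sample config is constructed, and the assumed compiled-in defaults ("2,1" and 768) are taken from the commented lines the mail quotes.

```shell
#!/bin/sh
# Added audit helper (not DragonFly's or OpenSSH's code). sshd honours the
# FIRST uncommented occurrence of a keyword; the stock file documents the
# compiled-in default of each keyword as a "#Keyword value" comment line.

# Constructed sample config, mirroring the stock defaults quoted in the post.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample, not a real host's file
#Protocol 2,1
#ServerKeyBits 768
PermitRootLogin no
EOF

# Print the effective value of keyword $2 in config file $1 (empty if unset).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                    # skip comments (documented defaults)
        tolower($1) == key { print $2; exit }  # first match wins, as in sshd
    ' "$1"
}

# Item 2: protocol v1 must not be offered. An unset keyword falls back to the
# era's compiled-in default "2,1" (assumed from the post's commented line).
check_protocol() {
    v=$(effective_value "$1" Protocol)
    [ "${v:-2,1}" = "2" ]
}

# Item 3: v1 server key size must be at least 1024 (default 768 if unset).
check_serverkeybits() {
    v=$(effective_value "$1" ServerKeyBits)
    [ "${v:-768}" -ge 1024 ]
}

# Run both checks; exit status 0 only when the file passes everything.
audit_sshd_config() {
    rc=0
    if check_protocol "$1"; then echo "OK   Protocol 2 only"
    else echo "WARN protocol v1 still allowed"; rc=1; fi
    if check_serverkeybits "$1"; then echo "OK   ServerKeyBits >= 1024"
    else echo "WARN ServerKeyBits below 1024"; rc=1; fi
    return $rc
}

# Usage: the stock sample fails; the same file plus the post's two lines passes.
HARDENED_CONFIG=$(mktemp)
{ cat "$SAMPLE_CONFIG"; printf 'Protocol 2\nServerKeyBits 1024\n'; } > "$HARDENED_CONFIG"
if audit_sshd_config "$SAMPLE_CONFIG"; then echo "hardened"; else echo "needs changes"; fi
if audit_sshd_config "$HARDENED_CONFIG"; then echo "hardened"; else echo "needs changes"; fi
```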