ideas 2
Ed
df at bsd.it
Wed Jul 28 09:04:55 PDT 2004
Hi,
here another round...
. ........................................................................
1) If you plan to start syslogd at boot, please make it uses by default "-ss"
option, so it doesn't open any network connection.
A bit of paranoia.
. ........................................................................
2) By default ssh and sshd can automatically switch to the obsolete SSH
protocol v1 if one of the two doesn't support v2. I'm asking to remove this
automatic process, letting the user manually choose obsolete v1 using "ssh
-1" command.
/usr/src/crypto/openssh/sshd_config
- #Protocol 2,1
+ Protocol 2
/usr/src/crypto/openssh/ssh_config
- # Protocol 2,1
+ Protocol 2
Nota: SSHv1 is like plain text and it's vulnerable to MiM.
. ........................................................................
3) Obsolete SSH protocol v1 key is only 768 bits long and it's regenerated
every hour. Even if I suggest not to use v1, I think it can be better to
increase the keysize to 1024.
/usr/src/crypto/openssh/sshd_config
- #ServerKeyBits 768
+ ServerKeyBits 1024
. ........................................................................
4) Given the fact the most people follow a method of jumping across release,
instead of updating from scratch everytime, SSH v2 server keys can stay the
same for more than one year. Even if it's not already known a method to
decrypt a public key, I'm asking to make it more difficult incrementing the
default keysize to 2048.
src/etc/rc.d/sshd
- /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+ /usr/bin/ssh-keygen -t dsa -b 2048 -f /etc/ssh/ssh_host_dsa_key -N ''
- /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+ /usr/bin/ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
. ........................................................................
5) I would suggest to modify the current banner of sshd so that it would seems
a clean installation of OpenSSH-portable. Using a special banner is a good
way to let everyone know if you're vulnerable to some attacks. Like happened
with Apache worms that were looking for particular versions/platform.
/usr/src/crypto/openssh/version.h
- #define SSH_VERSION_ADDENDUM "DragonFly-20030916B"
+ #define SSH_VERSION_ADDENDUM ""
. ........................................................................
6) DF is a complete OS and so you can have your own needs. This should let you
ask for commits on external projects like OpenSSH-portable and OpenSSL. What
I'm suggesting is to import their code as they release it and send them any
patch so that they'll be the real maintainers of the code. This can be easy
if you think at #ifdef and ./configure --host=DragonFlyBSD. This should save
DF developers time and keep original authors working on their projects for
you.
. ........................................................................
7) On the IRC channel I was talking with someone about BIND removal.
Obviously I would be happy to see removed a DNS _server_ from the base system,
because very few people needs it and who want to install a DNS server would
probably prefer another one (djbdns ?).
I know that someone was looking at the problem of the resolving library and I
hope this could be addressed with a small effort.
. ........................................................................
8) Please make /tmp cleaning at boot time a default setting. It's a good thing
for privacy and security.
. ........................................................................
This is not the end... I've some other unsaid ideas !
Ed
More information about the Kernel
mailing list