sshd_config much more strict in v 2891 of the bosh-stemcell vsphere-esxi-ubuntu-trusty-go_agent


Cyrille Le Clerc

Mar 26, 2015, 8:10:47 AM
to bosh-...@cloudfoundry.org
Dear community,

Can someone explain to me why "/etc/sshd_config" is much more strict in v 2891 of the bosh-stemcell vsphere-esxi-ubuntu-trusty-go_agent (see diff below).

diff -b sshd_config_2889 sshd_config_2891
63,64d62
< X11Forwarding yes
< X11DisplayOffset 10
87a86
> Banner /etc/issue.net
89a89,93
> X11Forwarding no
> MaxAuthTries 3
>
> Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
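Review bot: the 89a89,93 hunk announces five added lines (89 through 93) but only four are pasted, and the omitted one matters most here: the auth.log error quoted below is about a MAC, not a cipher, so the new MACs line is what has to be checked against the client's supported set; please include it. The algorithm names have also been mangled by the list's address obfuscation (chacha20...@openssh.com), so the Ciphers line as shown cannot be copied into a config as-is.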

Jenkins' Java SSH library (trilead-ssh2) fails to establish an SSH connection to such an SSH server, with a "fatal: no matching mac found: client ..." appearing in the auth.log of the SSH server (i.e. the Jenkins slave).

Will future Ubuntu stemcells continue to be hardened like this?
Are there release notes for the stemcells? The "changes between" mentioned on http://boshartifacts.cloudfoundry.org/ does not give a lot of details (e.g. here).

Cyrille

hel...@acm.org

Mar 26, 2015, 9:53:03 AM
to bosh-...@cloudfoundry.org
Fabric also breaks. We use it to back up the Cloud Foundry postgresql databases. For now, we have changed the ssh config of the postgres node manually.

Jon


Cyrille Le Clerc

Mar 26, 2015, 10:05:22 AM
to bosh-...@cloudfoundry.org
Hello Jon,

Did you notice this problem with stemcell 2891 or with 2889? I may also have the problem with 2889; I am double-checking at the moment. My SSH client works with 2824. I am trying to figure out when the regression happened.

Cyrille
--
Cyrille Le Clerc
email & gtalk : clec...@cloudbees.com / mob: +33-6.61.33.69.86 / skype: cyrille.leclerc
CloudBees, Inc
www.cloudbees.com



hel...@acm.org

Mar 26, 2015, 10:51:10 AM
to bosh-...@cloudfoundry.org
Looks like this change got merged for 2881. It's commit 90ca88ea:
"[#88065724] Update Cipher and MACs settings to match the Chef settings from telekomlabs"

Jon

Cyrille Le Clerc

Mar 26, 2015, 11:41:44 AM
to bosh-...@cloudfoundry.org, hel...@acm.org
Thanks Jon,

I was not aware of this convenient site to track changes: http://git_pipeline.cfapps.io/pipelines/bosh/versions

The diff of 90ca88e shows that Ciphers and MACs have been restricted a lot (see below). Could we have an explanation? I will have to share this with the Jenkins community if this choice is definitive, to get Jenkins working with these limited MACs and Ciphers. Could Corey Innis <cin...@pivotal.io>, who signed off this pull request, help me on this?

Cyrille


- Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ Ciphers arcfour,arcfour128,arcfour256,aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com
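Review bot: the '-' line here is the restricted list that stemcell 2891 actually ships (it is the same Ciphers line as in the first diff in this thread), and the '+' line is the broader pre-change list with arcfour, arcfour128 and arcfour256, so the hunk is pasted in the reverse direction of the commit it describes; read '+' as removed and '-' as added. The MACs line, which this message says was also restricted and which the 'no matching mac found' error concerns, is not shown at all, so the hunk does not yet support a conclusion about which MAC to relax.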

Dmitriy Kalinin

Mar 26, 2015, 12:55:09 PM
to bosh-...@cloudfoundry.org, hel...@acm.org
Hey,

CHANGELOG.md [1] would help you here to determine when this was changed. Stemcell version 2847 had the sshd hardening change. We are planning to continue to harden the stemcell with the help of community requests and the security vulnerability scanner we are running.

Regarding this specific change, we are actually planning to relax it to include the hmac-sha1 MAC [2]. Can you confirm that including hmac-sha1 would resolve your problem (you can install the stemcell and manually reconfigure sshd after the installation)?


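To show why the hardened list produces the "no matching mac found" failure Cyrille reports, and how the hmac-sha1 relaxation Dmitriy proposes would change the outcome, here is an added Python example (not code from the stemcell project or from any poster) that mimics SSH algorithm negotiation over an sshd_config fragment. It assumes the truncated names in the thread are the standard OpenSSH ones (chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com); the MACs line and the legacy client's preference lists are constructed, since the thread does not show them.

```python
"""Mimic SSH algorithm negotiation (RFC 4253, section 7.1) over sshd_config
Ciphers/MACs lines.  Added example, not stemcell or poster code; the MACs line
and the legacy client's preference lists below are constructed assumptions."""

# Ciphers as quoted for stemcell 2891 (full OpenSSH names assumed for the
# truncated ones); MACs is an assumed hardened set, not shown in the thread.
STEMCELL_2891_SSHD = """\
X11Forwarding no
MaxAuthTries 3
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
"""

# Constructed stand-in for an older Java client's preferences (not the real
# trilead-ssh2 lists): CTR-capable, but only SHA-1/MD5 MACs.
LEGACY_CLIENT_CIPHERS = ["aes128-ctr", "aes128-cbc", "3des-cbc"]
LEGACY_CLIENT_MACS = ["hmac-sha1", "hmac-md5"]


def parse_sshd_config(text):
    """Return {keyword: [algorithms]} for the comma-list keywords; last one wins."""
    algos = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("ciphers", "macs", "kexalgorithms"):
            algos[parts[0].lower()] = [a for a in parts[1].split(",") if a]
    return algos


def negotiate(client_prefs, server_list):
    """First algorithm in the client's order that the server also offers, else None."""
    offered = set(server_list)
    return next((a for a in client_prefs if a in offered), None)


def check_client(config_text, client_ciphers, client_macs):
    """None in the result is the side sshd logs as 'no matching cipher/mac found'."""
    algos = parse_sshd_config(config_text)
    return {"cipher": negotiate(client_ciphers, algos.get("ciphers", [])),
            "mac": negotiate(client_macs, algos.get("macs", []))}


def relax_macs(config_text, extra_mac="hmac-sha1"):
    """Append one MAC to the MACs line, as the proposed relaxation would."""
    lines = [l.rstrip() + "," + extra_mac if l.lower().startswith("macs ") else l
             for l in config_text.splitlines()]
    return "\n".join(lines) + "\n"
```

Running check_client on the shipped config gives a cipher (aes128-ctr) but no MAC, which is exactly the server-side log line the thread quotes; after relax_macs the same client negotiates hmac-sha1.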