Skip to content

Improve SSHD config to use more secure settings#12109

Merged
liuh-80 merged 1 commit intosonic-net:masterfrom
liuh-80:dev/liuh/improve-sshd-config
Sep 22, 2022
Merged

Improve SSHD config to use more secure settings#12109
liuh-80 merged 1 commit intosonic-net:masterfrom
liuh-80:dev/liuh/improve-sshd-config

Conversation

@liuh-80
Copy link
Copy Markdown
Contributor

@liuh-80 liuh-80 commented Sep 19, 2022

Improve SSHD config to use more secure settings

Why I did it

According to Sonic OS review result, SSHD config file /etc/ssh/sshd_config using insecure settings.

How I did it

Change build_debian.sh script to set following settings to /etc/ssh/sshd_config:
ClientAliveInterval is set to 300
MaxAuthTries is set to default of 3
Banner set to /etc/issue
LogLevel is set to VERBOSE

How to verify it

Pass all E2E test case.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205

Description for the changelog

Improve SSHD config to use more secure settings

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@liuh-80
Copy link
Copy Markdown
Contributor Author

liuh-80 commented Sep 20, 2022

/azp run Azure.sonic-buildimage

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines bot commented Sep 20, 2022

Azure Pipelines successfully started running 1 pipeline(s).

@liuh-80 liuh-80 marked this pull request as ready for review September 21, 2022 07:40
@liuh-80 liuh-80 requested a review from lguohan as a code owner September 21, 2022 07:40
@liuh-80 liuh-80 requested a review from qiluo-msft September 21, 2022 07:40
qiluo-msft
qiluo-msft approved these changes Sep 21, 2022
View reviewed changes
Copy link
Copy Markdown
Collaborator

@qiluo-msft qiluo-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@liuh-80 liuh-80 merged commit f8494d1 into sonic-net:master Sep 22, 2022
@liuh-80 liuh-80 deleted the dev/liuh/improve-sshd-config branch September 22, 2022 01:25
@yutongzhang-microsoft yutongzhang-microsoft mentioned this pull request Nov 14, 2022
Merged
6 tasks
yejianquan pushed a commit to sonic-net/sonic-mgmt that referenced this pull request Nov 14, 2022
@yutongzhang-microsoft
Reset sshd timeout in stage deploy minigraph. (#6820)
2ecca4a 
* Reset sshd timeout

Approach
What is the motivation for this PR?
In pr [sonic-net/sonic-buildimage#12109], it decrease the sshd timout from 15mins to 5mins. It may cause timeout when executing generate_dump -s yesterday in posttest. So in this pr, during deploying minigraph, we reset this time.

How did you do it?
Modify the value /etc/ssh/sshd_config/ClientAliveInterval in deploy minigraph.

co-authorized by: [email protected]
yejianquan pushed a commit to sonic-net/sonic-mgmt that referenced this pull request Nov 14, 2022
@yutongzhang-microsoft @yejianquan
Reset sshd timeout in stage deploy minigraph. (#6820)
3d8329a 
* Reset sshd timeout

Approach
What is the motivation for this PR?
In pr [sonic-net/sonic-buildimage#12109], it decrease the sshd timout from 15mins to 5mins. It may cause timeout when executing generate_dump -s yesterday in posttest. So in this pr, during deploying minigraph, we reset this time.

How did you do it?
Modify the value /etc/ssh/sshd_config/ClientAliveInterval in deploy minigraph.

co-authorized by: [email protected]
yejianquan pushed a commit to sonic-net/sonic-mgmt that referenced this pull request Nov 14, 2022
@yutongzhang-microsoft @yejianquan
Reset sshd timeout in stage deploy minigraph. (#6820)
bd0b948 
* Reset sshd timeout

Approach
What is the motivation for this PR?
In pr [sonic-net/sonic-buildimage#12109], it decrease the sshd timout from 15mins to 5mins. It may cause timeout when executing generate_dump -s yesterday in posttest. So in this pr, during deploying minigraph, we reset this time.

How did you do it?
Modify the value /etc/ssh/sshd_config/ClientAliveInterval in deploy minigraph.

co-authorized by: [email protected]
This was referenced Nov 16, 2022
Closed
Merged
yutongzhang-microsoft added a commit to sonic-net/sonic-mgmt that referenced this pull request Nov 17, 2022
@yutongzhang-microsoft
Reset sshd timeout in upgrade_sonic.yml (#6839)
33bdb51 
Description of PR
In pr [sonic-net/sonic-buildimage#12109], it decrease the sshd timout from 15mins to 5mins. It may cause timeout when executing reduce_and_add_sonic_images in upgrade_sonic.yml. So in this pr, we reset this time before executing reduce_and_add_sonic_images.

What is the motivation for this PR?
In pr [sonic-net/sonic-buildimage#12109], it decrease the sshd timout from 15mins to 5mins. It may cause timeout when executing reduce_and_add_sonic_images in upgrade_sonic.yml. So in this pr, we reset this time before executing reduce_and_add_sonic_images.

How did you do it?
Modify the value /etc/ssh/sshd_config/ClientAliveInterval in upgrade_sonic.yml.

Signed-off-by: Yutong Zhang <[email protected]>
@ZhaohuiS ZhaohuiS mentioned this pull request Nov 17, 2022
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saiarcot895 saiarcot895 saiarcot895 approved these changes

@qiluo-msft qiluo-msft qiluo-msft approved these changes

@lguohan lguohan Awaiting requested review from lguohan lguohan is a code owner

@yxieca yxieca Awaiting requested review from yxieca

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@liuh-80 @saiarcot895 @qiluo-msft