
Secure application installation

Introduction

The goal of this laboratory is to securely install and configure OpenSSH on your embedded Linux system. It has three main steps:

  1. Download a specific version of OpenSSH, examine its security-related compilation options, apply them, and compile it
  2. Modify the current Buildroot configuration so that it uses this specific OpenSSH version with selected security compilation options enabled
  3. Reduce the attack surface of this specific OpenSSH version

You continue on your current embedded Linux system from the previous labs.

Install the portable version 9.4p1 of OpenSSH on the host (in your Docker container, not on the NanoPi): https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

Download these files into your container:

  • openssh-9.4p1.tar.gz
  • openssh-9.4p1.tar.gz.asc

On the host (docker container, not inside buildroot), check the signature of the openssh package

On the host (docker container, not inside buildroot), check these different compilation options:

  • ./configure --help
  • ./configure // check the compilation-link options
  • ./configure --without-hardening // check the compilation-link options

What are the differences between the compilation-link options for these 2 commands (--with-hardening and --without-hardening)?

Document all your steps and findings in your report.

Question 2: Configure buildroot for a specific openssh version

In your current buildroot environment, the openssh package is described in /buildroot/package/openssh

  1. Modify the openssh.mk and openssh.hash files so that openssh-9.4p1.tar.gz is the version installed on your embedded Linux system.
  2. Modify the openssh.mk file in order to check the compilation-link options with these values:
    • First: --without-hardening, --without-pie
    • Second: --with-hardening, --with-pie
  3. Generate a new sdcard.img, flash the sdcard and check on the NanoPi

Question 3: Reduce the openssh attack surface

  1. On the NanoPi, delete the current SSH host keys. These keys are in /etc/ssh/ssh_host*
  2. On the NanoPi, create these new keys (without password): rsa 4096 bits, dsa 1024 bits, ecdsa 521, ed25519 256 bits. These keys are stored in /etc/ssh/ssh_host*
  3. On the NanoPi, modify the /etc/init.d/S50sshd script so that it automatically creates the new keys if they don’t already exist.
  4. For the next Buildroot installation, modify Buildroot so that it includes the new S50sshd, openssh.mk and openssh.hash
  5. On the NanoPi, configure sshd (/etc/ssh/sshd_config)
    • Sshd uses only IPv4
    • Disables all forwarding features
    • Permit root login (normally this option is not allowed, but it is allowed for the laboratories)
    • Indicate a banner
    • Check the cryptographic algorithms used
  6. An Nmap scan reveals the version of sshd: nmap -sV -n -p 22 IP --> 22/tcp open ssh OpenSSH 9.4p1 (protocol 2.0)
    • Modify sshd so that the reported version changes from OpenSSH 9.4p1 to My_Extreme_SecureShell
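
One way to write the key-generation helper that step 3 asks for, shown as an added example (it is not Buildroot's own S50sshd and not part of the original lab sheet). The function name, the KEYGEN and KEYDIR override variables, the ssh-keygen path and the key file naming are assumptions; the key types and sizes are those listed in step 2.

```shell
#!/bin/sh
# Added example: helper intended to be pasted into /etc/init.d/S50sshd and
# called from its start) branch before sshd is launched, e.g.:
#     ensure_host_keys || exit 1
# KEYGEN and KEYDIR are assumed override hooks so the logic can be tested
# without touching /etc/ssh; the ssh-keygen path is an assumption.
KEYGEN="${KEYGEN:-/usr/bin/ssh-keygen}"
KEYDIR="${KEYDIR:-/etc/ssh}"

# type:bits pairs taken from step 2 of the lab.
# ssh-keygen ignores -b for ed25519 because that key length is fixed.
HOST_KEY_SPECS="rsa:4096 dsa:1024 ecdsa:521 ed25519:256"

# Create every host key that is missing or empty and leave existing keys
# untouched, so the host identity stays stable across reboots.
# Sets GENERATED to the number of keys created; returns 1 on any failure.
ensure_host_keys() {
    GENERATED=0
    for spec in $HOST_KEY_SPECS; do
        ktype=${spec%%:*}
        bits=${spec##*:}
        key="$KEYDIR/ssh_host_${ktype}_key"

        # A non-empty private key is considered valid and is kept.
        [ -s "$key" ] && continue

        # Remove a truncated leftover (e.g. after power loss during first
        # boot); otherwise ssh-keygen would stop and ask before overwriting.
        rm -f "$key" "$key.pub"

        # -N "" gives an empty passphrase, as the lab requires.
        "$KEYGEN" -q -t "$ktype" -b "$bits" -N "" -f "$key" || return 1

        # Enforce the permissions sshd expects: an over-permissive
        # private host key is refused at startup.
        chmod 600 "$key" || return 1
        chmod 644 "$key.pub" || return 1
        GENERATED=$((GENERATED + 1))
    done
    return 0
}
```

Because the helper only fills in missing keys, deleting /etc/ssh/ssh_host* (step 1) and restarting the service is enough to rotate all four host keys.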

Important

All modifications must be made in such a way that the next Buildroot installation includes them automatically (persistent).