r00t2/SSHSecure
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

need to finish dh stuff still.

Browse Source
This commit is contained in:
brent s. 2021-07-03 03:58:06 -04:00
parent 4eb554aa38
commit d7ffbea913
Signed by: bts
GPG Key ID: 8C004C2F93481F6B
5 changed files with 64 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@ -33,17 +33,19 @@ the default configuration and keys used may not be the strongest they can be (an
This software will harden your OpenSSH security as much as possible to currently known weaknesses. This software will harden your OpenSSH security as much as possible to currently known weaknesses.


## How? ## How?
This program will generate/replace: This program will generate/modify and replace:


* your hostkeys (typically `/etc/ssh/ssh_host_*_key*`) * Your hostkeys (typically `/etc/ssh/ssh_host_*_key*`)
* the client keys (`~/.ssh/id_*`) for the running user * The client keys (`~/.ssh/id_*`) for the running user
* your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`) * Your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
* your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`) * Your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
* the `ssh` (client) configuration for the running user (`~/.ssh/config`) * The `ssh` (client) configuration for the running user (`~/.ssh/config`)
* the SSH DH parameters (typically `/etc/ssh/moduli`) * The SSH DH parameters (typically `/etc/ssh/moduli`)


with much stronger implementations from typical/upstream defaults. with much stronger implementations from typical/upstream defaults.


Any and all pre-existing files are backed up before being replaced.

It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies
them. them.
@ -67,11 +69,18 @@ running already).
## FAQ ## FAQ


### Why a binary? ### Why a binary?
I originally wrote this as a python script. However, some machines don't have the python I originally wrote this as a Python script. However, some machines don't have the Python
interpreter installed and due to the lack of low-level access, I ended up making a lot interpreter installed and due to the lack of low-level access, I ended up making a lot
of calls to the shell anyways. of calls to the shell anyways.
I wrote it in Golang so the source would be easily read for auditing purposes. I wrote it in Golang because:

* The source would be easily read for auditing purposes
* Golang is, admittedly, incredibly faster at some tasks than Python
* Multiprocessing/multithreading is *incredibly* more simple in Golang than Python
* Building widely-deployable binaries is easier in Golang than C or C++

As much as I like Python, Golang should offer significant improvements.


### How can I contact you? ### How can I contact you?
You can either [file a bug](https://bugs.square-r00t.net/index.php?do=newtask&project=15) You can either [file a bug](https://bugs.square-r00t.net/index.php?do=newtask&project=15)

11
dh/README
View File

@ -1,6 +1,11 @@
The functions found in this sub-component are ported almost directly from the THIS SUBMODULE IS INCOMPLETE. DO NOT USE IT.
openssh-portable[0]'s `moduli.c`[1] code (with, of course, changes made where It technically is not necessary as upstream offers generated parameters.
appropriate to match and take advantage of Golang). Theoretically as long as we filter anything 2048 bits and lower, it should be fine.

The functions, etc. (even a significant amount of the comments) found in this
sub-component are ported almost directly from the openssh-portable[0]'s
`moduli.c`[1] code (with, of course, changes made where appropriate to match
and take advantage of Golang and its patterns).


The OpenBSD and OpenSSH(-portable) teams have my gratitude. The OpenBSD and OpenSSH(-portable) teams have my gratitude.



31
dh/const.go
View File

@ -1,5 +1,9 @@
package dh package dh


import (
"math/big"
)

const ( const (
// QSizeMinimum Specifies the number of the most significant bit (0 to M). // QSizeMinimum Specifies the number of the most significant bit (0 to M).
// WARNING: internally, usually 1 to N. // WARNING: internally, usually 1 to N.
@ -26,7 +30,32 @@ const (
TestMaximum = uint32(1) << 16 TestMaximum = uint32(1) << 16
TestMinimum = QSizeMinimum + 1 // (uint32(1) << (ShiftWord - TestPower)) TestMinimum = QSizeMinimum + 1 // (uint32(1) << (ShiftWord - TestPower))
TestPower = 3 // 2**n, n < ShiftWord TestPower = 3 // 2**n, n < ShiftWord
// Minimum number of primality tests to perform
TrialMinimum = 4
) )


var ( type (

/*
Sieving data (XXX - move to struct)
*/

// sieve 2**16
TinySieve *uint32
tinybits uint32

// sieve 2**30 in 2**16 parts
SmallSieve *uint32
smallbits uint32
smallbase uint32

// sieve relative to the initial value
LargeSieve *uint32
largewords uint32
largetries uint32
largenumbers uint32
largebits uint32 // Megabytes..
largememory uint32 // ""

largebase big.Int
) )

2
dh/func_gen.go
View File

@ -34,3 +34,5 @@ package dh


And that's why I'm a sad panda and porting moduli.c to native Golang. And that's why I'm a sad panda and porting moduli.c to native Golang.
*/ */

func SieveLarge()

2
dh/func_utils.go
View File

@ -50,3 +50,5 @@ func BitTest(a []uint32, n uint32) (i uint32) {


return return
} }

// The qfileout function is replaced by a moduli.Entry method Write.