SSH hardening configuration options #22308
/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).

The original issue #22309 states:
Are we updating the SSH default config? I don't see code in this PR or sonic-net/sonic-host-services#238 that indicates changes to the default SSH configs. If we need to update the default cipher/kex/mac algorithms, it may be helpful to highlight the exact "hardening requirements by the various standards bodies" we're trying to satisfy. Or are we just going with the existing OpenSSH defaults (i.e., whatever settings are done when no value is specified for the given setting)?

No defaults are updated at all. Just enable the configuration knobs so that a user can comply with whatever security standard they're using. I took the approach of not potentially breaking users.

256c269 to 2a6b798

/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).

2a6b798 to 5cd4ba0

/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).

5cd4ba0 to 4165c41

/azp run Azure.sonic-buildimage

I just rebased against latest master to force a rebuild since there were spurious failures.

Azure Pipelines successfully started running 1 pipeline(s).

4165c41 to d1c930e

/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).

I rebased again to force tests to run, they are all passing now.

Pull Request Overview
This PR adds SSH hardening configuration options to the sonic-ssh-server YANG model, updates tests and sample configs to cover them, and refreshes documentation accordingly.
- Extended YANG model with new leaves and leaf-lists for root login policy, password authentication toggle, and allowed ciphers/kex/mac algorithms
- Updated test configurations and metadata to validate valid and invalid values for the new options
- Refreshed sample_config_db.json and Configuration.md to include the new SSH settings
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/sonic-yang-models/yang-models/sonic-ssh-server.yang | Added permit_root_login, password_authentication, ciphers, kex_algorithms, and macs |
| src/sonic-yang-models/tests/yang_model_tests/tests_config/ssh-server.json | Added new test cases and invalid-value entries for the SSH hardening options |
| src/sonic-yang-models/tests/yang_model_tests/tests/ssh-server.json | Added metadata entries for the new permit_root_login scenarios |
| src/sonic-yang-models/tests/files/sample_config_db.json | Updated example config to include the new SSH policies |
| src/sonic-yang-models/doc/Configuration.md | Documented the new options and updated the sample snippet |
Comments suppressed due to low confidence (3)

src/sonic-yang-models/yang-models/sonic-ssh-server.yang:62
- Consider specifying a default value (e.g., default "prohibit-password") for permit_root_login to ensure deterministic behavior and align with the documentation.

    leaf permit_root_login {

src/sonic-yang-models/doc/Configuration.md:2952
- Fix the spelling of 'seperated' to 'separated'.

    - ports - Ssh port numbers - string of port numbers seperated by ','

src/sonic-yang-models/doc/Configuration.md:2973
- The example uses "false" for permit_root_login, which isn't one of the defined enum values. Use a valid option like "no" or the documented default "prohibit-password".

    "permit_root_login": "false",
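
Added example (not code from this PR or from sonic-host-services): one way the five new leaves could be validated and mapped to sshd_config directives, showing why "false" is rejected for permit_root_login. The PermitRootLogin value set is taken from sshd_config(5); the dict layout, the "true"/"false" string form of password_authentication, and the function name are assumptions.

```python
import re

# PermitRootLogin values from sshd_config(5); assumed to match the YANG enum.
PERMIT_ROOT_LOGIN = ("yes", "prohibit-password", "forced-commands-only", "no")
# New leaf-list name -> sshd_config directive it would drive.
ALGO_DIRECTIVES = {"ciphers": "Ciphers", "kex_algorithms": "KexAlgorithms", "macs": "MACs"}
ALGO_NAME = re.compile(r"[A-Za-z0-9@._+-]+")  # constructed syntax check only


def render_sshd_options(policies):
    """Return (sshd_config lines, errors) for the hardening leaves in one policy dict."""
    lines, errors = [], []

    prl = policies.get("permit_root_login")
    if prl in PERMIT_ROOT_LOGIN:
        lines.append(f"PermitRootLogin {prl}")
    elif prl is not None:
        errors.append(f"permit_root_login: {prl!r} not in {PERMIT_ROOT_LOGIN}")

    pw = policies.get("password_authentication")
    if pw in ("true", "false"):  # assumption: toggle stored as a string
        lines.append("PasswordAuthentication " + ("yes" if pw == "true" else "no"))
    elif pw is not None:
        errors.append(f"password_authentication: {pw!r} is not 'true' or 'false'")

    for leaf, directive in ALGO_DIRECTIVES.items():
        names = policies.get(leaf)
        if names is None:
            continue  # leaf unset: sshd keeps its built-in default list
        if (isinstance(names, list) and names
                and all(isinstance(n, str) and ALGO_NAME.fullmatch(n) for n in names)):
            lines.append(f"{directive} {','.join(names)}")
        else:
            errors.append(f"{leaf}: expected a non-empty list of algorithm names, got {names!r}")
    return lines, errors


# Constructed sample; "false" mirrors the permit_root_login value the review flagged.
SAMPLE = {
    "permit_root_login": "false",
    "password_authentication": "false",
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "macs": ["hmac-sha2-512-etm@openssh.com"],
}

if __name__ == "__main__":
    rendered, problems = render_sshd_options(SAMPLE)
    print("\n".join(rendered + ["# rejected: " + p for p in problems]))
```
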

@bhouse-nexthop could you fix conflicts on this so @qiluo-msft can merge?

@bhouse-nexthop This branch has conflicts that must be resolved

d1c930e to a13d619

/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).

@qiluo-msft merge conflicts have been resolved

The SSH configuration does not contain many of the hardening requirements by the various standards bodies.

This adds support for:
* password_authentication - ability to disable password auth
* permit_root_login - ability to prevent root logins
* ciphers - ability to specify available ciphers
* kex_algorithms - ability to specify key exchange algorithms
* macs - ability to specify macs

Signed-off-by: Brad House <[email protected]>

a13d619 to 835f191

/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).

another spurious test failure unrelated to the changes. Rebased to force a rebuild.

@lguohan this is the yang model update for the ticket you just merged :)

@lguohan can this be merged?

Why I did it
The SSH configuration does not contain many of the hardening requirements by the various standards bodies.
This PR depends on sonic-net/sonic-host-services#238
Fixes #22309
How I did it
This adds support for:
How to verify it
sonic-yang-models runs tests during build, as does sonic-host-services which validates the behavior.
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
master as of 20250410
Description for the changelog
SSH hardening configuration options
Link to config_db schema for YANG module changes
https://github.com/bhouse-nexthop/sonic-buildimage/blob/bhouse-nexthop/ssh-config/src/sonic-yang-models/doc/Configuration.md#ssh_server
A picture of a cute animal (not mandatory but encouraged)