Merge pull request #3885 from kmk3/fix-ssh

ssh: Refactor, fix bugs & harden

19 files changed, 69 insertions, 22 deletions

diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
new file mode 100644
index 000000000..67c78a483
--- /dev/null
+++ b/etc/inc/allow-ssh.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ssh.local
+
+noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
+noblacklist /tmp/ssh-*
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 0de539d57..d724e3b52 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
 # Remote access
-read-only ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.rhosts
+blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
+blacklist /etc/hosts.equiv
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
@@ -347,6 +355,9 @@ read-only ${HOME}/.local/share/mime
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
+# prevent access to ssh-agent
+blacklist /tmp/ssh-*
+
 # top secret
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
@@ -393,6 +404,7 @@ blacklist /etc/shadow
 blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
+blacklist /etc/ssh/*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist /var/backup
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 153ced0f4..5910d3543 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -860,7 +860,6 @@ blacklist ${HOME}/.yarncache
 blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
-blacklist /tmp/ssh-*
 blacklist /tmp/.wine-*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 2e4e564dd..2cdd3a90c 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index a5b1ba9f1..e7b09283e 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -11,12 +11,14 @@ noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index b27d93684..09246ccbc 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -11,9 +11,11 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 43e877fd0..728929638 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,12 +8,14 @@ include globals.local
 
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
-noblacklist ${HOME}/.ssh
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 4708078dd..312655b9b 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -11,16 +11,19 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
 # Put your editor,diff viewer config path below and uncomment to load settings
 # noblacklist ${HOME}/
 
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index e5a2f3985..aefb2917d 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -15,10 +15,12 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 3d80c1ed2..93b90eb9e 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.local/share/gitg
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index a7d0d531f..0a048a38a 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 1a68cd37d..d76522fce 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -18,7 +18,6 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.local/share/meld
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -26,6 +25,9 @@ noblacklist ${HOME}/.subversion
 #include allow-python2.inc
 include allow-python3.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 6311c91df..d4c7bdf31 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -9,7 +9,9 @@ include globals.local
 noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 8bb1f53a7..065409e78 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -9,8 +9,9 @@ include globals.local
 blacklist /tmp/.X11-unix
 
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.ssh
-noblacklist /tmp/ssh-*
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 01b63d3ce..5802299a3 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,9 +6,8 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh
-noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index e3e2b4541..641c3a79d 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,13 +7,13 @@ include ssh.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /etc/ssh
-noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index fc4e8e571..a4adf2896 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -8,12 +8,14 @@ include globals.local
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
 
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index bc9603835..6146016b2 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,10 +6,12 @@ include x2goclient.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.x2go
 noblacklist ${HOME}/.x2goclient
 
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 8b44b0bc0..9e9fc3fe9 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -103,6 +103,9 @@ include globals.local
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
 
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc