search

Diodes-Delight / piunora-raspberrypi-os-image

10 stars 0 forks source link

Default SSH host keys left in Piunora images #2

Open PinkFreud opened 2 years ago

PinkFreud commented 2 years ago

I recently picked up a Piunora board for a spare CM4 I had on hand, and after going through the docs on getting started, opted to install the official Piunora image.

While looking through the image, I noticed that /etc/ssh is populated with host keys - this is a terrible idea, as it means all deployments of this image have these keys by default, and unless an end user knew to remove and regenerate these, it could lead to a compromise of the Pi in question in the wild.

See https://threatpost.com/cisco-ssh-key-flaw-has-echoes-of-earlier-vulnerabilities/113484/ for how shipping default ssh keys is a terrible idea. While this isn't quite as severe as, say, leaving keys lying around in root's authorized_keys file, it could still compromise the encryption these default host keys are meant to secure.

I'll note that both released images, 24-11-21 (2021-11-24) and 2021-12-01 contain default ssh host keys, though it appears they were generated separately, and thus not the same between the two images:

2021-11-24:

7c66f21de7fa29a54dc96f88437395d791cdd9bd  ssh_host_dsa_key
90e30194f687f7d02ad5a9920f9296f57de75639  ssh_host_dsa_key.pub
70910350fa4955c00a128282f86ffca18a101fb7  ssh_host_ecdsa_key
e4bc147ef7f4b45da9ec3633b2fb04bd069cfb7c  ssh_host_ecdsa_key.pub
f34714b8df91caf19c3f9eaf4b3122919aa0805d  ssh_host_ed25519_key
6a484951c540f9a59f082f7ac7400f54c1b83517  ssh_host_ed25519_key.pub
e735d5dbc9248e20993c03ebd29cf99793f0d1b8  ssh_host_rsa_key
0209ea98e3543222fc9997135dbcd1c78ec7524b  ssh_host_rsa_key.pub

2021-12-01:

7c66f21de7fa29a54dc96f88437395d791cdd9bd  ssh_host_dsa_key
90e30194f687f7d02ad5a9920f9296f57de75639  ssh_host_dsa_key.pub
70910350fa4955c00a128282f86ffca18a101fb7  ssh_host_ecdsa_key
e4bc147ef7f4b45da9ec3633b2fb04bd069cfb7c  ssh_host_ecdsa_key.pub
f34714b8df91caf19c3f9eaf4b3122919aa0805d  ssh_host_ed25519_key
6a484951c540f9a59f082f7ac7400f54c1b83517  ssh_host_ed25519_key.pub
e735d5dbc9248e20993c03ebd29cf99793f0d1b8  ssh_host_rsa_key
0209ea98e3543222fc9997135dbcd1c78ec7524b  ssh_host_rsa_key.pub

The right way to handle this would be to remove all existing host keys in /etc/ssh before image generation, and ensuring ssh-keygen -A is run before sshd startup, if sshd is left enabled:

     -A      For each of the key types (rsa, dsa, ecdsa and ed25519) for which
             host keys do not exist, generate the host keys with the default
             key file path, an empty passphrase, default bits for the key
             type, and default comment.  If -f has also been specified, its
             argument is used as a prefix to the default path for the result‐
             ing host key files.  This is used by system administration
             scripts to generate new host keys.

That being said, it's probably a better idea to leave ssh disabled by default, and let end-users enable it when necessary. This is the method the Raspberry Pi Foundation uses with Raspberry Pi OS, and is a reasonably safe option.

timonsku commented 2 years ago

oh that is odd, thanks for spotting that. The image is created in a chroot. I will have to check what in the process creates them. The image is created fully automated so some service must create them.

I opted for enabled SSH as the target audience of Piunora will pre-dominantly want that enabled. But I will make sure that there are no generated keys present before first boot for the next release. I had unfortunately little resources for updates, a new release is well overdue.

PinkFreud commented 2 years ago

The keys would be created upon enabling ssh - the service won't run without them. You'd need to remove them, and ensure ssh-keygen -A is run before ssh service startup, otherwise an error will be thrown at boot time.

timonsku commented 2 years ago

systemd is not running during the image setup, I think right now I used the raspi-config utility to enable ssh. I might do that manually instead then. Normally it should do the generation of the key on the first actual boot up. Will take a look what the utility actually runs.

PinkFreud commented 2 years ago

Yep, it's in raspi-config, all right, in do_ssh():

  if [ $RET -eq 0 ]; then
    ssh-keygen -A &&
    update-rc.d ssh enable &&
    invoke-rc.d ssh start &&
    STATUS=enabled
PinkFreud commented 2 years ago

One other consideration, if you're enabling ssh by default, is the default user and password on the image. Raspbian / Raspberry Pi OS used to do the same thing, but it was deemed risky to enable remote logins before giving the user an opportunity to change the default password. If you want ssh enabled by default, it might be worthwhile to come up with a way to force a password change on the pi account on first boot.

Anyway, thanks for being responsive! This is an intriguing little board, and I'm having fun with mine!

timonsku commented 2 years ago

Great to hear you are enjoying the board! Regarding the default user/pw issue. That has been solved in the latest OS release afaik where the user and pw have to be set after first boot so a new release of this image should have this also "for free".