Hello,

systemd dependencies that are activated on a Debian system imply a lot
of library injections into sshd, much more than the stock OpenBSD ssh.

To avoid this, there seem to be two approaches:

   - remove those dependencies (see below)

   - confine the impact of those dependencies, as proposed
     by some developers, in having those dependencies confined
     (not examined here)

To solve this, I could use a Bastion host with a limited, non-Debian,
OS, or I could recompile the OpenSSH package on Debian with options
disabled.

Doing the latter, I have much more dependencies (**)

4d3
< libcom_err.so.2
9,18d7
< libgcrypt.so.20
< libgpg-error.so.0
< libgssapi_krb5.so.2
< libk5crypto.so.3
< libkeyutils.so.1
< libkrb5.so.3
< libkrb5support.so.0
< liblz4.so.1
< liblzma.so.5
< libnsl.so.2
22,23d10
< libresolv.so.2
< librt.so.1
25,26d11
< libsystemd.so.0
< libtirpc.so.3
28d12
< libwrap.so.0
30d13
< libzstd.so.1

What do you think about this approach?

Thank you for your comments.


(*) on Debian bullseye:

mkdir /tmp/tt
cd /tmp/tt

apt-get source openssh

cd openssh-8.4p1/

# openbsd-doc does not apply cleanly after
sed -i '/^systemd-readiness.patch/d;/^restore-tcp-wrappers.patch/d;/^openbsd-docs.patch/d' debian/patches/series
rm debian/patches/{systemd-readiness.patch,restore-tcp-wrappers.patch,openbsd-docs.patch}

patch debian/rules <<'EOF'

schaefer@reliant:/tmp/tt/openssh-8.4p1$ diff -uP debian/rules.ORIG debian/rules
--- debian/rules.ORIG   2025-04-11 19:35:13.568132105 +0200
+++ debian/rules        2025-04-11 19:37:01.355078815 +0200
@@ -73,20 +73,16 @@
 confflags_udeb := $(confflags)
 
 # Options specific to the deb build.
-confflags += --with-tcp-wrappers
 confflags += --with-pam
 confflags += --with-libedit
-confflags += --with-kerberos5=/usr
 confflags += --with-ssl-engine
 ifeq ($(DEB_HOST_ARCH_OS),linux)
 confflags += --with-selinux
 confflags += --with-audit=linux
-confflags += --with-systemd
 confflags += --with-security-key-builtin
 endif
 
-# The deb build wants xauth; the udeb build doesn't.
-confflags += --with-xauth=/usr/bin/xauth
+confflags += --without-xauth
 confflags_udeb += --without-xauth
 
 # Default paths. The udeb build has /usr/games removed.
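Review bot: the heredoc fed to `patch debian/rules` starts with the shell prompt line `schaefer@reliant:/tmp/tt/openssh-8.4p1$ diff -uP debian/rules.ORIG debian/rules` ahead of the `---`/`+++` headers; patch(1) skips leading garbage so the hunk still applies, but the line should be dropped so the recipe does not depend on that behaviour. In the xauth part of the hunk, the comment `# The deb build wants xauth; the udeb build doesn't.` is deleted while its replacement `+confflags += --without-xauth` now makes the deb build identical to the udeb line that follows; either fold the two into one `--without-xauth` added to the common `$(confflags)` before `confflags_udeb` is derived, or keep a one-line comment saying why the deb build no longer wants xauth. Also note that the retained `--with-pam`, `--with-libedit`, `--with-ssl-engine`, `--with-selinux`, `--with-audit=linux` and `--with-security-key-builtin` lines keep their respective libraries linked into sshd, so if the goal is the smallest possible dependency set those options deserve the same per-line decision as the three removed here.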
EOF

# -b: avoid source package creation, changelog, etc
dpkg-buildpackage -b -rfakeroot -us -uc

 
(**) demo:

mkdir /tmp/tt2
cd /tmp/tt2

dpkg-deb -x ../tt/openssh-server_*.deb .

diff <(ldd /usr/sbin/sshd | awk '{print $1;}' | sort) <(ldd usr/sbin/sshd | awk '{print $1;}' | sort)
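The comparison above reports the ed-style line numbers of `diff` along with the library names. As an added example that is not part of the original mail, the script below does the same set difference on plain sonames and, more usefully after a rebuild, checks that the libraries the rebuild was meant to drop are really gone. The ldd listings embedded in it are constructed, not real output; the soname list in DROPPED_LIBS is an assumption taken from the diff shown in the mail.

```bash
#!/bin/bash
# Post-build check for a rebuilt sshd: compare linked sonames and flag the
# libraries that were supposed to disappear. Input is ldd(1) text so it runs
# offline; live use: leftover_libs "$(ldd usr/sbin/sshd)"
export LC_ALL=C   # byte-order sort, so comm(1) sees consistent ordering

# Sonames the rebuild is expected to have removed (assumed from the mail).
DROPPED_LIBS="libsystemd.so.0 libwrap.so.0 libkrb5.so.3 libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5support.so.0 libcom_err.so.2"

# Constructed ldd listings (not real output) for the stock and rebuilt sshd.
STOCK_LDD='    linux-vdso.so.1 (0x0000)
    libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)
    libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x0000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)
    /lib64/ld-linux-x86-64.so.2 (0x0000)'
REBUILT_LDD='    linux-vdso.so.1 (0x0000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)
    /lib64/ld-linux-x86-64.so.2 (0x0000)'

# linked_libs: sonames from ldd text on stdin, minus the vDSO and the loader
# (an absolute path), which are not shared libraries the build pulled in.
linked_libs() {
    awk '$1 ~ /\.so/ && $1 !~ /^linux-vdso/ && $1 !~ /^\// { print $1 }' | sort -u
}

# removed_libs STOCK_TEXT REBUILT_TEXT: sonames linked by the first binary
# but not by the second, i.e. what the rebuild removed.
removed_libs() {
    a=$(mktemp) b=$(mktemp)
    printf '%s\n' "$1" | linked_libs > "$a"
    printf '%s\n' "$2" | linked_libs > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# leftover_libs LDD_TEXT: print every DROPPED_LIBS entry still linked and
# return 1; return 0 when the binary is clean.
leftover_libs() {
    libs=$(printf '%s\n' "$1" | linked_libs)
    rc=0
    for lib in $DROPPED_LIBS; do
        if printf '%s\n' "$libs" | grep -qx "$lib"; then
            echo "$lib"
            rc=1
        fi
    done
    return "$rc"
}
```

Run with the rebuilt package's real listing as the argument and a non-zero exit means one of the disabled features is still linked in.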
