Avoid some deprecated options for OpenSSH >7.4

E.g. on Ubuntu 18.04 Signed-off-by: Artem Sidorenko <artem@posteo.de>
dev-sec · Jul 31, 2018 · 9bae0fe · 9bae0fe
1 parent ceb147c
commit 9bae0fe
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/libraries/devsec_ssh.rb b/libraries/devsec_ssh.rb
@@ -119,6 +119,13 @@ def get_server_kexs(enable_weak = false)
         get_crypto_data(:kexs, :server, enable_weak)
       end
 
+      { client: 'sshclient',
+        server: 'sshserver' }.each do |k, v|
+        define_method("get_ssh_#{k}_version") do
+          get_ssh_version(node['ssh-hardening'][v]['package'])
+        end
+      end
+
       private
 
       # :nocov:
@@ -170,13 +177,6 @@ def find_ssh_version(version, versions)
         found_ssh_version
       end
 
-      { client: 'sshclient',
-        server: 'sshserver' }.each do |k, v|
-        define_method("get_ssh_#{k}_version") do
-          get_ssh_version(node['ssh-hardening'][v]['package'])
-        end
-      end
-
       def get_ssh_version(package)
         version = node['packages'][package]['version']
         # on debian we get the epoch in front of version number: 1:7.2p2-4ubuntu2.1

diff --git a/recipes/client.rb b/recipes/client.rb
@@ -48,7 +48,8 @@
       {
         mac:     node['ssh-hardening']['ssh']['client']['mac']    || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']),
         kex:     node['ssh-hardening']['ssh']['client']['kex']    || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']),
-        cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required'])
+        cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required']),
+        version: DevSec::Ssh.get_client_ssh_version
       }
     end
   )

diff --git a/templates/default/openssh.conf.erb b/templates/default/openssh.conf.erb
@@ -82,10 +82,13 @@ ForwardX11 no
 
 # Never use host-based authentication. It can be exploited.
 HostbasedAuthentication no
+
+<% if @version.to_f < 7.4 %>
 RhostsRSAAuthentication no
 
 # Enable RSA authentication via identity files.
 RSAAuthentication yes
+<% end %>
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication <%= ((@node['ssh-hardening']['ssh']['client']['password_authentication']) ? "yes" : "no" ) %>