Avoid some deprecated options for OpenSSH >=7.6
E.g. on Ubuntu 18.04

SSH protocol version 1 was removed from OpenSSH 7.6:
- https://www.openssh.com/txt/release-7.6
- https://www.openssh.com/txt/release-7.5

Signed-off-by: Artem Sidorenko <artem@posteo.de>
artem-sidorenko committed Aug 1, 2018
1 parent 22fc824 commit 9c982dd
Showing 5 changed files with 46 additions and 22 deletions.
14 changes: 7 additions & 7 deletions libraries/devsec_ssh.rb
Expand Up @@ -119,6 +119,13 @@ def get_server_kexs(enable_weak = false)
get_crypto_data(:kexs, :server, enable_weak)
end

{ client: 'sshclient',
server: 'sshserver' }.each do |k, v|
define_method("get_ssh_#{k}_version") do
get_ssh_version(node['ssh-hardening'][v]['package'])
end
end

private

# :nocov:
Expand Down Expand Up @@ -170,13 +177,6 @@ def find_ssh_version(version, versions)
found_ssh_version
end

{ client: 'sshclient',
server: 'sshserver' }.each do |k, v|
define_method("get_ssh_#{k}_version") do
get_ssh_version(node['ssh-hardening'][v]['package'])
end
end

def get_ssh_version(package)
version = node['packages'][package]['version']
# on debian we get the epoch in front of version number: 1:7.2p2-4ubuntu2.1
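Review bot: `get_ssh_version` (its `def` is the last thing in the second hunk; the body continues past it) indexes `node['packages'][package]['version']` with no guard, and this move turns `get_ssh_client_version`/`get_ssh_server_version` into public entry points that the client recipe now calls unconditionally. When the package is absent from ohai's package data (not installed when ohai ran, or the plugin disabled) the lookup fails with a NoMethodError on nil instead of a readable error. A guard before the lookup such as `raise "package #{package} not found in node['packages']" unless node['packages'] && node['packages'][package]` would make that failure diagnosable.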
3 changes: 2 additions & 1 deletion recipes/client.rb
Expand Up @@ -48,7 +48,8 @@
{
mac: node['ssh-hardening']['ssh']['client']['mac'] || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']),
kex: node['ssh-hardening']['ssh']['client']['kex'] || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']),
cipher: node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required'])
cipher: node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required']),
version: DevSec::Ssh.get_ssh_client_version
}
end
)
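Review bot: `version: DevSec::Ssh.get_ssh_client_version` ties the rendered ssh_config to the package version ohai recorded at the start of the run, so on a converge that installs or upgrades the client package the template may be rendered for the old (or missing) version and keep or drop the `RhostsRSAAuthentication`/`RSAAuthentication` lines incorrectly until the next run. The enclosing block starts before the hunk, so I can't tell whether this hash is evaluated lazily, and even lazy evaluation only helps if the packages data is refreshed after the install. Worth a comment on the new line, e.g. `# version comes from ohai package data gathered at the start of the run`, and either a reload of the ohai packages plugin after the package resource or an explicit version attribute if first-run correctness matters.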
28 changes: 14 additions & 14 deletions spec/libraries/devsec_ssh_spec.rb
Expand Up @@ -195,20 +195,6 @@ def self.debug(*); end
end
end

describe 'get_ssh_server_version' do
it 'should call get_ssh_version with server package attribute' do
expect(subject).to receive(:get_ssh_version).with(package_name)
subject.send(:get_ssh_server_version)
end
end

describe 'get_ssh_client_version' do
it 'should call get_ssh_version with client package attribute' do
expect(subject).to receive(:get_ssh_version).with(package_name)
subject.send(:get_ssh_client_version)
end
end

describe 'find_ssh_version' do
context 'when it gets the valid ssh version' do
it 'should return the next small version' do
Expand Down Expand Up @@ -314,4 +300,18 @@ def self.debug(*); end
end
end
end

describe 'get_ssh_server_version' do
it 'should call get_ssh_version with server package attribute' do
expect(subject).to receive(:get_ssh_version).with(package_name)
subject.send(:get_ssh_server_version)
end
end

describe 'get_ssh_client_version' do
it 'should call get_ssh_version with client package attribute' do
expect(subject).to receive(:get_ssh_version).with(package_name)
subject.send(:get_ssh_client_version)
end
end
end
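Review bot: With the `define_method` block now above `private` in libraries/devsec_ssh.rb, `get_ssh_server_version` and `get_ssh_client_version` are public, so `subject.send(:get_ssh_server_version)` and `subject.send(:get_ssh_client_version)` can be plain calls `subject.get_ssh_server_version` / `subject.get_ssh_client_version`; `send` bypasses visibility and would hide a regression that made them private again. The moved examples only assert delegation to `get_ssh_version`; there is still no example for a package missing from `node['packages']`, which is the case the recipe can now hit.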
20 changes: 20 additions & 0 deletions spec/recipes/client_spec.rb
Expand Up @@ -219,6 +219,26 @@
end
end

describe 'version specifc options' do
context 'running with OpenSSH < 7.4' do
it 'should have RhostsRSAAuthentication and RSAAuthentication' do
expect(chef_run).to render_file('/etc/ssh/ssh_config').with_content(/RhostsRSAAuthentication/)
expect(chef_run).to render_file('/etc/ssh/ssh_config').with_content(/RSAAuthentication/)
end
end

context 'running with OpenSSH >= 7.4 on Ubuntu 18.04' do
cached(:chef_run) do
ChefSpec::ServerRunner.new(version: '18.04').converge(described_recipe)
end

it 'should not have RhostsRSAAuthentication and RSAAuthentication' do
expect(chef_run).to_not render_file('/etc/ssh/ssh_config').with_content(/RhostsRSAAuthentication/)
expect(chef_run).to_not render_file('/etc/ssh/ssh_config').with_content(/RSAAuthentication/)
end
end
end

context 'chef-solo' do
cached(:chef_run) do
ChefSpec::SoloRunner.new.converge(described_recipe)
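Review bot: The context names `'running with OpenSSH < 7.4'` and `'running with OpenSSH >= 7.4 on Ubuntu 18.04'` do not match the threshold the template actually uses (`@version.to_f < 7.6` in templates/default/openssh.conf.erb) or the commit message; rename them to `< 7.6` / `>= 7.6` so the spec documents the real cut-off, and fix `'version specifc options'` to `'version specific options'`. The first context also depends on whatever the suite's default ChefSpec platform ships, which is outside this hunk; stating the platform/version there (as the second context does) would make that expectation explicit.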
3 changes: 3 additions & 0 deletions templates/default/openssh.conf.erb
Expand Up @@ -82,10 +82,13 @@ ForwardX11 no

# Never use host-based authentication. It can be exploited.
HostbasedAuthentication no

<% if @version.to_f < 7.6 %>
RhostsRSAAuthentication no

# Enable RSA authentication via identity files.
RSAAuthentication yes
<% end %>

# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
PasswordAuthentication <%= ((@node['ssh-hardening']['ssh']['client']['password_authentication']) ? "yes" : "no" ) %>
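Review bot: `<% if @version.to_f < 7.6 %>` falls into the legacy branch whenever `@version` is nil or non-numeric (`nil.to_f` and `'unknown'.to_f` are both 0.0), so a missing version silently re-enables the protocol-1 options the commit is trying to avoid, and a float compare mis-orders two-digit minors (`'7.10'.to_f` is 7.1). If `get_ssh_version` already normalises the value to a dotted number — its body is outside this diff, so I can't confirm — `Gem::Version.new(@version) < Gem::Version.new('7.6')` is the robust form; otherwise a nil version should be handled explicitly rather than by the default branch. A short comment above the `if`, e.g. `# RhostsRSAAuthentication/RSAAuthentication are protocol-1 options removed in OpenSSH 7.6`, would also record why 7.6 is the cut-off.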
