From 8288c203b2709478d45c17592e141a0250f04c8a Mon Sep 17 00:00:00 2001
From: Dominik Richter
Date: Thu, 5 Feb 2015 10:33:22 +0100
Subject: [PATCH] feature: UsePrivilegeSeparation = sandbox for ssh >= 5.9

See:
* https://github.com/TelekomLabs/puppet-ssh-hardening/pull/42
* https://github.com/TelekomLabs/tests-ssh-hardening/pull/44

Signed-off-by: Dominik Richter
---
 .../functions/use_privilege_separation.rb | 37 +++++++++++++++++++
 manifests/server.pp | 3 +-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 lib/puppet/parser/functions/use_privilege_separation.rb

diff --git a/lib/puppet/parser/functions/use_privilege_separation.rb b/lib/puppet/parser/functions/use_privilege_separation.rb
new file mode 100644
index 0000000..15f0efd
--- /dev/null
+++ b/lib/puppet/parser/functions/use_privilege_separation.rb
@@ -0,0 +1,37 @@
+# encoding: utf-8
+#
+# Copyright 2015, Dominik Richter
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+Puppet::Parser::Functions.newfunction(:use_privilege_separation, :type => :rvalue) do |args|
+ os = args[0].downcase
+ osrelease = args[1]
+ osmajor = osrelease.sub(/\..*/, '')
+
+ ps53 = 'yes'
+ ps59 = 'sandbox'
+ ps = ps59
+
+ # redhat/centos/oracle 6.x has ssh 5.3
+ if os == 'redhat' || os == 'centos' || os == 'oraclelinux'
+ ps = ps53
+
+ # debian 7.x and newer has ssh 5.9+
+ elsif os == 'debian' && osmajor.to_i <= 6
+ ps = ps53
+ end
+
+ ps
+end
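Review bot: The first branch applies to every RedHat, CentOS and Oracle Linux release, although its comment limits the OpenSSH 5.3 case to 6.x, so release 7 of those distributions (which ships a newer OpenSSH) would be held at `yes` instead of `sandbox`. The Debian branch already gates on `osmajor`; the same guard fits here, e.g. `if %w(redhat centos oraclelinux).include?(os) && osmajor.to_i <= 6`. Separately, every OS not named falls through to `sandbox`, and an sshd older than 5.9 is not expected to accept that value, so defaulting to `yes` and opting known platforms into `sandbox` would fail safer. `args[0].downcase` and `osrelease.sub` also raise NoMethodError when a fact is undefined; an argument check that raises `Puppet::ParseError` would give a clearer compile-time error.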
diff --git a/manifests/server.pp b/manifests/server.pp
index 81399f4..0d683da 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -76,6 +76,7 @@
 $ciphers = get_ssh_ciphers($::operatingsystem, $::operatingsystemrelease, $cbc_required)
 $macs = get_ssh_macs($::operatingsystem, $::operatingsystemrelease, $weak_hmac)
 $kex = get_ssh_kex($::operatingsystem, $::operatingsystemrelease, $weak_kex)
+ $priv_sep = use_privilege_separation($::operatingsystem, $::operatingsystemrelease)

 $permit_root_login = $allow_root_with_key ? {
 true => 'without-password',
@@ -169,7 +170,7 @@

 # Secure Login directives.
 'UseLogin' => 'no',
- 'UsePrivilegeSeparation' => 'yes',
+ 'UsePrivilegeSeparation' => $priv_sep,
 'PermitUserEnvironment' => 'no',
 'LoginGraceTime' => '30s',
 'MaxAuthTries' => 2,
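Review bot: `$priv_sep` is derived from the OS facts alone, so a host where the lookup is wrong (a backported or self-built OpenSSH, an unlisted distribution) cannot be corrected from the class interface, whereas the cipher, MAC and KEX lookups next to it at least take a tunable (`$cbc_required`, `$weak_hmac`, `$weak_kex`). The value lands directly in the sshd configuration at `'UsePrivilegeSeparation' => $priv_sep` in the second hunk, and a value the installed sshd does not understand would likely keep the daemon from loading its configuration. An optional class parameter that takes precedence over the computed value would cover this. The class parameter list lies outside these hunks, so this would need a change there.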