dev-sec · rndmh3ro · Oct 24, 2022 · Oct 21, 2022
diff --git a/libraries/ssh_crypto.rb b/libraries/ssh_crypto.rb
@@ -17,6 +17,7 @@
 # author: Christoph Hartmann
 # author: Dominik Richter
 # author: Patrick Muench
+# author: Sebastian Gumprich
 
 class SshCrypto < Inspec.resource(1)
   name 'ssh_crypto'
@@ -26,253 +27,68 @@ def ssh_version
   end
 
   def valid_ciphers
-    # define a set of default ciphers
-    ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr'
     ciphers66 = 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
-    ciphers = ciphers53
+    ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr'
 
-    # adjust ciphers based on OS + release
-    case inspec.os[:name]
-    when 'ubuntu'
-      ciphers = ciphers66 if inspec.os[:release][0, 2] > '12'
-    when 'debian'
-      case inspec.os[:release]
-      when /^6\./, /^7\./
-        ciphers = ciphers53
-      when /^8\./, /^9\./, /^10\./, /^11\./
-        ciphers = ciphers66
-      end
-    when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
-      case inspec.os[:release]
-      when /^6\./
-        ciphers = ciphers53
-      when /^7.*/, /^8.*/, /^9.*/
-        ciphers = ciphers66
-      end
-    when 'amazon', 'fedora', 'alpine', 'arch'
-      ciphers = ciphers66
-    when 'opensuse'
-      case inspec.os[:release]
-      when /^13\.2/
-        ciphers = ciphers66
-      when /^42\./
-        ciphers = ciphers66
-      end
-    when 'mac_os_x'
-      case inspec.os[:release]
-      when /^10.9\./
-        ciphers = ciphers53
-      when /^10.10\./, /^10.11\./, /^10.12\./
-        ciphers = ciphers66
-      end
+    if ssh_version >= 6.6
+      ciphers66
+    else
+      ciphers53
     end
-
-    ciphers
   end
 
   def valid_kexs
-    # define a set of default KEXs
     kex85 = 'sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
     kex80 = 'sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
     kex66 = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
     kex59 = 'diffie-hellman-group-exchange-sha256'
-    kex = kex59
-
-    # adjust KEXs based on OS + release
-    case inspec.os[:name]
-    # https://packages.ubuntu.com/search?keywords=openssh-server
-    when 'ubuntu'
-      kex = if inspec.os[:release][0, 2] >= '22'
-              kex85
-            elsif inspec.os[:release][0, 2] >= '19'
-              kex80
-            else
-              kex66
-            end
-    # https://packages.debian.org/search?keywords=openssh-server
-    when 'debian'
-      case inspec.os[:release]
-      when /^6\./
-        kex = nil
-      when /^7\./
-        kex = kex59
-      when /^8\./, /^9\./, /^10\./
-        kex = kex66
-      when /^11\./
-        kex = kex80
-      end
-    when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
-      case inspec.os[:release]
-      when /^6\./
-        kex = nil
-      when /^7\./
-        kex = kex66
-      when /^8.*/, /^9.*/
-        kex = kex80
-      end
-    # https://pkgs.alpinelinux.org/packages?name=openssh
-    # https://src.fedoraproject.org/rpms/openssh
-    # https://software.opensuse.org/package/openssh
-    when 'alpine', 'arch', 'fedora', 'opensuse'
-      kex = if ssh_version >= 8.5
-              kex85
-            elsif ssh_version >= 8.0
-              kex80
-            elsif ssh_version >= 6.6
-              kex66
-            end
-    when 'amazon'
-      kex = kex66
-    when 'mac_os_x'
-      case inspec.os[:release]
-      when /^10.9\./
-        kex = kex59
-      when /^10.10\./, /^10.11\./, /^10.12\./
-        kex = kex66
-      when /^10.15\./
-        kex = kex80
-      end
+    if ssh_version >= 8.5
+      kex85
+    elsif ssh_version >= 8.0
+      kex80
+    elsif ssh_version >= 6.6
+      kex66
+    else
+      kex59
     end
-
-    kex
   end
 
   def valid_macs
-    # define a set of default MACs
     macs66 = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
     macs59 = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
     macs53 = 'hmac-ripemd160,hmac-sha1'
-    macs53_el65 = 'hmac-sha2-512,hmac-sha2-256'
-    macs = macs59
-
-    # adjust MACs based on OS + release
-    case inspec.os[:name]
-    when 'ubuntu'
-      macs = macs66 if inspec.os[:release][0, 2] > '12'
-    when 'debian'
-      case inspec.os[:release]
-      when /^6\./
-        macs = macs53
-      when /^7\./
-        macs = macs59
-      when /^8\./, /^9\./, /^10\./, /^11\./
-        macs = macs66
-      end
-    when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
-      case inspec.os[:release]
-      when /^6\./
-        # RedHat Enterprise Linux (and family) backported SHA2 support to their fork of OpenSSH 5.3 in RHEL 6.5.
-        # See BZ#969565 at:
-        # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/6.5_technical_notes/index#openssh
-        # Because extended support (EUS) updates for 6.x minor releases is no longer available,
-        # only the settings available for the supported (latest) 6.x release are recommended.
-        macs = macs53_el65
-      when /^7.*/, /^8.*/, /^9.*/
-        macs = macs66
-      end
-    when 'amazon', 'fedora', 'alpine', 'arch'
-      macs = macs66
-    when 'opensuse'
-      case inspec.os[:release]
-      when /^13\.2/
-        macs = macs66
-      when /^42\./
-        macs = macs66
-      end
-    when 'mac_os_x'
-      case inspec.os[:release]
-      when /^10.9\./
-        macs = macs59
-      when /^10.10\./, /^10.11\./, /^10.12\./
-        macs = macs66
-      end
+    if ssh_version >= 6.6
+      macs66
+    elsif ssh_version >= 5.9
+      macs59
+    else
+      macs53
     end
-
-    macs
   end
 
   def valid_privseparation
-    # define privilege separation set
-    ps53 = 'yes'
-    ps59 = 'sandbox'
     ps75 = nil
-    ps = ps59
-
-    # debian 7.x and newer has ssh 5.9+
-    # ubuntu 12.04 and newer has ssh 5.9+
-
-    case inspec.os[:name]
-    when 'debian'
-      case inspec.os[:release]
-      when /^6\./
-        ps = ps53
-      when /^10\./, /^11\./
-        ps = ps75
-      end
-    when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
-      case inspec.os[:release]
-      # redhat/centos/oracle 6.x has ssh 5.3
-      when /^6\./
-        ps = ps53
-      when /^7\./
-        ps = ps59
-      when /^8.*/, /^9.*/
-        ps = ps75
-      end
-    when 'ubuntu'
-      case inspec.os[:release]
-      when /^18\./, /^20\./, /^22\./
-        ps = ps75
-      end
-    when 'fedora', 'alpine', 'arch'
-      ps = ps75
+    ps59 = 'sandbox'
+    ps53 = 'yes'
+    if ssh_version >= 7.5
+      ps75
+    elsif ssh_version >= 5.9
+      ps59
+    elsif ssh_version >= 5.3
+      ps53
     end
-
-    ps
   end
 
-  # return a list of valid algoriths for a current platform
   def valid_algorithms
-    alg53 = %w(rsa)
-    alg60 = %w(rsa ecdsa)
     alg66 = %w(rsa ecdsa ed25519)
-    alg = alg66 # probably its a best suitable set for everything unknown
-
-    case inspec.os[:name]
-    when 'ubuntu'
-      alg = alg53 if inspec.os[:release][0, 2] < '14'
-    when 'debian'
-      case inspec.os[:release]
-      when /^7\./
-        alg = alg60
-      when /^8\./, /^9\./, /^10\./, /^11\./
-        alg = alg66
-      end
-    when 'redhat', 'centos', 'oracle', 'rocky', 'almalinux'
-      case inspec.os[:release]
-      when /^6\./
-        alg = alg53
-      when /^7.*/, /^8.*/, /^9.*/
-        alg = alg66
-      end
-    when 'amazon', 'fedora', 'alpine', 'arch'
-      alg = alg66
-    when 'opensuse'
-      case inspec.os[:release]
-      when /^13\.2/
-        alg = alg66
-      when /^42\./
-        alg = alg66
-      end
-    when 'mac_os_x'
-      case inspec.os[:release]
-      when /^10.9\./
-        alg53
-      when /^10.10\./, /^10.11\./, /^10.12\./
-        alg66
-      end
+    alg60 = %w(rsa ecdsa)
+    alg53 = %w(rsa)
+    if ssh_version >= 6.6
+      alg66
+    elsif ssh_version >= 6.0
+      alg60
+    else
+      alg53
     end
-
-    alg
   end
 end