Merge pull request #70 from TelekomLabs/kex-sha1

remove sha1 key-exchange mechanisms from default
dev-sec · Jan 14, 2015 · 16593db · 16593db
2 parents 3f78b0b + 6f5792f
commit 16593db
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 4 deletions.
diff --git a/libraries/get_ssh_kex.rb b/libraries/get_ssh_kex.rb
@@ -27,12 +27,12 @@ def self.get_kexs(node, weak_kex)
         weak_kex = weak_kex ? 'weak' : 'default'
 
         kex_59 = {}
-        kex_59.default = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
-        kex_59['weak'] = kex_59['default'] + ',diffie-hellman-group1-sha1'
+        kex_59.default = 'diffie-hellman-group-exchange-sha256'
+        kex_59['weak'] = kex_59['default'] + ',diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'
 
         kex_66 = {}
-        kex_66.default = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'
-        kex_66['weak'] = kex_66['default'] + ',diffie-hellman-group1-sha1'
+        kex_66.default = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
+        kex_66['weak'] = kex_66['default'] + ',diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'
 
         # determine the kex for the operating system
         kex = kex_59

diff --git a/spec/recipes/client_spec.rb b/spec/recipes/client_spec.rb
@@ -48,6 +48,10 @@
   end
 
   it 'disables weak kexs' do
+    expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+      .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+    expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+      .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
     expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
       .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
   end
@@ -102,6 +106,10 @@
     end
 
     it 'allows weak kexs on the client' do
+      expect(chef_run).to render_file('/etc/ssh/ssh_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+      expect(chef_run).to render_file('/etc/ssh/ssh_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
       expect(chef_run).to render_file('/etc/ssh/ssh_config')
         .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
     end
@@ -119,6 +127,10 @@
     end
 
     it 'does not allow weak kexs on the client' do
+      expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+      expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
       expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
         .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
     end
@@ -170,6 +182,10 @@
       end
 
       it 'still does not allow weak kexs' do
+        expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+        expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
         expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
           .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
       end
@@ -194,6 +210,10 @@
       end
 
       it 'allows weak kexs on the client' do
+        expect(chef_run).to render_file('/etc/ssh/ssh_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+        expect(chef_run).to render_file('/etc/ssh/ssh_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
         expect(chef_run).to render_file('/etc/ssh/ssh_config')
           .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
       end
@@ -235,6 +255,10 @@
       end
 
       it 'still does not allow weak kexs' do
+        expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+        expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
         expect(chef_run).not_to render_file('/etc/ssh/ssh_config')
           .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
       end

diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb
@@ -56,6 +56,10 @@
   end
 
   it 'disables weak kexs' do
+    expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+      .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+    expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+      .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
     expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
       .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
   end
@@ -111,6 +115,10 @@
     end
 
     it 'enables weak kexs on the server' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+      expect(chef_run).to render_file('/etc/ssh/sshd_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
       expect(chef_run).to render_file('/etc/ssh/sshd_config')
         .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
     end
@@ -129,6 +137,10 @@
     end
 
     it 'does not enable weak kexs on the server' do
+      expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+      expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+        .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
       expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
         .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
     end
@@ -182,6 +194,10 @@
       end
 
       it 'still does not allow weak kexs' do
+        expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+        expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
         expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
           .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
       end
@@ -207,6 +223,10 @@
       end
 
       it 'allows weak kexs' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+        expect(chef_run).to render_file('/etc/ssh/sshd_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
         expect(chef_run).to render_file('/etc/ssh/sshd_config')
           .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
       end
@@ -249,6 +269,10 @@
       end
 
       it 'still does not allow weak kexs' do
+        expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group14-sha1\b/)
+        expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
+          .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group-exchange-sha1\b/)
         expect(chef_run).not_to render_file('/etc/ssh/sshd_config')
           .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/)
       end