Merge pull request #49 from bkw/splitWeakCipers

allow cbc, hmac and kex to be configured individually for client and server.
dev-sec · Oct 14, 2014 · d569069 · d569069
2 parents 7bccda5 + 7d4722b
commit d569069
Show file tree

Hide file tree

Showing 7 changed files with 448 additions and 71 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## unreleased
+
+* new attributes node['ssh']['client']['cbc_required'] and node['ssh']['server']['cbc_required'] replace node['ssh']['cbc_required'], which has been deprecated.
+
+* new attributes node['ssh']['client']['weak_hmac'] and node['ssh']['server']['weak_hmac'] replace node['ssh']['weak_hmac'], which has been deprecated.
+
+* new attributes node['ssh']['client']['weak_kex'] and node['ssh']['server']['weak_kex'] replace node['ssh']['weak_kex'], which has been deprecated.
+
 ## 1.0.1
 
 * feature: cipher, macs and key exchange algorithms are now correctly detected on

diff --git a/README.md b/README.md
@@ -16,9 +16,9 @@ This cookbook provides secure ssh-client and ssh-server configurations.
 ## Attributes
 
 * `['network']['ipv6']['enable']` - true if IPv6 is needed
-* `['ssh']['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
-* `['ssh']['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. 
-* `['ssh']['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
+* `['ssh'][{'client', 'server'}]['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
+* `['ssh'][{'client', 'server'}]['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. 
+* `['ssh'][{'client', 'server'}]['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
 * `['ssh']['allow_root_with_key']` - `false` to disable root login altogether. Set to `true` to allow root to login via key-based mechanism.
 * `['ssh']['ports']` - ports to which ssh-server should listen to and ssh-client should connect to
 * `['ssh']['listen_to']` - one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
@@ -130,7 +130,17 @@ Always look into log files first and if possible look at the negotation between
 
 We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
 
-If you find this isn't enough, feel free to activate `['ssh']['cbc_required']` for ciphers, `['ssh']['weak_hmac']` for MACs, and `['ssh']['weak_kex']` for KEX.
+If you find this isn't enough, feel free to activate the attributes `cbc_requires` for ciphers, `weak_hmac` for MACs and `weak_kex`for KEX in the namespaces `['ssh']['client']` or `['ssh']['server']` based on where you want to support them.
+
+## Deprecation Notices
+
+* `node['ssh']['cbc_required']` has been deprecated in favour of `node['ssh']['client']['cbc_required']` and `node['ssh']['server']['cbc_required']`.
+
+* `node['ssh']['weak_hmac']` has been deprecated in favour of `node['ssh']['client']['weak_hmac']` and `node['ssh']['server']['weak_hmac']`.
+
+* `node['ssh']['weak_kex']` has been deprecated in favour of `node['ssh']['client']['weak_kex']` and `node['ssh']['server']['weak_kex']`.
+
+* The old attributes are still supported but will be removed in the future. In case one of the legacy attributes is set, it still precedes the newly added attributes to allow for backward compatibility.
 
 ## Contributors + Kudos
 

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -43,9 +43,12 @@
 
 default['config_disclaimer']              = '**Note:** This file was automatically created by Pinerolo configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
 default['network']['ipv6']['enable']      = false   # sshd + ssh
-default['ssh']['cbc_required']            = false   # sshd + ssh
-default['ssh']['weak_hmac']               = false   # sshd + ssh
-default['ssh']['weak_kex']                = false   # sshd + ssh
+default['ssh']['client']['cbc_required']  = false   # ssh
+default['ssh']['server']['cbc_required']  = false   # sshd
+default['ssh']['client']['weak_hmac']     = false   # ssh
+default['ssh']['server']['weak_hmac']     = false   # sshd
+default['ssh']['client']['weak_kex']      = false   # ssh
+default['ssh']['server']['weak_kex']      = false   # sshd
 default['ssh']['ports']                   = [22]  # sshd + ssh
 default['ssh']['listen_to']               = ['0.0.0.0']     # sshd
 default['ssh']['host_key_files']          = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']     # sshd

diff --git a/recipes/client.rb b/recipes/client.rb
@@ -30,14 +30,40 @@
   action :create
 end
 
+# warn about cipher depreciations and support legacy attributes
+%w(weak_hmac weak_kex cbc_required).each do |setting|
+  next unless node['ssh'][setting]
+  # If at least one of the specific client/server attributes was used,
+  # we assume the global attribute to be a leftover from previous runs and
+  # just ignore it.
+  #
+  # If both client and server settings are default (false) we use the global
+  # value for both client and server for backward compatibility - the user may
+  # not have noticed the new attributes yet and did request the weak settings
+  # in the past. We don't want to break too many things.
+  if !node['ssh']['client'][setting] && !node['ssh']['server'][setting]
+    log "deprecated-ssh/#{setting}_client" do
+      message "ssh/client/#{setting} set from deprecated ssh/#{setting}"
+      level :warn
+    end
+    node.set['ssh']['client'][setting] = node['ssh'][setting]
+  else
+    log "ignored-ssh/#{setting}_client" do
+      message "Ignoring ssh/#{setting}:true for client"
+      only_if { !node['ssh']['client'][setting] }
+      level :warn
+    end
+  end
+end
+
 template '/etc/ssh/ssh_config' do
   source 'openssh.conf.erb'
   mode '0644'
   owner 'root'
   group 'root'
   variables(
-    mac: SshMac.get_macs(node, node['ssh']['weak_hmac']),
-    kex: SshKex.get_kexs(node, node['ssh']['weak_kex']),
-    cipher: SshCipher.get_ciphers(node, node['ssh']['cbc_required'])
+    mac: SshMac.get_macs(node, node['ssh']['client']['weak_hmac']),
+    kex: SshKex.get_kexs(node, node['ssh']['client']['weak_kex']),
+    cipher: SshCipher.get_ciphers(node, node['ssh']['client']['cbc_required'])
   )
 end
diff --git a/recipes/server.rb b/recipes/server.rb
@@ -58,15 +58,41 @@
   action :create
 end
 
+# warn about cipher depreciations and support legacy attributes
+%w(weak_hmac weak_kex cbc_required).each do |setting|
+  next unless node['ssh'][setting]
+  # If at least one of the specific client/server attributes was used,
+  # we assume the global attribute to be a leftover from previous runs and
+  # just ignore it.
+  #
+  # If both client and server settings are default (false) we use the global
+  # value for both client and server for backward compatibility - the user may
+  # not have noticed the new attributes yet and did request the weak settings
+  # in the past. We don't want to break too many things.
+  if !node['ssh']['server'][setting] && !node['ssh']['client'][setting]
+    log "deprecated-ssh/#{setting}_server" do
+      message "ssh/server/#{setting} set from deprecated ssh/#{setting}"
+      level :warn
+    end
+    node.set['ssh']['server'][setting] = node['ssh'][setting]
+  else
+    log "ignored-ssh/#{setting}_server" do
+      message "Ignoring ssh/#{setting}:true for server"
+      only_if { !node['ssh']['server'][setting] }
+      level :warn
+    end
+  end
+end
+
 template '/etc/ssh/sshd_config' do
   source 'opensshd.conf.erb'
   mode '0600'
   owner 'root'
   group 'root'
   variables(
-    mac: SshMac.get_macs(node, node['ssh']['weak_hmac']),
-    kex: SshKex.get_kexs(node, node['ssh']['weak_kex']),
-    cipher: SshCipher.get_ciphers(node, node['ssh']['cbc_required'])
+    mac: SshMac.get_macs(node, node['ssh']['server']['weak_hmac']),
+    kex: SshKex.get_kexs(node, node['ssh']['server']['weak_kex']),
+    cipher: SshCipher.get_ciphers(node, node['ssh']['server']['cbc_required'])
   )
   notifies :restart, 'service[sshd]'
 end