From 887b54e121c4ea5be61ef81c7ac957a0888a2b11 Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Tue, 14 Oct 2014 01:38:58 +0200 Subject: [PATCH 1/3] split weak_* attributes into client and server ones --- attributes/default.rb | 9 ++++++--- recipes/client.rb | 32 +++++++++++++++++++++++++++++--- recipes/server.rb | 32 +++++++++++++++++++++++++++++--- 3 files changed, 64 insertions(+), 9 deletions(-) diff --git a/attributes/default.rb b/attributes/default.rb index 64455c0..5953dec 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -43,9 +43,12 @@ default['config_disclaimer'] = '**Note:** This file was automatically created by Pinerolo configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.' default['network']['ipv6']['enable'] = false # sshd + ssh -default['ssh']['cbc_required'] = false # sshd + ssh -default['ssh']['weak_hmac'] = false # sshd + ssh -default['ssh']['weak_kex'] = false # sshd + ssh +default['ssh']['client']['cbc_required'] = false # ssh +default['ssh']['server']['cbc_required'] = false # sshd +default['ssh']['client']['weak_hmac'] = false # ssh +default['ssh']['server']['weak_hmac'] = false # sshd +default['ssh']['client']['weak_kex'] = false # ssh +default['ssh']['server']['weak_kex'] = false # sshd default['ssh']['ports'] = [22] # sshd + ssh default['ssh']['listen_to'] = ['0.0.0.0'] # sshd default['ssh']['host_key_files'] = ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key'] # sshd diff --git a/recipes/client.rb b/recipes/client.rb index 886f40e..b38cdd3 100644 --- a/recipes/client.rb +++ b/recipes/client.rb 
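Review bot: The three removed keys `['ssh']['cbc_required']`, `['ssh']['weak_hmac']` and `['ssh']['weak_kex']` are no longer declared anywhere in attributes/default.rb, yet the recipes/client.rb and recipes/server.rb hunks of this same patch still read them for the deprecation shim, so a reader of the attribute file cannot tell that they are still honoured. I would keep a comment next to the six new lines, e.g. `# deprecated, still read by recipes/client.rb and recipes/server.rb: ['ssh']['cbc_required'], ['ssh']['weak_hmac'], ['ssh']['weak_kex']`. Defaulting all six new keys to `false` is the right choice, since each `true` widens the cipher, MAC or KEX set that is offered.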
@@ -30,14 +30,40 @@ action :create end +# warn about cipher depreciations and support legacy attributes +%w(weak_hmac weak_kex cbc_required).each do |setting| + next unless node['ssh'][setting] + # If at least one of the specific client/server attributes was used, + # we assume the global attribute to be a leftover from previous runs and + # just ignore it. + # + # If both client and server settings are default (false) we use the global + # value for both client and server for backward compatibility - the user may + # not have noticed the new attributes yet and did request the weak settings + # in the past. We don't want to break too many things. + if !node['ssh']['client'][setting] && !node['ssh']['server'][setting] + log "deprecated-ssh/#{setting}_client" do + message "ssh/client/#{setting} set from deprecated ssh/#{setting}" + level :warn + end + node.set['ssh']['client'][setting] = node['ssh'][setting] + else + log "ignored-ssh/#{setting}_client" do + message "Ignoring ssh/#{setting}:true for client" + only_if { !node['ssh']['client'][setting] } + level :warn + end + end +end + template '/etc/ssh/ssh_config' do source 'openssh.conf.erb' mode '0644' owner 'root' group 'root' variables( - mac: SshMac.get_macs(node, node['ssh']['weak_hmac']), - kex: SshKex.get_kexs(node, node['ssh']['weak_kex']), - cipher: SshCipher.get_ciphers(node, node['ssh']['cbc_required']) + mac: SshMac.get_macs(node, node['ssh']['client']['weak_hmac']), + kex: SshKex.get_kexs(node, node['ssh']['client']['weak_kex']), + cipher: SshCipher.get_ciphers(node, node['ssh']['client']['cbc_required']) ) end diff --git a/recipes/server.rb b/recipes/server.rb index 5cfcd2d..a7f8dd7 100644 --- a/recipes/server.rb +++ b/recipes/server.rb 
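Review bot: Persisting the transitional value with `node.set['ssh']['client'][setting] = node['ssh'][setting]` writes a normal attribute that is visible to the rest of the same run and saved on the node, and that defeats the shim in both recipes: if recipes/client.rb runs before recipes/server.rb in one run list, the server hunk's `!node['ssh']['server'][setting] && !node['ssh']['client'][setting]` sees the client value just written, takes the else branch, logs "Ignoring ssh/…:true for server" and leaves sshd on the strict set although the user only set the legacy attribute (the mirror image happens when the order is reversed). It also means that once the weak value has been copied, removing the legacy attribute later does not return the node to the hardened ciphers, because the normal attribute survives. Better not to write to the node at all: compute the effective per-setting value in a local hash and pass that to the template, as sketched below; the same change applies to the recipes/server.rb hunk with `server` in place of `client`. The README hunk in PATCH 3/3 additionally states that a legacy attribute "still precedes the newly added attributes", which is the opposite of what this code does — the explicit client/server value wins and the legacy one is ignored with a warning — so one of the two should be corrected.
```ruby
# warn about cipher depreciations and support legacy attributes;
# effective values are kept local so nothing is persisted on the node
client_weak = {}
%w(weak_hmac weak_kex cbc_required).each do |setting|
  client_weak[setting] = node['ssh']['client'][setting]
  next unless node['ssh'][setting]
  # … unchanged: explanatory comment …
  if !node['ssh']['client'][setting] && !node['ssh']['server'][setting]
    # … unchanged: deprecated-ssh/… log resource …
    client_weak[setting] = node['ssh'][setting]
  else
    # … unchanged: ignored-ssh/… log resource …
  end
end

template '/etc/ssh/ssh_config' do
  # … unchanged: source/mode/owner/group …
  variables(
    mac: SshMac.get_macs(node, client_weak['weak_hmac']),
    kex: SshKex.get_kexs(node, client_weak['weak_kex']),
    cipher: SshCipher.get_ciphers(node, client_weak['cbc_required'])
  )
end
```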
@@ -58,15 +58,41 @@ action :create end +# warn about cipher depreciations and support legacy attributes +%w(weak_hmac weak_kex cbc_required).each do |setting| + next unless node['ssh'][setting] + # If at least one of the specific client/server attributes was used, + # we assume the global attribute to be a leftover from previous runs and + # just ignore it. + # + # If both client and server settings are default (false) we use the global + # value for both client and server for backward compatibility - the user may + # not have noticed the new attributes yet and did request the weak settings + # in the past. We don't want to break too many things. + if !node['ssh']['server'][setting] && !node['ssh']['client'][setting] + log "deprecated-ssh/#{setting}_server" do + message "ssh/server/#{setting} set from deprecated ssh/#{setting}" + level :warn + end + node.set['ssh']['server'][setting] = node['ssh'][setting] + else + log "ignored-ssh/#{setting}_server" do + message "Ignoring ssh/#{setting}:true for server" + only_if { !node['ssh']['server'][setting] } + level :warn + end + end +end + template '/etc/ssh/sshd_config' do source 'opensshd.conf.erb' mode '0600' owner 'root' group 'root' variables( - mac: SshMac.get_macs(node, node['ssh']['weak_hmac']), - kex: SshKex.get_kexs(node, node['ssh']['weak_kex']), - cipher: SshCipher.get_ciphers(node, node['ssh']['cbc_required']) + mac: SshMac.get_macs(node, node['ssh']['server']['weak_hmac']), + kex: SshKex.get_kexs(node, node['ssh']['server']['weak_kex']), + cipher: SshCipher.get_ciphers(node, node['ssh']['server']['cbc_required']) ) notifies :restart, 'service[sshd]' end From e26f7dcf349db86f57b548eef4d5e1508d92c1cd Mon Sep 17 00:00:00 2001 
From: "Bernhard K. Weisshuhn" Date: Tue, 14 Oct 2014 01:39:37 +0200 Subject: [PATCH 2/3] add tests for new weak_ attribs and transition logic --- spec/recipes/client_spec.rb | 206 +++++++++++++++++++++++++++++----- spec/recipes/server_spec.rb | 214 +++++++++++++++++++++++++++++++----- 2 files changed, 362 insertions(+), 58 deletions(-) diff --git a/spec/recipes/client_spec.rb b/spec/recipes/client_spec.rb index 3691eb5..a43b538 100644 --- a/spec/recipes/client_spec.rb +++ b/spec/recipes/client_spec.rb 
@@ -64,82 +64,230 @@ .with_content(/Ciphers [^#]*\baes256-ctr\b/) end - context 'with weak hmacs enabled' do + context 'weak_hmac enabled only for the client' do cached(:chef_run) do ChefSpec::ServerRunner.new do |node| - node.set['ssh']['weak_hmac'] = true + node.set['ssh']['client']['weak_hmac'] = true end.converge(described_recipe) end - it 'allows weak hmacs' do + it 'allows weak hmacs for the client' do expect(chef_run).to render_file('/etc/ssh/ssh_config') .with_content(/MACs [^#]*\bhmac-sha1\b/) end - it 'still does not allow weak kexs' do - expect(chef_run).not_to render_file('/etc/ssh/ssh_config') - .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + it 'does not warn about depreciation' do + expect(chef_run).not_to write_log('deprecated-ssh/weak_hmac_cliet') end + end - it 'still doss not allow cbc ciphers' do + context 'weak_hmac enabled only for the server' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh']['server']['weak_hmac'] = true + end.converge(described_recipe) + end + + it 'does not enable weak hmacs on the client' do expect(chef_run).not_to render_file('/etc/ssh/ssh_config') - .with_content(/Ciphers [^#]*-cbc\b/) + .with_content(/MACs [^#]*\bhmac-sha1\b/) end end - context 'with weak kexs enabled' do + context 'weak_kex enabled for the client only' do cached(:chef_run) do ChefSpec::ServerRunner.new do |node| - node.set['ssh']['weak_kex'] = true + node.set['ssh']['client']['weak_kex'] = true end.converge(described_recipe) end - it 'allows weak kexs' do + it 'allows weak kexs on the client' do expect(chef_run).to render_file('/etc/ssh/ssh_config') .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) end - it 'still does not allow weak macs' do - expect(chef_run).not_to render_file('/etc/ssh/ssh_config') - .with_content(/MACs [^#]*\bhmac-sha1\b/) + it 'does not warn about depreciation' do + expect(chef_run).not_to write_log('deprecated-ssh/weak_kex_client') + end + end + + context 
'weak_kexs enabled for the server only' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh']['server']['weak_kex'] = true + end.converge(described_recipe) end - it 'still does not allow cbc ciphers' do + it 'does not allow weak kexs on the client' do expect(chef_run).not_to render_file('/etc/ssh/ssh_config') - .with_content(/Ciphers [^#]*-cbc\b/) + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) end end - context 'with cbc required' do + context 'cbc_required set for the client only' do cached(:chef_run) do ChefSpec::ServerRunner.new do |node| - node.set['ssh']['cbc_required'] = true + node.set['ssh']['client']['cbc_required'] = true end.converge(described_recipe) end - it 'allows cbc ciphers' do + it 'allows cbc ciphers on the client' do expect(chef_run).to render_file('/etc/ssh/ssh_config') .with_content(/Ciphers [^#]*\baes256-cbc\b/) .with_content(/Ciphers [^#]*\baes192-cbc\b/) .with_content(/Ciphers [^#]*\baes128-cbc\b/) end - it 'still does not allow weak macs' do - expect(chef_run).not_to render_file('/etc/ssh/ssh_config') - .with_content(/MACs [^#]*\bhmac-sha1\b/) + it 'does not warn about depreciation' do + expect(chef_run).not_to write_log('deprecated-ssh/cbc_required_client') + end + end + + context 'cbc_required set for the server only' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh']['server']['cbc_required'] = true + end.converge(described_recipe) end - it 'still does not allow weak kexs' do + it 'does not allow cbc ciphers on the client' do expect(chef_run).not_to render_file('/etc/ssh/ssh_config') - .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + .with_content(/Ciphers [^#]*\b.*-cbc\b/) end + end - it 'still enables ctr ciphers' do - expect(chef_run).to render_file('/etc/ssh/ssh_config') - .with_content(/Ciphers [^#]*\baes128-ctr\b/) - .with_content(/Ciphers [^#]*\baes192-ctr\b/) - .with_content(/Ciphers [^#]*\baes256-ctr\b/) + describe 'backward 
compatibility' do + context 'legacy attribute ssl/weak_hmac set' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh']['weak_hmac'] = true + end.converge(described_recipe) + end + + it 'allows weak hmacs' do + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/MACs [^#]*\bhmac-sha1\b/) + end + + it 'still does not allow weak kexs' do + expect(chef_run).not_to render_file('/etc/ssh/ssh_config') + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + end + + it 'still doss not allow cbc ciphers' do + expect(chef_run).not_to render_file('/etc/ssh/ssh_config') + .with_content(/Ciphers [^#]*-cbc\b/) + end + + it 'warns about depreciation' do + expect(chef_run).to write_log('deprecated-ssh/weak_hmac_client') + .with(message: /deprecated/) + .with(level: :warn) + end + end + + context 'legacy attribute weak_kex set' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh']['weak_kex'] = true + end.converge(described_recipe) + end + + it 'allows weak kexs on the client' do + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + end + + it 'still does not allow weak macs' do + expect(chef_run).not_to render_file('/etc/ssh/ssh_config') + .with_content(/MACs [^#]*\bhmac-sha1\b/) + end + + it 'still does not allow cbc ciphers' do + expect(chef_run).not_to render_file('/etc/ssh/ssh_config') + .with_content(/Ciphers [^#]*-cbc\b/) + end + + it 'warns about depreciation' do + expect(chef_run).to write_log('deprecated-ssh/weak_kex_client') + .with(message: /deprecated/) + .with(level: :warn) + end end + context 'legacy attribute cbc_required set' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh']['cbc_required'] = true + end.converge(described_recipe) + end + + it 'allows cbc ciphers for the client' do + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/Ciphers 
[^#]*\baes256-cbc\b/) + .with_content(/Ciphers [^#]*\baes192-cbc\b/) + .with_content(/Ciphers [^#]*\baes128-cbc\b/) + end + + it 'still does not allow weak macs' do + expect(chef_run).not_to render_file('/etc/ssh/ssh_config') + .with_content(/MACs [^#]*\bhmac-sha1\b/) + end + + it 'still does not allow weak kexs' do + expect(chef_run).not_to render_file('/etc/ssh/ssh_config') + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + end + + it 'still enables ctr ciphers' do + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/Ciphers [^#]*\baes128-ctr\b/) + .with_content(/Ciphers [^#]*\baes192-ctr\b/) + .with_content(/Ciphers [^#]*\baes256-ctr\b/) + end + + it 'warns about depreciation' do + expect(chef_run).to write_log('deprecated-ssh/cbc_required_client') + .with(message: /deprecated/) + .with(level: :warn) + end + end + end + + %w(weak_hmac weak_kex cbc_required).each do |attr| + describe "transition logic for #{attr}" do + context "global #{attr}:true, client:false and server:true" do + # don't use cache, log persists + let(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh'][attr] = true + node.set['ssh']['client'][attr] = false + node.set['ssh']['server'][attr] = true + end.converge(described_recipe) + end + + it "warns about ignoring the global #{attr} value for the client" do + expect(chef_run).to write_log("ignored-ssh/#{attr}_client") + .with(message: "Ignoring ssh/#{attr}:true for client") + .with_level(:warn) + end + end + + context "global #{attr}:true, client:true and server:false" do + # don't use cache, log persists + let(:chef_run) do + ChefSpec::ServerRunner.new do |node| + node.set['ssh'][attr] = true + node.set['ssh']['client'][attr] = true + node.set['ssh']['server'][attr] = false + end.converge(described_recipe) + end + + it "does not warn about ignoring the global #{attr}" do + expect(chef_run).not_to write_log("ignored-ssh/#{attr}_client") + .with_level(:warn) + end + end + end end end 
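Review bot: The negative assertion in 'weak_hmac enabled only for the client' checks a log name that cannot exist, `write_log('deprecated-ssh/weak_hmac_cliet')`, so it passes no matter what the recipe logs; it should read `expect(chef_run).not_to write_log('deprecated-ssh/weak_hmac_client')`, matching the weak_kex and cbc_required contexts. The context title `'legacy attribute ssl/weak_hmac set'` says ssl for ssh, and 'still doss not allow cbc ciphers' carries a typo over from the old example. The server-only cbc context's `/Ciphers [^#]*\b.*-cbc\b/` is looser than the `/Ciphers [^#]*-cbc\b/` used elsewhere in this file (the `.*` makes the `\b` irrelevant); using the same pattern keeps the negative checks comparable.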
diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb index dd8d371..8a2c238 100644 --- a/spec/recipes/server_spec.rb +++ b/spec/recipes/server_spec.rb @@ -72,10 +72,10 @@ .with_content(/Ciphers [^#]*\baes256-ctr\b/) end - context 'with weak hmacs enabled' do + context 'with weak hmacs enabled for the server' do cached(:chef_run) do ChefSpec::ServerRunner.new do |node| - node.set['ssh']['weak_hmac'] = true + node.set['ssh']['server']['weak_hmac'] = true end.converge(described_recipe) end 
@@ -84,69 +84,226 @@ .with_content(/MACs [^#]*\bhmac-sha1\b/) end - it 'still does not allow weak kexs' do - expect(chef_run).not_to render_file('/etc/ssh/sshd_config') - .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + it 'does not warn about depreciation' do + expect(chef_run).not_to write_log('deprecated-ssh/weak_hmac_server') end + end - it 'still doss not allow cbc ciphers' do + context 'with weak hmacs enabled for only the client' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + node.set['ssh']['server']['client']['weak_hmac'] = true + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + end.converge(described_recipe) + end + + it 'weak hmacs on the server are not enabled' do expect(chef_run).not_to render_file('/etc/ssh/sshd_config') - .with_content(/Ciphers [^#]*-cbc\b/) + .with_content(/MACs [^#]*\bhmac-sha1\b/) end end - context 'with weak kexs enabled' do + context 'weak_kex enabled for only the server' do cached(:chef_run) do ChefSpec::ServerRunner.new do |node| - node.set['ssh']['weak_kex'] = true + node.set['ssh']['server']['weak_kex'] = true end.converge(described_recipe) end - it 'allows weak kexs' do + it 'enables weak kexs on the server' do expect(chef_run).to render_file('/etc/ssh/sshd_config') .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) end - it 'still does not allow weak macs' do - expect(chef_run).not_to render_file('/etc/ssh/sshd_config') - .with_content(/MACs [^#]*\bhmac-sha1\b/) + it 'does not warn about depreciation' do + expect(chef_run).not_to write_log('deprecated-ssh/weak_kex_server') + end + end + + context 'weak_kex enabled for only the client' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + node.set['ssh']['client']['weak_kex'] = true + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + end.converge(described_recipe) end - it 'still does not allow cbc ciphers' do + it 'does not enable weak kexs on the 
server' do expect(chef_run).not_to render_file('/etc/ssh/sshd_config') - .with_content(/Ciphers [^#]*-cbc\b/) + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) end end - context 'with cbc required' do + context 'cbc_required for the server only' do cached(:chef_run) do ChefSpec::ServerRunner.new do |node| - node.set['ssh']['cbc_required'] = true + node.set['ssh']['server']['cbc_required'] = true end.converge(described_recipe) end - it 'allows cbc ciphers' do + it 'enables cbc ciphers for the server' do expect(chef_run).to render_file('/etc/ssh/sshd_config') .with_content(/Ciphers [^#]*\baes256-cbc\b/) .with_content(/Ciphers [^#]*\baes192-cbc\b/) .with_content(/Ciphers [^#]*\baes128-cbc\b/) end - it 'still does not allow weak macs' do - expect(chef_run).not_to render_file('/etc/ssh/sshd_config') - .with_content(/MACs [^#]*\bhmac-sha1\b/) + it 'does not warn about depreciation' do + expect(chef_run).not_to write_log('deprecated-ssh/weak_kex_server') + end + end + + context 'cbc_required for the client only' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + node.set['ssh']['client']['cbc_required'] = true + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + end.converge(described_recipe) end - it 'still does not allow weak kexs' do + it 'does not enable cbc ciphers for the server' do expect(chef_run).not_to render_file('/etc/ssh/sshd_config') - .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + .with_content(/Ciphers [^#]*\b.*-cbc\b/) + end + end + + describe 'backward compatibility' do + context 'legacy attribute weak hmac set' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + node.set['ssh']['weak_hmac'] = true + end.converge(described_recipe) + end + + it 'allows weak hmacs' do + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/MACs [^#]*\bhmac-sha1\b/) + end + + it 'still 
does not allow weak kexs' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + end + + it 'still does not allow cbc ciphers' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/Ciphers [^#]*-cbc\b/) + end + + it 'warns about depreciation' do + expect(chef_run).to write_log('deprecated-ssh/weak_hmac_server') + .with(message: /deprecated/) + .with(level: :warn) + end end - it 'still enables ctr ciphers' do - expect(chef_run).to render_file('/etc/ssh/sshd_config') - .with_content(/Ciphers [^#]*\baes128-ctr\b/) - .with_content(/Ciphers [^#]*\baes192-ctr\b/) - .with_content(/Ciphers [^#]*\baes256-ctr\b/) + context 'legacy attribute weak_kex set' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + node.set['ssh']['weak_kex'] = true + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + end.converge(described_recipe) + end + + it 'allows weak kexs' do + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + end + + it 'still does not allow weak macs' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/MACs [^#]*\bhmac-sha1\b/) + end + + it 'still does not allow cbc ciphers' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/Ciphers [^#]*-cbc\b/) + end + + it 'warns about depreciation' do + expect(chef_run).to write_log('deprecated-ssh/weak_kex_server') + .with(message: /deprecated/) + .with(level: :warn) + end + end + + context 'legacy attribute cbc_required set' do + cached(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + node.set['ssh']['cbc_required'] = true + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + end.converge(described_recipe) + end + + it 'allows cbc ciphers' do + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/Ciphers 
[^#]*\baes256-cbc\b/) + .with_content(/Ciphers [^#]*\baes192-cbc\b/) + .with_content(/Ciphers [^#]*\baes128-cbc\b/) + end + + it 'still does not allow weak macs' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/MACs [^#]*\bhmac-sha1\b/) + end + + it 'still does not allow weak kexs' do + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/KexAlgorithms [^#]*\bdiffie-hellman-group1-sha1\b/) + end + + it 'still enables ctr ciphers' do + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/Ciphers [^#]*\baes128-ctr\b/) + .with_content(/Ciphers [^#]*\baes192-ctr\b/) + .with_content(/Ciphers [^#]*\baes256-ctr\b/) + end + + it 'warns about depreciation' do + expect(chef_run).to write_log('deprecated-ssh/cbc_required_server') + .with(message: /deprecated/) + .with(level: :warn) + end + end + + %w(weak_hmac weak_kex cbc_required).each do |attr| + describe "transition logic for #{attr}" do + context "global #{attr} true, client true and server false" do + # don't use cache, log persists + let(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + node.set['ssh'][attr] = true + node.set['ssh']['client'][attr] = true + node.set['ssh']['server'][attr] = false + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + end.converge(described_recipe) + end + + it "warns about ignoring the global #{attr} value for the server" do + expect(chef_run).to write_log("ignored-ssh/#{attr}_server") + .with(message: "Ignoring ssh/#{attr}:true for server") + .with(level: :warn) + end + end + + context "global #{attr} true, client false and server true" do + # don't use cache, log persists + let(:chef_run) do + ChefSpec::ServerRunner.new do |node, server| + node.set['ssh'][attr] = true + node.set['ssh']['client'][attr] = false + node.set['ssh']['server'][attr] = true + server.create_data_bag('users', 'someuser' => { id: 'someuser' }) + end.converge(described_recipe) + end + + it "does not warn 
about ignoring the global #{attr}" do + expect(chef_run).not_to write_log("ignored-ssh/#{attr}_server") + .with_level(:warn) + end + end + end end end @@ -209,7 +366,6 @@ .with_content(/^key2-user3$/) .with_content(/^key1-user4$/) end - end context 'without users data bag' do From 7d4722bfef198b32d78f49356e48f61068ec39fb Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Tue, 14 Oct 2014 01:57:33 +0200 Subject: [PATCH 3/3] update docs about split of cbc_required, weak_hmac and weak_kex --- CHANGELOG.md | 8 ++++++++ README.md | 18 ++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf46017..84dba9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## unreleased + +* new attributes node['ssh']['client']['cbc_required'] and node['ssh']['server']['cbc_required'] replace node['ssh']['cbc_required'], which has been deprecated. + +* new attributes node['ssh']['client']['weak_hmac'] and node['ssh']['server']['weak_hmac'] replace node['ssh']['weak_hmac'], which has been deprecated. + +* new attributes node['ssh']['client']['weak_kex'] and node['ssh']['server']['weak_kex'] replace node['ssh']['weak_kex'], which has been deprecated. + ## 1.0.1 * feature: cipher, macs and key exchange algorithms are now correctly detected on diff --git a/README.md b/README.md index 0883731..39b9098 100644 --- a/README.md +++ b/README.md 
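Review bot: The 'with weak hmacs enabled for only the client' context sets `node.set['ssh']['server']['client']['weak_hmac'] = true`, a key neither recipe reads, so 'weak hmacs on the server are not enabled' passes without ever exercising the client attribute; the line should be `node.set['ssh']['client']['weak_hmac'] = true` as in the weak_kex and cbc_required siblings. In 'cbc_required for the server only' the negative check names the wrong log, `write_log('deprecated-ssh/weak_kex_server')`; it should be `expect(chef_run).not_to write_log('deprecated-ssh/cbc_required_server')`. The `server.create_data_bag('users', ...)` fixture is created in some new contexts but not in 'weak_kex enabled for only the server' or 'cbc_required for the server only'; if the recipe needs it those contexts are inconsistent, and if it does not, it is noise — presumably worth aligning either way.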
@@ -16,9 +16,9 @@ This cookbook provides secure ssh-client and ssh-server configurations. ## Attributes * `['network']['ipv6']['enable']` - true if IPv6 is needed -* `['ssh']['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. -* `['ssh']['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. -* `['ssh']['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. +* `['ssh'][{'client', 'server'}]['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available. +* `['ssh'][{'client', 'server'}]['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled. +* `['ssh'][{'client', 'server'}]['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled. * `['ssh']['allow_root_with_key']` - `false` to disable root login altogether. Set to `true` to allow root to login via key-based mechanism. 
* `['ssh']['ports']` - ports to which ssh-server should listen to and ssh-client should connect to * `['ssh']['listen_to']` - one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons! @@ -130,7 +130,17 @@ Always look into log files first and if possible look at the negotation between We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection. -If you find this isn't enough, feel free to activate `['ssh']['cbc_required']` for ciphers, `['ssh']['weak_hmac']` for MACs, and `['ssh']['weak_kex']` for KEX. +If you find this isn't enough, feel free to activate the attributes `cbc_requires` for ciphers, `weak_hmac` for MACs and `weak_kex`for KEX in the namespaces `['ssh']['client']` or `['ssh']['server']` based on where you want to support them. + +## Deprecation Notices + +* `node['ssh']['cbc_required']` has been deprecated in favour of `node['ssh']['client']['cbc_required']` and `node['ssh']['server']['cbc_required']`. + +* `node['ssh']['weak_hmac']` has been deprecated in favour of `node['ssh']['client']['weak_hmac']` and `node['ssh']['server']['weak_hmac']`. + +* `node['ssh']['weak_kex']` has been deprecated in favour of `node['ssh']['client']['weak_kex']` and `node['ssh']['server']['weak_kex']`. + +* The old attributes are still supported but will be removed in the future. In case one of the legacy attributes is set, it still precedes the newly added attributes to allow for backward compatibility. ## Contributors + Kudos