
Refactoring of library to simplify the kex/cipher handling #134

Merged
merged 2 commits into from Dec 14, 2016

4 participants
@artem-sidorenko
Member

artem-sidorenko commented Nov 9, 2016

Closes #87, #136, #137

TODOs

  • move entire library code to the module DevSec::SshHardening, extend Chef::Recipe only with functions used in the recipe
  • Create some spec tests for DevSec::SshHardening module
  • Simplify node object handling (avoid node object attribute)
Member

artem-sidorenko commented Nov 9, 2016

@chris-rock @atomic111 what do you think about the direction?

I guess we should put this in 2.0.0 because of the Chef version. What do you think?

coveralls commented Nov 9, 2016

Coverage Status

Coverage decreased (-5.08%) to 94.922% when pulling 21a7eaf on artem-sidorenko:refactor-libraries into 803e394 on dev-sec:master.

coveralls commented Nov 9, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling c8f9aba on artem-sidorenko:refactor-libraries into 803e394 on dev-sec:master.

coveralls commented Nov 9, 2016

Coverage Status

Coverage decreased (-8.3%) to 91.739% when pulling 0cff3c9 on artem-sidorenko:refactor-libraries into 803e394 on dev-sec:master.

coveralls commented Nov 10, 2016

Coverage Status

Coverage decreased (-1.09%) to 98.913% when pulling c047c60 on artem-sidorenko:refactor-libraries into 803e394 on dev-sec:master.

coveralls commented Nov 10, 2016

Coverage Status

Coverage decreased (-0.4%) to 99.566% when pulling 18579f6 on artem-sidorenko:refactor-libraries into 803e394 on dev-sec:master.

coveralls commented Nov 10, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling afb7f33 on artem-sidorenko:refactor-libraries into 803e394 on dev-sec:master.

Member

artem-sidorenko commented Nov 10, 2016

@chris-rock @arlimus @atomic111 it's ready. Can you please review? Please do not merge, we need the 1.3.0 first (#135).

Followups of this PR will be addressed by issues #136 and #137

Member

artem-sidorenko commented Nov 17, 2016

@chris-rock @arlimus @atomic111 any remarks? I would really appreciate the review of this one

@artem-sidorenko artem-sidorenko changed the title from WIP: Refactor the library to simplify the kex/cipher handling to Refactor the library to simplify the kex/cipher handling Nov 23, 2016

@artem-sidorenko artem-sidorenko added this to the v2.0.0 milestone Nov 23, 2016

coveralls commented Nov 23, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling 994436e on artem-sidorenko:refactor-libraries into 10953dc on dev-sec:master.

Member

artem-sidorenko commented Nov 30, 2016

Member

chris-rock commented Nov 30, 2016

@artem-sidorenko Great work. Let me have a look at this later today.

@chris-rock

@artem-sidorenko Thank you for the improvement. I apologize for the late review. I like your clean-up and the improved version detection. I am not sure about the meta programming. Could you explain why we need it?

libraries/devsec_ssh.rb (outdated review thread)
@@ -0,0 +1,220 @@
# encoding: utf-8
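Review bot: the `# encoding: utf-8` magic comment on line 1 is redundant on Ruby 2.0 and later, where UTF-8 is already the default source encoding; it only does anything if the cookbook still has to run under Chef clients on Ruby 1.9. Since the thread ties this change to a Chef version bump for 2.0.0, either state the supported Ruby/Chef range where readers will find it or drop the comment.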

@chris-rock

chris-rock Dec 4, 2016

Member

any reason why you prefix the file with devsec

@artem-sidorenko

artem-sidorenko Dec 5, 2016

Member

The module/class name is DevSec::SSH; as there is no similar path in place, I called the file devsec_ssh to allow a similar matching between the file name and the class/module name.

Further outdated review threads (collapsed) on libraries/devsec_ssh.rb and recipes/client.rb
Member

artem-sidorenko commented Dec 5, 2016

@chris-rock

I am not sure about the meta programming. Could you explain why we need it?

My first iteration was without it; I ended up with almost the same code for all functions get_[client|server]_[kexs|macs|ciphers]. So I decided to go that way in order to avoid duplicating it 5 times.

coveralls commented Dec 5, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling 271dbab on artem-sidorenko:refactor-libraries into 10953dc on dev-sec:master.

coveralls commented Dec 5, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling 3751bf2 on artem-sidorenko:refactor-libraries into 10953dc on dev-sec:master.

@artem-sidorenko artem-sidorenko changed the title from Refactor the library to simplify the kex/cipher handling to WIP: Refactor the library to simplify the kex/cipher handling Dec 5, 2016

coveralls commented Dec 5, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling ef4e38a on artem-sidorenko:refactor-libraries into 10953dc on dev-sec:master.

Member

artem-sidorenko commented Dec 5, 2016

The node object should not be passed as a parameter from the recipe anymore.

Please do not merge this PR once you think the review is done; I'll squash the fixup commits prior to the merge to master.

coveralls commented Dec 5, 2016

Coverage Status

Coverage decreased (-0.2%) to 99.771% when pulling 8817a44 on artem-sidorenko:refactor-libraries into 10953dc on dev-sec:master.

coveralls commented Dec 5, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling d50ba56 on artem-sidorenko:refactor-libraries into 10953dc on dev-sec:master.

Member

artem-sidorenko commented Dec 9, 2016

@chris-rock I already removed the metaprogramming implementation, so there is no open discussion point anymore.

Please let us proceed here; this PR has already been open for 1 month and it blocks me from further progress in this cookbook.

Do you see any other points? Otherwise please tell me "LGTM" and I will squash&merge it and start to work on other tasks.

bazbremner added a commit to bazbremner/chef-ssh-hardening that referenced this pull request Dec 13, 2016

Add node attributes to override KEX, MAC and cipher values
There's advice available on preferred choices of key exchange, message
authentication and ciphers from a number of sources [1][2][3], all of
which don't _entirely_ agree with each other, and then there's the
hardcoded selection of Kex, MAC and ciphers encoded in this cookbook.

At the time of committing, there is a refactor going on to simplify kex
and cipher handling:
dev-sec#134

Even in that refactor, hmac-ripemd160 MACs, which have been removed in
OpenSSH 6.7 (and hence flagged by ssh-audit[1] and are absent from
Mozilla's recommendations[2] for modern sshd, yet are still recommended
by secure secure shell[3]) are included in the default MAC list.

Likewise hmac-sha2-256 and hmac-sha2-512 are flagged by ssh-audit[1] as
they are encrypt-and-MAC, which has a number of issues, discussed in
secure secure shell[3].

There is likely to be more complexity and balancing of features/security
to consider plus the future changes of refactors in this cookbook, so
initially, I'd just like a way of overriding the generated defaults.

[1] https://github.com/arthepsy/ssh-audit
[2] https://wiki.mozilla.org/Security/Guidelines/OpenSSH
[3] https://stribika.github.io/2015/01/04/secure-secure-shell.html

Member

atomic111 commented Dec 13, 2016

@artem-sidorenko great job!!! I will discuss this with @chris-rock. It looks pretty complete.

@chris-rock

This looks good to me @artem-sidorenko. Once you remove the WIP from the title we should merge it.

end
def get_client_macs(enable_weak = false)
get_crypto_data(:macs, :client, enable_weak)
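Review bot: `get_client_macs(enable_weak = false)` forwards a bare boolean into `get_crypto_data(:macs, :client, enable_weak)`, and nothing in the hunk says whether `true` appends the weak MAC list to the default list or replaces it; a one-line comment on the wrapper would remove that ambiguity, since recipe authors will read this signature rather than `get_crypto_data`. The same note applies to the sibling get_[client|server]_[kexs|ciphers] wrappers mentioned earlier in the thread, which share the same parameter.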

@chris-rock

chris-rock Dec 13, 2016

Member

👍 cool abstraction. much easier to read!

artem-sidorenko added some commits Nov 9, 2016

Refactoring: simplify handling of crypto parameters
Module `DevSec::Ssh` delivers the crypto parameters.
There is autodetection of ssh version with fallback to 5.9
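Added example, not the cookbook's own code, illustrating the design summarised in the commit above (one lookup behind the per-kind wrappers, OpenSSH version autodetection with fallback to 5.9) together with the node-attribute override that bazbremner's referenced commit asks for. The algorithm tables, the `DevSecSshExample` module name, the `override:` keyword and the `ssh -V` sample strings are constructed for illustration; the real cookbook's lists and method signatures differ.

```ruby
require 'rubygems' # Gem::Version gives numeric comparison of "5.9" vs "6.7"

module DevSecSshExample
  FALLBACK_VERSION = '5.9'.freeze

  # Constructed sample tables (assumption: not the cookbook's real lists), keyed by
  # the oldest OpenSSH release a row applies to; newer releases inherit the newest row.
  CRYPTO = {
    macs: {
      '5.9' => { default: %w[hmac-sha2-512 hmac-sha2-256 hmac-ripemd160],
                 weak:    %w[hmac-sha1] },
      '6.7' => { default: %w[hmac-sha2-512-etm@openssh.com
                             hmac-sha2-256-etm@openssh.com
                             umac-128-etm@openssh.com],
                 weak:    %w[hmac-sha2-512 hmac-sha2-256 hmac-sha1] }
    },
    ciphers: {
      '5.9' => { default: %w[aes256-ctr aes192-ctr aes128-ctr],
                 weak:    %w[aes256-cbc aes128-cbc] },
      '6.7' => { default: %w[chacha20-poly1305@openssh.com
                             aes256-gcm@openssh.com aes256-ctr],
                 weak:    %w[aes256-cbc aes128-cbc] }
    }
  }.freeze

  # Turn `ssh -V` output such as "OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL ..."
  # into "7.2"; unparseable or missing output falls back to 5.9 (the PR's choice).
  def self.detect_version(ssh_v_output)
    m = ssh_v_output.to_s.match(/OpenSSH_(\d+\.\d+)/)
    m ? m[1] : FALLBACK_VERSION
  end

  # Newest table row whose key is <= the detected version; a version older than
  # every row also lands on the 5.9 row. An unknown kind raises KeyError.
  def self.table_for(kind, version)
    v = Gem::Version.new(version)
    key = CRYPTO.fetch(kind).keys
                .select { |k| Gem::Version.new(k) <= v }
                .max_by { |k| Gem::Version.new(k) }
    CRYPTO[kind].fetch(key || FALLBACK_VERSION)
  end

  # The single lookup that get_client_macs / get_server_ciphers style wrappers
  # delegate to. enable_weak APPENDS the weak list after the defaults, so the
  # strong algorithms keep priority. `override` models the node attribute the
  # referenced commit proposes: a non-empty list is returned verbatim.
  def self.get_crypto_data(kind, ssh_v_output, enable_weak: false, override: nil)
    list = Array(override)
    return list unless list.empty?
    row = table_for(kind, detect_version(ssh_v_output))
    enable_weak ? row[:default] + row[:weak] : row[:default]
  end
end
```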

@artem-sidorenko artem-sidorenko changed the title from WIP: Refactor the library to simplify the kex/cipher handling to Refactoring of library to simplify the kex/cipher handling Dec 14, 2016

coveralls commented Dec 14, 2016

Coverage Status

Coverage remained the same at 100.0% when pulling 33caca8 on artem-sidorenko:refactor-libraries into 10953dc on dev-sec:master.

@artem-sidorenko artem-sidorenko merged commit 0fa0082 into dev-sec:master Dec 14, 2016

2 checks passed

continuous-integration/travis-ci/pr: The Travis CI build passed
coverage/coveralls: Coverage remained the same at 100.0%

@artem-sidorenko artem-sidorenko deleted the artem-forks:refactor-libraries branch Dec 14, 2016

Member

artem-sidorenko commented Dec 14, 2016

@chris-rock @atomic111 thank you! I bumped the master to 2.0.0
