Use different algorithms depending on the ssh version #166

Merged
merged 2 commits into from Feb 5, 2017

3 participants
@artem-sidorenko
Member

artem-sidorenko commented Jan 24, 2017

Fixes GH-162

@artem-sidorenko artem-sidorenko added this to the v2.0.0 milestone Jan 24, 2017

Member

artem-sidorenko commented Jan 24, 2017

PR to ssh-baseline follows (and is the reason for WIP).

Member

artem-sidorenko commented Jan 24, 2017

Currently this feature is server only (basically the same implementation as with privilege_separation). There is an option HostKeyAlgorithms which is valid for server and client; however, this option is present on the server starting from something like openssh 6.7 (I do not know the exact version). So a proper server&client implementation would require a bit more changes in order to handle this.

Below is an overview of the different ssh versions and what they support (the key material is mostly based on the @atomic111 evaluation):

Columns: ubuntu 12.04, ubuntu 14.04, ubuntu 16.04, centos 6.8, centos 7.3
ssh version: 5.9 6.6 7.2 5.3 6.6
ssh -Q key support: x x x
HostKeyAlgorithms/server support: x
dsa key: x x x x
rsa key: x x x x x
ecdsa key: x x x
ed25519 key: x x x

Columns: debian 7.11, debian 8.6, fedora 24, fedora 25, opensuse leap 42.1, opensuse 13.2
ssh version: 6.0 6.7 7.2 7.3 6.6 6.6
ssh -Q key support: x x x x x
HostKeyAlgorithms/server support: x x ? ?
dsa key: x x x x
rsa key: x x x x x x
ecdsa key: x x x x x x
ed25519 key: x x x x x
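The practical reason for gating algorithm settings on the OpenSSH version is that sshd validates its configuration at start-up and refuses to run when a KexAlgorithms, Ciphers, MACs or HostKeyAlgorithms line names something the build does not know (or uses a keyword the build does not have). The following is an added example, not code from the ssh-hardening cookbook or from this thread, showing one way to derive those lines from the version banner and, where the build is new enough for `ssh -Q`, from its output. The minimum versions in the tables come from the OpenSSH release notes; the 6.7 floor for server-side HostKeyAlgorithms is taken from the estimate in the comment above and is an assumption, as are the sample banners and `ssh -Q` output, which are constructed rather than captured from the hosts in the table.

```ruby
# Added example, not code from the ssh-hardening cookbook: derive sshd_config
# algorithm lines from the installed OpenSSH version so that no algorithm or
# keyword the daemon does not know is ever written (sshd refuses to start on an
# unknown cipher/MAC/kex spec). Minimum versions from the OpenSSH release notes:
# 5.7 ECDSA keys, 5.9 hmac-sha2-*, 6.2 aes-gcm/ETM MACs/umac-128, 6.3 "ssh -Q",
# 6.5 curve25519 kex, chacha20-poly1305 and ed25519 keys.

KEX = {
  'curve25519-sha256@libssh.org'         => [6, 5],
  'diffie-hellman-group-exchange-sha256' => [4, 4],
}.freeze
CIPHERS = {
  'chacha20-poly1305@openssh.com' => [6, 5],
  'aes256-gcm@openssh.com'        => [6, 2],
  'aes128-gcm@openssh.com'        => [6, 2],
  'aes256-ctr'                    => [3, 7],
  'aes192-ctr'                    => [3, 7],
  'aes128-ctr'                    => [3, 7],
}.freeze
MACS = {
  'hmac-sha2-512-etm@openssh.com' => [6, 2],
  'hmac-sha2-256-etm@openssh.com' => [6, 2],
  'umac-128-etm@openssh.com'      => [6, 2],
  'hmac-sha2-512'                 => [5, 9],
  'hmac-sha2-256'                 => [5, 9],
}.freeze
HOST_KEYS = {
  'ssh-ed25519'         => [6, 5],
  'ecdsa-sha2-nistp521' => [5, 7],
  'ecdsa-sha2-nistp384' => [5, 7],
  'ecdsa-sha2-nistp256' => [5, 7],
  'ssh-rsa'             => [0, 0],
}.freeze

# ASSUMPTION: the thread estimates "something like 6.7" for server-side
# HostKeyAlgorithms; adjust once the exact release has been verified.
HOSTKEY_OPTION_MIN = [6, 7].freeze
QUERY_MIN = [6, 3].freeze # first release with "ssh -Q <kex|cipher|mac|key>"

# Turn an "ssh -V" banner into a comparable [major, minor] pair; the patch
# level and vendor suffix (e.g. "6.6.1p1 Ubuntu-2ubuntu2.8") are ignored.
def parse_openssh_version(banner)
  m = banner.match(/OpenSSH_(\d+)\.(\d+)/)
  raise ArgumentError, "not an OpenSSH banner: #{banner.inspect}" unless m
  [m[1].to_i, m[2].to_i]
end

def at_least?(version, min)
  (version <=> min) >= 0 # Array#<=> compares element by element
end

# Keep the algorithms this version knows, in preference order; when the text
# of "ssh -Q" is available it is used as the authoritative list as well.
def select_algs(table, version, supported)
  table.select { |name, min| at_least?(version, min) && (supported.nil? || supported.include?(name)) }.keys
end

# query_output: optional { 'kex' => "...", 'cipher' => "...", 'mac' => "...", 'key' => "..." }
# holding the raw output of "ssh -Q kex" etc. from the same OpenSSH build.
def sshd_algorithm_config(banner, query_output: nil)
  version = parse_openssh_version(banner)
  supported = {}
  if query_output && at_least?(version, QUERY_MIN)
    supported = query_output.map { |kind, text| [kind, text.split] }.to_h
  end
  lines = {
    'KexAlgorithms' => select_algs(KEX, version, supported['kex']),
    'Ciphers'       => select_algs(CIPHERS, version, supported['cipher']),
    'MACs'          => select_algs(MACS, version, supported['mac']),
  }
  # HostKeyAlgorithms is only a valid sshd_config keyword on newer servers;
  # writing it for an older one would likewise stop sshd from starting.
  if at_least?(version, HOSTKEY_OPTION_MIN)
    lines['HostKeyAlgorithms'] = select_algs(HOST_KEYS, version, supported['key'])
  end
  # An empty list is dropped so sshd keeps its built-in default for that
  # keyword instead of receiving an invalid empty spec.
  lines.reject { |_, algs| algs.empty? }.map { |key, algs| "#{key} #{algs.join(',')}" }
end

# Constructed sample banners (not captured from the hosts in the table above).
BANNERS = {
  'centos 6.8'   => 'OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013',
  'ubuntu 14.04' => 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014',
  'ubuntu 16.04' => 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016',
}.freeze

if $PROGRAM_NAME == __FILE__
  BANNERS.each do |host, banner|
    puts "# #{host} (#{banner})"
    puts sshd_algorithm_config(banner)
  end
end
```

On the 5.3 banner the MACs line is left out entirely because none of the hardened MACs exist yet; emitting a stricter-but-unknown MAC there would break the daemon rather than harden it. The `ssh -Q` filter matters on vendor builds that disable individual algorithms at compile time, which the version number alone cannot reveal.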

@artem-sidorenko artem-sidorenko referenced this pull request in dev-sec/ssh-baseline Jan 26, 2017: Algorithm/Hostkey tests for different platforms #79 (merged)

Member

artem-sidorenko commented Jan 26, 2017

and here is the PR with tests: dev-sec/ssh-baseline#79

@artem-sidorenko artem-sidorenko changed the title from WIP: Use different algorithms depending on the ssh version to Use different algorithms depending on the ssh version Feb 5, 2017

Member

artem-sidorenko commented Feb 5, 2017

The tests for failing opensuse 42.1 are in PR dev-sec/ssh-baseline#84

@coveralls

coveralls commented Feb 5, 2017

Coverage decreased (-0.8%) to 99.228% when pulling 34be301 on artem-sidorenko:alg-update into 5dfe85a on dev-sec:master.

Add debian 7, fedora and opensuse with ssh versions
for old chef versions where autodetection does not work
@coveralls

coveralls commented Feb 5, 2017

Coverage decreased (-0.4%) to 99.614% when pulling 98375b8 on artem-sidorenko:alg-update into 5dfe85a on dev-sec:master.

@coveralls

coveralls commented Feb 5, 2017

Coverage remained the same at 100.0% when pulling f9baa14 on artem-sidorenko:alg-update into 5dfe85a on dev-sec:master.

@atomic111 atomic111 self-requested a review Feb 5, 2017

Member

atomic111 commented Feb 5, 2017

@artem-sidorenko thank you for the great work. now we can tag the version to 2.0.0. awesome

@atomic111 atomic111 merged commit 97b2f52 into dev-sec:master Feb 5, 2017

2 checks passed:
continuous-integration/travis-ci/pr: The Travis CI build passed
coverage/coveralls: Coverage remained the same at 100.0%

@artem-sidorenko artem-sidorenko deleted the artem-forks:alg-update branch Feb 6, 2017
