From 1057b7844fb0d659e4473a692fdcaafcb505a6ac Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:26 +0200 Subject: [PATCH 01/13] enforce a space between ListenAddress and the value Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index ae7bfb0..eb11a09 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -47,7 +47,7 @@ end describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^ListenAddress*/) } + its(:content) { should match(/^ListenAddress .*/) } end describe file('/etc/ssh/sshd_config') do From 48b40d4cd229c3f89bdfb939a66c8add1d2db2eb Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:27 +0200 Subject: [PATCH 02/13] feature: added conditional cipher checks implemented for ubuntu right now Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index eb11a09..fc34980 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -71,7 +71,24 @@ end describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^Ciphers (aes128-ctr,aes256-ctr,aes192-ctr)|(aes128-ctr,aes256-ctr,aes192-ctr,aes128-cbc,aes256-cbc,aes192-cbc)$/) } + its(:content) do + + # define a set of default ciphers + ciphers = 'aes128-ctr,aes256-ctr,aes192-ctr' + + # adjust ciphers based on OS + release + case os[:family] + when 'Ubuntu' + case os[:release] + when '12.04' + ciphers = 'aes128-ctr,aes192-ctr,aes256-ctr' + when '14.04' + ciphers = 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr' + end + end + + should match(/^Ciphers #{ciphers}$/) + end end describe file('/etc/ssh/sshd_config') do 
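Review bot: The new pattern at `its(:content) { should match(/^ListenAddress .*/) }` still accepts a directive with no value, because `.*` matches the empty string; `its(:content) { should match(/^ListenAddress \S+/) }` is the smaller change that requires an address after the space. As written the example also passes for any value whatsoever, so if the policy is a specific bind address, that expected value belongs in the pattern rather than a wildcard. The enclosing example group starts and ends outside the hunk.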
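Review bot: `ciphers` is interpolated into the regex unescaped at `should match(/^Ciphers #{ciphers}$/)`, so the `.` in `chacha20-poly1305@openssh.com` acts as a wildcard instead of a literal dot; `should match(/^Ciphers #{Regexp.escape(ciphers)}$/)` pins the exact string. The same unescaped interpolation appears in the MAC hunk (PATCH 04) and the KEX hunk (PATCH 05). Separately, any `os[:family]` or `os[:release]` not listed in the `case` silently keeps the default list and the example still passes, so a host on a platform the spec does not know is checked against an assumption rather than reported; an `else` arm that raises, or at least a comment stating that the default is deliberate for unknown platforms, would make that visible, and this applies to the MAC and KEX hunks as well. The `its(:content)` block is entirely within the hunk; the enclosing example group is not.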
From 738d2c360091889285e9a40e319f6485692482b0 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:28 +0200 Subject: [PATCH 03/13] improvement: don't check for commented options 1. the user configuration and options should be handled in the recipe/module. leaving these options in is nice, but not very maintainable since it may prevent us from using upstream modules/cookbooks for ssh management, which may not all have the option to add comments. since it's unnecessary, remove it 2. none of these commented options requires being set by compliance guidelines and sanity, so imho they are all fine to be removed Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 72 ---------------------------------- 1 file changed, 72 deletions(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index fc34980..de247ea 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -195,22 +195,6 @@ its(:content) { should match(/^GSSAPICleanupCredentials yes$/) } end - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#DenyUsers \*$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#AllowUsers user1$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#DenyGroups \*$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#AllowGroups group1$/) } - end - describe file('/etc/ssh/sshd_config') do its(:content) { should match(/^TCPKeepAlive no$/) } end 
@@ -255,62 +239,6 @@ its(:content) { should match(/^PrintLastLog no$/) } end - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(%r(^#Banner /etc/ssh/banner\.txt$)) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#UseDNS yes$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(%r(^#PidFile /var/run/sshd\.pid$)) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#MaxStartups 10$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#ChrootDirectory none$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(%r(^#ChrootDirectory /home/\%u$)) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#Subsystem sftp internal-sftp -l VERBOSE$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#Match Group sftponly$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#ForceCommand internal-sftp -l VERBOSE$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(%r(^#ChrootDirectory /sftpchroot/home/\%u$)) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#AllowTcpForwarding no$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#PasswordAuthentication no$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#PermitRootLogin no$/) } - end - - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#X11Forwarding no$/) } - end - end describe 'check ssh_config' do From 6e3ac0e867374b31b7e2a9b402997e49a8780417 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:28 +0200 Subject: [PATCH 04/13] feature: added conditional MAC checks implemented for ubuntu right now 
Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index de247ea..bf610b3 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -92,7 +92,24 @@ end describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^(MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160)|(MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1)|(MACs hmac-ripemd160$)/) } + its(:content) do + + # define a set of default MACs + macs = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + + # adjust MACs based on OS + release + case os[:family] + when 'Ubuntu' + case os[:release] + when '12.04' + macs = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + when '14.04' + macs = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160' + end + end + + should match(/^MACs #{macs}$/) + end end describe file('/etc/ssh/sshd_config') do From e9a459e9b90d19c27e4d4375e50ad5d39ff624f5 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:29 +0200 Subject: [PATCH 05/13] feature: added conditional KEX checks implemented for ubuntu right now Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index bf610b3..dde26d9 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb 
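Review bot: The `when '12.04'` arm assigns exactly the string already set as the default a few lines above (`'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'`), so the branch changes nothing. If it is meant to record that 12.04 is expected to match the default, a one-line comment such as `# 12.04 is expected to use the default MAC list` says so without the duplicated literal; otherwise the arm can be dropped. The KEX hunk in PATCH 05 has the same duplicated 12.04 literal. The enclosing example group starts and ends outside the hunk.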
@@ -113,7 +113,24 @@ end describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^KexAlgorithms (diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1)|(diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1)$/) } + its(:content) do + + # define a set of default KEXs + kex = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + + # adjust KEXs based on OS + release + case os[:family] + when 'Ubuntu' + case os[:release] + when '12.04' + kex = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + when '14.04' + kex = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + end + end + + should match(/^KexAlgorithms #{kex}$/) + end end describe file('/etc/ssh/sshd_config') do From cd0bf58232abe3e2907910146bef1c27c5ce3784 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:30 +0200 Subject: [PATCH 06/13] remove gcm cipher and fix ordering of ciphers Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index dde26d9..a514c04 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -81,9 +81,9 @@ when 'Ubuntu' case os[:release] when '12.04' - ciphers = 'aes128-ctr,aes192-ctr,aes256-ctr' + ciphers = 'aes256-ctr,aes192-ctr,aes128-ctr' when '14.04' - ciphers = 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr' + ciphers = 'chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' end end From 1ca19a1f719516544eb9e6e8a01fc349ab2ed6e7 Mon Sep 17 00:00:00 2001 
From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:30 +0200 Subject: [PATCH 07/13] remove some leftover commented options Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index a514c04..2a91731 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -217,10 +217,6 @@ its(:content) { should match(/^KerberosTicketCleanup yes$/) } end - describe file('/etc/ssh/sshd_config') do - its(:content) { should match(/^#KerberosGetAFSToken no$/) } - end - describe file('/etc/ssh/sshd_config') do its(:content) { should match(/^GSSAPIAuthentication no$/) } end @@ -361,12 +357,4 @@ its(:content) { should match(/^Compression yes$/) } end - describe file('/etc/ssh/ssh_config') do - its(:content) { should match(/^#EscapeChar ~$/) } - end - - describe file('/etc/ssh/ssh_config') do - its(:content) { should match(/^#VisualHostKey yes$/) } - end - end From 1a2b37e970d8fa2f84c7012e2c4903736b57bf48 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:31 +0200 Subject: [PATCH 08/13] feature: add tests for RedHat-based ciphers (6.4+6.5) Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index 2a91731..9ce5b1f 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb 
@@ -74,17 +74,23 @@ its(:content) do # define a set of default ciphers - ciphers = 'aes128-ctr,aes256-ctr,aes192-ctr' + ciphers53 = 'aes128-ctr,aes256-ctr,aes192-ctr' + ciphers66 = 'chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' + ciphers = ciphers53 # adjust ciphers based on OS + release case os[:family] when 'Ubuntu' case os[:release] when '12.04' - ciphers = 'aes256-ctr,aes192-ctr,aes128-ctr' + ciphers = ciphers53 when '14.04' - ciphers = 'chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' + ciphers = ciphers66 end + when 'RedHat' + case os[:release] + when '6.4', '6.5' + ciphers = ciphers53 end should match(/^Ciphers #{ciphers}$/) From 31adf0a75dca6fb2fe428ae69f9622b914bdeacc Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:32 +0200 Subject: [PATCH 09/13] feature: add tests for RedHat-based macs (6.4+6.5) Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index 9ce5b1f..c897fd3 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb 
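Review bot: The new names `ciphers53` and `ciphers66` now carry the rationale for the whole `case`, but nothing says what 53 and 66 stand for; presumably OpenSSH version families, which should be recorded next to the assignments, e.g. `# cipher lists keyed by OpenSSH version (5.3 / 6.6) — confirm which release ships which`. With that comment a future release added to the `case` can be matched to the sshd it ships instead of guessed. The RedHat arm also appears to leave its inner `case` unclosed before `should match`, which this commit does not address. The `its(:content)` block starts inside the hunk and its closing lines are outside it.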
@@ -101,16 +101,24 @@ its(:content) do # define a set of default MACs - macs = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + macs66 = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160' + macs59 = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + macs53 = 'hmac-ripemd160,hmac-sha1' + macs = macs59 # adjust MACs based on OS + release case os[:family] when 'Ubuntu' case os[:release] when '12.04' - macs = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + macs = macs59 when '14.04' - macs = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160' + macs = macs66 + end + when 'RedHat' + case os[:release] + when '6.4', '6.5' + ciphers = macs53 end end From 3085e76a45968e707f49cc24617be16f49c486e8 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:32 +0200 Subject: [PATCH 10/13] feature: make sure KEX for RedHat 6.4+6.5 is disabled Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index c897fd3..7a34b78 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb 
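Review bot: `macs53 = 'hmac-ripemd160,hmac-sha1'` deliberately admits hmac-sha1 on RedHat 6.4/6.5 while the default and both Ubuntu lists exclude it, and nothing records why; a comment such as `# OpenSSH 5.3-era builds lack the hmac-sha2 MACs (TODO confirm), so sha1 is the accepted fallback there` would keep a later reviewer from "fixing" it. `hmac-ripemd160` is present in every list, so the spec requires it rather than merely tolerating it; if that is intended it deserves the same note. The RedHat arm also writes `ciphers = macs53` instead of `macs`, so for those releases the MAC assertion still runs against the 5.9 default — a defect this commit does not address. The `its(:content)` block starts inside the hunk and ends outside it.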
@@ -130,20 +130,28 @@ its(:content) do # define a set of default KEXs - kex = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + kex66 = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + kex59 = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + kex = kex59 # adjust KEXs based on OS + release case os[:family] when 'Ubuntu' case os[:release] when '12.04' - kex = 'diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + kex = kex59 when '14.04' - kex = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' + kex = kex66 + end + when 'RedHat' + case os[:release] + when '6.4', '6.5' + should_not match(/^KexAlgorithms/) + kex = nil end end - should match(/^KexAlgorithms #{kex}$/) + should match(/^KexAlgorithms #{kex}$/) unless kex.nil? end end From f292ef07f217eb1c6a93f877b233c6825d5b426b Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:33 +0200 Subject: [PATCH 11/13] fix syntax errors Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index 7a34b78..6f0ad62 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -91,6 +91,7 @@ case os[:release] when '6.4', '6.5' ciphers = ciphers53 + end end should match(/^Ciphers #{ciphers}$/) From af766545152e35b04ca28cbd21a2045e0369f7db Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:34 +0200 Subject: [PATCH 12/13] sort ciphers correctly Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
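Review bot: For RedHat 6.4/6.5 the example asserts only that no `KexAlgorithms` line exists, which means whatever KEX list the installed sshd has built in is accepted without verification; the reason should be recorded next to `should_not match(/^KexAlgorithms/)`, e.g. `# sshd on RedHat 6.4/6.5 does not accept a KexAlgorithms directive (TODO confirm); its built-in defaults apply and are not checked here`. Stylistically, using `kex = nil` as a flag and `unless kex.nil?` at the bottom splits the two outcomes across the block; keeping both in the final statement, `kex ? should(match(/^KexAlgorithms #{kex}$/)) : should_not(match(/^KexAlgorithms/))`, reads as one decision. The `its(:content)` block starts inside the hunk and the enclosing example group ends outside it.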
diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index 6f0ad62..9d8840d 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -74,7 +74,7 @@ its(:content) do # define a set of default ciphers - ciphers53 = 'aes128-ctr,aes256-ctr,aes192-ctr' + ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr' ciphers66 = 'chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' ciphers = ciphers53 From 8268f239ffa39343263668fd842a3bb68fce3a36 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Tue, 3 Jun 2014 17:02:35 +0200 Subject: [PATCH 13/13] fix typo in mac test Signed-off-by: Dominik Richter --- default/serverspec/ssh_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default/serverspec/ssh_spec.rb b/default/serverspec/ssh_spec.rb index 9d8840d..116a43a 100644 --- a/default/serverspec/ssh_spec.rb +++ b/default/serverspec/ssh_spec.rb @@ -119,7 +119,7 @@ when 'RedHat' case os[:release] when '6.4', '6.5' - ciphers = macs53 + macs = macs53 end end