WIP: ssh baseline refactoring. #126
base: master
@JHeinzde Very nice. I am looking forward to seeing this work completed
@JHeinzde great work! Let's maybe try to split it into different PRs to be able to move forward fast. As a suggestion/idea:
- one PR related to the linting/rubocop stuff
- another PR with renaming of `ssh_version` to `real_ssh_version` and switch of current controls to it
- next PR with first implementation of `ssh_version` and only for privilege_separation part
- next PR or PRs with crypto stuff, algorithms etc

What do you think?
libraries/ssh_crypto.rb
Outdated
|
||
FALLBACK_SSH_VERSION ||= 5.9 | ||
|
||
def real_ssh_version |
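Review bot: `FALLBACK_SSH_VERSION ||= 5.9` keeps the version as a Float, so any comparison against it is numeric rather than version-aware: a release numbered 7.10 would compare equal to 7.1. Consider holding it as `Gem::Version.new('5.9')`, or as a string parsed the same way as the detected version, and add a comment above the constant saying why 5.9 is the fallback and under which conditions it is used, since the name suggests it stands in whenever version detection fails.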
I guess we need that only as an intermediate step to avoid breaking the baseline and do not need it when everything is complete, right? (I see this command as part of ssh_version)
I hope so yes. This is indeed only temporary to avoid any breaking changes to the baseline.
Signed-off-by: jheinz <heinzjonathan95@gmail.com>
Replacing the ssh_version in the test with real_ssh_version. Signed-off-by: jheinz <heinzjonathan95@gmail.com>
…recipe Signed-off-by: jheinz <heinzjonathan95@gmail.com>
…ued in the get_ssh_version instead of the find_ssh_version. Also adding logoutput to find_ssh_version, since we can't throw an error there like in the devsec_shh.rb in the chef ssh hardening cookbook Signed-off-by: jheinz <heinzjonathan95@gmail.com>
Hello @artem-sidorenko, I have put more work into this and will honor the plan you described here, but modify it a bit:
Since I think no rename is required to ssh_version, it's going to stay like this. The last one is going to be related to rubocop/other stuff, when I can figure out the consequences of this, since at least for me currently the Travis build is broken with these changes I've done.
This is a WIP refactoring of the ssh baseline to match the chef-ssh-hardening implementation.