From fd82841c1f03d22acf4ed448cd22743a785f573e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 12:45:14 -0400 Subject: Change 'hardened_ssl' paramter to simply 'hardened', this makes more sense in general --- templates/sshd_config/CentOS_6.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/sshd_config/CentOS_6.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 47cb077..97e9a5b 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -150,7 +150,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From 430c48200eeacf11fd3980f162ffa1994c2d0dd0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 13:48:19 -0400 Subject: Implement KexAlgorithms settings, based on Key exchange section of https://stribika.github.io/2015/01/04/secure-secure-shell.html Note, that on some systems it is uncertain if they will have a new enough version of openssh installed, so on those a version test is done to see before setting them. --- templates/sshd_config/CentOS_6.erb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'templates/sshd_config/CentOS_6.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 97e9a5b..f27e567 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -151,6 +151,9 @@ AllowGroups <%= s %> <%- end -%> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +<% end -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From 1402e67b2143dca464905bb6d95410a4ee862255 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 13:57:37 -0400 Subject: Implement enhanced symmetric cipher selection, based on https://stribika.github.io/2015/01/04/secure-secure-shell.html and version of openssh installed --- templates/sshd_config/CentOS_6.erb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'templates/sshd_config/CentOS_6.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index f27e567..325c73a 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -153,8 +153,10 @@ AllowGroups <%= s %> <% if scope.lookupvar('sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org -<% end -%> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +<% else -%> Ciphers aes256-ctr +<% end -%> MACs hmac-sha1 <% end -%> -- cgit v1.2.3 From e4a9c15987372e63ace244a92619bdd2e4c5407a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 1 May 2015 14:00:56 -0400 Subject: Implement enhanced MAC (Message Authentication Codes) according to installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html --- templates/sshd_config/CentOS_6.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'templates/sshd_config/CentOS_6.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 325c73a..4c1e28a 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -154,11 +154,12 @@ AllowGroups <%= s %> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -<% end -%> MACs hmac-sha1 <% end -%> +<% end -%> # Example of overriding settings on a per-user basis #Match User anoncvs -- cgit v1.2.3 From ac6e09ecde7b78acecb7eb357a2e559824f4cbe3 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Thu, 7 May 2015 11:34:07 -0400 Subject: Adjust variable lookup in templates to silence deprecation warnings, fixes #1 --- templates/sshd_config/CentOS_6.erb | 46 +++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 23 deletions(-) (limited to 'templates/sshd_config/CentOS_6.erb') diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 4c1e28a..4593a91 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -10,11 +10,11 @@ # possible, but leave them commented. Uncommented options change a # default value. -<% unless (s=scope.lookupvar('sshd::head_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::head_additional_options')).empty? -%> <%= s %> <% end -%> -<% scope.lookupvar('sshd::ports').to_a.each do |port| -%> +<% scope.lookupvar('::sshd::ports').to_a.each do |port| -%> <% if port == 'off' -%> #Port -- disabled by puppet <% else -%> @@ -23,7 +23,7 @@ Port <%= port %> <% end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -<% scope.lookupvar('sshd::listen_address').to_a.each do |address| -%> +<% scope.lookupvar('::sshd::listen_address').to_a.each do |address| -%> ListenAddress <%= address %> <% end -%> @@ -51,39 +51,39 @@ SyslogFacility AUTHPRIV # Authentication: #LoginGraceTime 2m -PermitRootLogin <%= scope.lookupvar('sshd::permit_root_login') %> +PermitRootLogin <%= scope.lookupvar('::sshd::permit_root_login') %> -StrictModes <%= scope.lookupvar('sshd::strict_modes') %> +StrictModes <%= scope.lookupvar('::sshd::strict_modes') %> #MaxAuthTries 6 -RSAAuthentication <%= scope.lookupvar('sshd::rsa_authentication') %> -PubkeyAuthentication <%= scope.lookupvar('sshd::pubkey_authentication') %> -AuthorizedKeysFile <%= scope.lookupvar('sshd::authorized_keys_file') %> +RSAAuthentication <%= scope.lookupvar('::sshd::rsa_authentication') %> +PubkeyAuthentication <%= scope.lookupvar('::sshd::pubkey_authentication') %> +AuthorizedKeysFile <%= scope.lookupvar('::sshd::authorized_keys_file') %> #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -RhostsRSAAuthentication <%= scope.lookupvar('sshd::rhosts_rsa_authentication') %> +RhostsRSAAuthentication <%= scope.lookupvar('::sshd::rhosts_rsa_authentication') %> # similar for protocol version 2 -HostbasedAuthentication <%= scope.lookupvar('sshd::hostbased_authentication') %> +HostbasedAuthentication <%= scope.lookupvar('::sshd::hostbased_authentication') %> # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts <%= scope.lookupvar('sshd::ignore_rhosts') %> +IgnoreRhosts <%= scope.lookupvar('::sshd::ignore_rhosts') %> # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication <%= scope.lookupvar('sshd::password_authentication') %> +PasswordAuthentication <%= scope.lookupvar('::sshd::password_authentication') %> # To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords <%= scope.lookupvar('sshd::permit_empty_passwords') %> +PermitEmptyPasswords <%= scope.lookupvar('::sshd::permit_empty_passwords') %> # Change to no to disable s/key passwords -ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_authentication') %> +ChallengeResponseAuthentication <%= scope.lookupvar('::sshd::challenge_response_authentication') %> # Kerberos options #KerberosAuthentication no @@ -106,7 +106,7 @@ ChallengeResponseAuthentication <%= scope.lookupvar('sshd::challenge_response_au # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no -UsePAM <%= scope.lookupvar('sshd::use_pam') %> +UsePAM <%= scope.lookupvar('::sshd::use_pam') %> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES @@ -115,13 +115,13 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS #AllowAgentForwarding yes -AllowTcpForwarding <%= scope.lookupvar('sshd::tcp_forwarding') %> +AllowTcpForwarding <%= scope.lookupvar('::sshd::tcp_forwarding') %> #GatewayPorts no #X11Forwarding no -X11Forwarding <%= scope.lookupvar('sshd::x11_forwarding') %> +X11Forwarding <%= scope.lookupvar('::sshd::x11_forwarding') %> #X11DisplayOffset 10 #X11UseLocalhost yes -PrintMotd <%= scope.lookupvar('sshd::print_motd') %> +PrintMotd <%= scope.lookupvar('::sshd::print_motd') %> #PrintLastLog yes #TCPKeepAlive yes #UseLogin no @@ -141,16 +141,16 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %> #Banner /some/path # override default of no subsystems -Subsystem sftp <%= (s=scope.lookupvar('sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> +Subsystem sftp <%= (s=scope.lookupvar('::sshd::sftp_subsystem')).empty? ? '/usr/libexec/openssh/sftp-server' : s %> -<% unless (s=scope.lookupvar('sshd::allowed_users')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_users')).empty? -%> AllowUsers <%= s %> <% end -%> -<% unless (s=scope.lookupvar('sshd::allowed_groups')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::allowed_groups')).empty? -%> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if scope.lookupvar('::sshd::hardened') == 'yes' -%> <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> KexAlgorithms curve25519-sha256@libssh.org Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr @@ -167,6 +167,6 @@ MACs hmac-sha1 # AllowTcpForwarding no # ForceCommand cvs server # -<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> +<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> <%= s %> <% end -%> -- cgit v1.2.3