Add node attributes to override KEX, MAC and cipher values
There's advice available on preferred choices of key exchange, message
authentication and ciphers from a number of sources [1][2][3], all of
which don't _entirely_ agree with each other, and then there's the
hardcoded selection of Kex, MAC and ciphers encoded in this cookbook.

After initial discussions around this change with @chris-rock and
@artem-sideorenko, there may be follow-on changes to the hardcoded
selections this cookbook generates, however that's a topic for future
discussion and PRs.

There is likely to be more complexity and balancing of features/security
to consider plus the future changes of refactors in this cookbook, so
initially, I'd just like a way of overriding the generated defaults.

Note that `node['ssh'][{'client', 'server'}][{'weak_hmac', 'weak_kex',
'cbc_required'}]` are all ignored if these overrides are used, as the
user is supplying their preferred choices, rather than relying on the
cookbook's generated strings.

[1] https://github.com/arthepsy/ssh-audit
[2] https://wiki.mozilla.org/Security/Guidelines/OpenSSH
[3] https://stribika.github.io/2015/01/04/secure-secure-shell.html
bazbremner committed Dec 14, 2016
1 parent 0fa0082 commit 35c2be2
Showing 4 changed files with 15 additions and 6 deletions.
3 changes: 3 additions & 0 deletions README.md
@@ -28,6 +28,9 @@ This cookbook provides secure ssh-client and ssh-server configurations.
## Attributes

* `['network']['ipv6']['enable']` - true if IPv6 is needed
* `['ssh'][{'client', 'server'}]['kex']` - nil to calculate best key-exchange (KEX) based on server version, otherwise specify a string of Kex values
* `['ssh'][{'client', 'server'}]['mac']` - nil to calculate best Message Authentication Codes (MACs) based on server version, otherwise specify a string of Mac values
* `['ssh'][{'client', 'server'}]['cipher']` - nil to calculate best ciphers based on server version, otherwise specify a string of Cipher values
* `['ssh'][{'client', 'server'}]['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
* `['ssh'][{'client', 'server'}]['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
* `['ssh'][{'client', 'server'}]['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
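Review bot: The three new attribute entries should state that setting an override makes the matching `weak_hmac`, `weak_kex` and `cbc_required` attribute a no-op, since the commit message says so but a reader of README.md alone cannot tell; add a sentence such as "When set, the corresponding `weak_*`/`cbc_required` attribute is ignored." Also "a string of Kex values" leaves the format unspecified; say explicitly that it is a comma-separated list in the form sshd_config/ssh_config expect (e.g. `'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'` as an illustration), and that the cookbook does not check the supplied algorithms against the installed OpenSSH version.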
6 changes: 6 additions & 0 deletions attributes/default.rb
@@ -48,6 +48,12 @@

default['config_disclaimer'] = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
default['network']['ipv6']['enable'] = false # sshd + ssh
default['ssh']['server']['kex'] = nil # nil = calculate best combination for server version
default['ssh']['client']['mac'] = nil # nil = calculate best combination for client
default['ssh']['server']['cipher'] = nil # nil = calculate best combination for server version
default['ssh']['client']['kex'] = nil # nil = calculate best combination for client
default['ssh']['server']['mac'] = nil # nil = calculate best combination for server version
default['ssh']['client']['cipher'] = nil # nil = calculate best combination for client
default['ssh']['client']['cbc_required'] = false # ssh
default['ssh']['server']['cbc_required'] = false # sshd
default['ssh']['client']['weak_hmac'] = false # ssh
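Review bot: The six added lines alternate server/client (`server kex`, `client mac`, `server cipher`, ...), which makes it easy to miss one when reading; group them as three `server` lines followed by three `client` lines to match the ordering used for `cbc_required` and `weak_hmac` below. The trailing comments are also inconsistent ("for server version" vs "for client"); use the same wording on all six, and consider noting in the comment that a non-nil value disables the `weak_*`/`cbc_required` logic, which is the behaviour the commit message describes.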
6 changes: 3 additions & 3 deletions recipes/client.rb
@@ -62,9 +62,9 @@
owner 'root'
group 'root'
variables(
mac: DevSec::Ssh.get_client_macs(node['ssh']['client']['weak_hmac']),
kex: DevSec::Ssh.get_client_kexs(node['ssh']['client']['weak_kex']),
cipher: DevSec::Ssh.get_client_ciphers(node['ssh']['client']['cbc_required']),
mac: node['ssh']['client']['mac'] || DevSec::Ssh.get_client_macs(node['ssh']['client']['weak_hmac']),
kex: node['ssh']['client']['kex'] || DevSec::Ssh.get_client_kexs(node['ssh']['client']['weak_kex']),
cipher: node['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh']['client']['cbc_required']),
roaming: node['ssh']['client']['roaming']
)
end
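Review bot: `node['ssh']['client']['mac'] || ...` only falls back when the attribute is `nil`; in Ruby an empty string is truthy, so `['ssh']['client']['mac'] = ''` is passed straight to the template and would render an empty `MACs` directive in ssh_config rather than the computed defaults. Guard against that with a nil-or-empty test, for example `node['ssh']['client']['mac'].to_s.empty? ? DevSec::Ssh.get_client_macs(...) : node['ssh']['client']['mac']`, and consider accepting an Array and joining it with `','` so users are not forced to hand-build the string. Since the override silently ignores `weak_hmac`/`weak_kex`/`cbc_required`, a `Chef::Log.warn` when both an override and one of those flags is set would make the precedence visible during a run.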
6 changes: 3 additions & 3 deletions recipes/server.rb
@@ -92,9 +92,9 @@
owner 'root'
group 'root'
variables(
mac: DevSec::Ssh.get_server_macs(node['ssh']['server']['weak_hmac']),
kex: DevSec::Ssh.get_server_kexs(node['ssh']['server']['weak_kex']),
cipher: DevSec::Ssh.get_server_ciphers(node['ssh']['server']['cbc_required']),
mac: node['ssh']['server']['mac'] || DevSec::Ssh.get_server_macs(node['ssh']['server']['weak_hmac']),
kex: node['ssh']['server']['kex'] || DevSec::Ssh.get_server_kexs(node['ssh']['server']['weak_kex']),
cipher: node['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh']['server']['cbc_required']),
use_priv_sep: node['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion,
deny_users: node['ssh']['deny_users'],
allow_users: node['ssh']['allow_users'],
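Review bot: Same concern as in recipes/client.rb: the `||` fallback on the three `mac:`/`kex:`/`cipher:` lines treats an empty string as a valid override, so a blank attribute produces an empty `MACs`/`KexAlgorithms`/`Ciphers` directive in sshd_config, and sshd will refuse to start on the next restart. This matters more on the server side than the client, so use a nil-or-empty check here too, and document (or log) that a user-supplied string bypasses the version-based selection, meaning an algorithm the installed sshd does not know will also break the service. The pre-existing `get_server_privilege_separarion` typo in the context line is outside this change but worth a follow-up.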
