Algo selection should be based on SSH version, not OS release

[bernhardschmidt]

The current approach to select Cipher/Kex/MAC based on the distribution name and the OS release is not very good. It does not account for

• OS release's default version and running version getting out-of-sync (i.e. during dist-upgrade or when using backports)
• OSes changing OpenSSH releases during a major release (i.e. the upcoming SLES 11SP4)
• OSes or versions not known to the module

saz/ssh ships a facter plugin to retrieve the ssh server version. This should be a lot better.

# facter -p | grep ssh_server_version
ssh_server_version_full => 6.7p1
ssh_server_version_major => 6.7
ssh_server_version_release => 6.7

[artem-sidorenko]

@bernhardschmidt @pookey many thanks for raising this issues!

You are totally right, this was already changed in chef-ssh-hardening and it's currently work-in-progress in ssh-baseline.

We lack on the maintenance resources, especially in the puppet area. @mcgege is the only person right now in this area, so puppet-ssh-hardening puppet-ssh-hardening isn't getting the same amount of love as other parts of dev-sec.io.

If you have a possibility and the time to support us and give some maintenance work and love to the puppet area - it would be amazing!