search

saz / puppet-ssh

Puppet module to manage ssh server and client
http://forge.puppetlabs.com/saz/ssh
Other
123 stars 236 forks source link

Add support for crypto-policies #292

Open dhoppe opened 4 years ago

dhoppe commented 4 years ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

---
ssh::server_options:
  Ciphers: 'chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
  MACs: 'umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512'
  KexAlgorithms: 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
  HostKeyAlgorithms: 'ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

What are you seeing

The configuration has been changed, but has no effect at all.

What behaviour did you expect instead

The OpenSSH server should not use weak algorithms.

Any additional information you'd like to impart

[root@centos8 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-04-20 11:52:26 CEST; 42s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 11449 (sshd)
    Tasks: 1 (limit: 12224)
   Memory: 1.1M
   CGroup: /system.slice/sshd.service
           └─11449 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.>

Apr 20 11:52:26 centos8 systemd[1]: Starting OpenSSH server daemon...
Apr 20 11:52:26 centos8 sshd[11449]: Server listening on 0.0.0.0 port 22.
Apr 20 11:52:26 centos8 sshd[11449]: Server listening on :: port 22.
Apr 20 11:52:26 centos8 systemd[1]: Started OpenSSH server daemon.
[root@centos8 ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target

[Service]
Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
[root@centos8 ~]# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'
dhoppe commented 4 years ago

I am not sure if this module should be able to configure /etc/crypto-policies/back-ends/opensshserver.config or just add the module camptocamp/puppet-systemd to get rid of the variable $CRYPTO_POLICY.

saz commented 4 years ago

Looking at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#examples-of-opting-out-of-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies the proper way of opting out of system-wide crypto policies is to set CRYPTO_POLICIES in /etc/sysconfig/sshd

As far as I can see, system-wide crypto policies started from RedHat 8 on.

saz commented 4 years ago

@dhoppe Can you check and confirm that, before I start working on this?

dhoppe commented 4 years ago

I already did. If I comment out the entry in /etc/sysconfig/sshd, the values from /etc/ssh/sshd_config are applied correctly.

zeekus commented 4 years ago

There is another way to turn off crypto polices if removing the CRYPTO_POLICY in the " /usr/lib/systemd/system/sshd.service" doesn't work.

It appears the crypto polices are loaded from a file called: "/etc/ssh/ssh_config.d/05-redhat.conf" which is new with Centos8.

It seems the line "include /etc/crypto-policies/back-ends/openssh.conf" overrides the settings in /etc/ssh/sshd_config.

Commenting the line seems to prevent the system cyrpto policies from being applied.

saz commented 5 months ago

I'm no CentOS expert at all, but I'm happy to accept any PR or comment with the proper way to handle this issue :-)

nvergottini commented 4 months ago

I would disagree that this module should manage crypto policies on EL8+. The file /etc/crypto-policies/back-ends/openssh.conf is managed by update-crypto-policies command, so this module should not modify it, and managing crypto policies in general affects more than just openssh, so it is really beyond the scope of what this module should do.

What this module should not do is break the mechanism used to manage openssh crypto policies on EL8+, which is what has happened on EL9 when managing openssh server crypto policies (and I assume openssh client crypto policies on EL8). I submitted pull request #390 to address the issue with EL9 and openssh server crypto policies.

saz commented 1 month ago

I've merged #390. Please let me know, if this resolves the issue and if something's still missing.