ssh-baseline
ssh 5.3 on CentOS 6 supports macs59
Describe the bug
Currently it is defined that ssh on CentOS 6 supports only MACs from the macs53 list. With these settings it's impossible to connect by ssh from CentOS 6 to a server with CentOS 7 -- you can see it when you compare the lists macs53 and macs66.
Expected behavior
In man sshd_config for openssh 5.3p1-104.el6_6.1 you can see:
MACs Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is: hmac-md5,hmac-sha1,[email protected], hmac-ripemd160,hmac-sha1-96,hmac-md5-96, hmac-sha2-256,hmac-sha2-512
So MACs from the macs59 list are supported and could be used.
Actual behavior
Only MACs from the macs53 list are allowed.
OS / Environment CentOS 6, openssh 5.3p1-104.el6_6.1
@wojciech-kopras Thank you for your report. You observe an interesting point where the baseline is only doing an openssh version guess. We should implement a proper openssh version detection and fall back to OS-based guessing only if the openssh version could not be determined.
We implemented a similar logic in https://github.com/dev-sec/chef-ssh-hardening/blob/master/libraries/devsec_ssh.rb#L194-L205
Any help is welcome to make this happen.
@chris-rock my new colleague wanted to contribute that, hopefully we will get this in next time :-)
Because of RedHat's backports policy there is probably no other way than conditionally assigning values.
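The two ideas discussed above (version detection from the OpenSSH banner with an OS-based fallback, and a distro-specific override for vendor backports such as the hmac-sha2 MACs in the CentOS 6 build of 5.3p1) can be combined in a small selector. The following Ruby is an added example written for this thread; it is not code from ssh-baseline or chef-ssh-hardening. The MAC tables, the minimum versions per list, the OS guess table and the backport override are constructed assumptions for illustration and do not reproduce the project's real tables.

```ruby
# Added example (not ssh-baseline / chef-ssh-hardening code): choose an
# ssh-baseline MAC list from the OpenSSH version, fall back to an OS-based
# guess when no version is available, and apply a per-distro override for
# features the vendor backported without bumping the upstream version.
require 'rubygems' # Gem::Version for proper numeric version comparison

# Constructed, illustrative MAC tables; the real ssh-baseline tables differ.
MAC_LISTS = {
  'macs53' => %w[hmac-ripemd160 hmac-sha1],
  'macs59' => %w[hmac-sha2-512 hmac-sha2-256 hmac-ripemd160],
  'macs66' => %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
                 hmac-ripemd160-etm@openssh.com]
}.freeze

# Lowest upstream OpenSSH release each list is assumed to work with.
MIN_VERSION_FOR_LIST = { 'macs53' => '5.3', 'macs59' => '5.9', 'macs66' => '6.6' }.freeze

# Fallback: stock OpenSSH version shipped by a distro major release (constructed).
OS_VERSION_GUESS = { %w[centos 6] => '5.3', %w[centos 7] => '6.6' }.freeze

# Backports: the CentOS 6 man page documents hmac-sha2-* defaults although the
# banner still says 5.3, so the stock build gets a newer list (constructed).
BACKPORT_OVERRIDES = { %w[centos 6] => 'macs59' }.freeze

# Extract "major.minor" from an `ssh -V` banner, e.g.
# "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013" -> "5.3"; nil if absent.
def parse_openssh_version(banner)
  m = banner.to_s.match(/OpenSSH_(\d+\.\d+)/)
  m && m[1]
end

# Highest list whose minimum version is satisfied; nil if none fits.
def list_for_version(version)
  v = Gem::Version.new(version)
  candidates = MIN_VERSION_FOR_LIST.select { |_, min| v >= Gem::Version.new(min) }
  return nil if candidates.empty?

  candidates.max_by { |_, min| Gem::Version.new(min) }.first
end

# Normalise ("CentOS", "7.4.1708") to ["centos", "7"] for table lookups.
def os_key(os_name, os_release)
  [os_name.to_s.downcase, os_release.to_s.split('.').first]
end

# Version detection first; OS guess only when the banner yields nothing.
# The backport override applies only to the distro's stock version so a
# hand-built newer OpenSSH on the same OS is still rated by its real version.
def select_mac_list(banner:, os_name:, os_release:)
  key = os_key(os_name, os_release)
  version = parse_openssh_version(banner) || OS_VERSION_GUESS[key]
  return nil unless version

  list = list_for_version(version)
  override = BACKPORT_OVERRIDES[key]
  override && version == OS_VERSION_GUESS[key] ? override : list
end

# Render the chosen list as the value for a "MACs" line in sshd_config.
def sshd_macs_line(list_key)
  MAC_LISTS.fetch(list_key).join(',')
end

if $PROGRAM_NAME == __FILE__
  # Constructed banner matching the CentOS 6 build from the report.
  banner = 'OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013'
  key = select_mac_list(banner: banner, os_name: 'CentOS', os_release: '6.9')
  puts "#{key}: MACs #{sshd_macs_line(key)}"
end
```

The override table is the "conditional assignment" mentioned above: it is keyed on the distro rather than on the banner, because a backported build cannot be told apart from a vanilla 5.3 by its version string alone.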
@wojciech-kopras do you maybe know if this support was backported by RH at some point or if it's/was a problem on our side for a long time?
I don't know. I noticed that when I deployed the ansible role for ssh and had to solve some connection issues.