saz
Add support for crypto-policies
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 6.14.0
- Ruby: 2.5.7p206
- Distribution: CentOS 8
- Module version: v6.1.0
How to reproduce (e.g Puppet code you use)
---
ssh::server_options:
Ciphers: '[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]'
MACs: '[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512'
KexAlgorithms: 'curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
HostKeyAlgorithms: '[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'
What are you seeing
The configuration has been changed, but has no effect at all.
What behaviour did you expect instead
The OpenSSH server should not use weak algorithms.
Any additional information you'd like to impart
[root@centos8 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-04-20 11:52:26 CEST; 42s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 11449 (sshd)
Tasks: 1 (limit: 12224)
Memory: 1.1M
CGroup: /system.slice/sshd.service
└─11449 /usr/sbin/sshd -D [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],hmac-sha1-etm@openssh.>
Apr 20 11:52:26 centos8 systemd[1]: Starting OpenSSH server daemon...
Apr 20 11:52:26 centos8 sshd[11449]: Server listening on 0.0.0.0 port 22.
Apr 20 11:52:26 centos8 sshd[11449]: Server listening on :: port 22.
Apr 20 11:52:26 centos8 systemd[1]: Started OpenSSH server daemon.
[root@centos8 ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target
[Service]
Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
[root@centos8 ~]# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'
I am not sure if this module should be able to configure /etc/crypto-policies/back-ends/opensshserver.config or just add the module camptocamp/puppet-systemd to get rid of the variable $CRYPTO_POLICY.
Looking at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#examples-of-opting-out-of-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies the proper way of opting out of system-wide crypto policies is to set CRYPTO_POLICIES in /etc/sysconfig/sshd
As far as I can see, system-wide crypto policies started from RedHat 8 on.
I already did. If I comment out the entry in /etc/sysconfig/sshd, the values from /etc/ssh/sshd_config are applied correctly.
There is another way to turn off crypto polices if removing the CRYPTO_POLICY in the " /usr/lib/systemd/system/sshd.service" doesn't work.
It appears the crypto polices are loaded from a file called: "/etc/ssh/ssh_config.d/05-redhat.conf" which is new with Centos8.
It seems the line "include /etc/crypto-policies/back-ends/openssh.conf" overrides the settings in /etc/ssh/sshd_config.
Commenting the line seems to prevent the system cyrpto policies from being applied.
I'm no CentOS expert at all, but I'm happy to accept any PR or comment with the proper way to handle this issue :-)
I would disagree that this module should manage crypto policies on EL8+. The file /etc/crypto-policies/back-ends/openssh.conf is managed by update-crypto-policies command, so this module should not modify it, and managing crypto policies in general affects more than just openssh, so it is really beyond the scope of what this module should do.
What this module should not do is break the mechanism used to manage openssh crypto policies on EL8+, which is what has happened on EL9 when managing openssh server crypto policies (and I assume openssh client crypto policies on EL8). I submitted pull request #390 to address the issue with EL9 and openssh server crypto policies.
