
Merge branch 'enhance_hardened' into 'master'

Enhance hardened

This implements as many of the recommendations from https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible.

See merge request !10
Jerome Charaoui 9 роки тому
батько
коміт
df03b0865c

+ 6 - 2
README.md

@@ -4,6 +4,10 @@
 
 This puppet module manages OpenSSH configuration and services.
 
+**!! Upgrade Notice (05/2015) !!**
+
+The hardened_ssl parameter name was changed to simply 'hardened'.
+
 **!! Upgrade Notice (01/2013) !!**
 
 This module now uses parameterized classes, where it used global variables
@@ -179,8 +183,8 @@ The following is a list of the currently available variables:
     Set this to the location of the AuthorizedKeysFile
     (e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile
     %h/.ssh/authorized_keys`
-  - `hardened_ssl`
-    Use only strong SSL ciphers and MAC.
+  - `hardened`
+    Use only strong ciphers, MAC, KexAlgorithms, etc.
     Values:
     - `no` (default)
     - `yes`

+ 1 - 1
manifests/init.pp

@@ -40,7 +40,7 @@ class sshd(
     OpenBSD => '%h/.ssh/authorized_keys',
     default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
   },
-  $hardened_ssl = 'no',
+  $hardened = 'no',
   $sftp_subsystem = '',
   $head_additional_options = '',
   $tail_additional_options = '',

+ 7 - 1
templates/sshd_config/CentOS_6.erb

@@ -150,10 +150,16 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
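Review bot: The version gate on the added `<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>` line has no handling for a missing `ssh_version` fact, which can happen on the first agent run before a custom fact is synced or on a host where the fact does not resolve. Depending on the Puppet version, `lookupvar` then yields `nil` or `:undefined`, and `versioncmp` either fails the catalog compile or, if it coerces the value to a string, silently selects the weaker `aes256-ctr`/`hmac-sha1` branch. A guard such as `<% v = scope.lookupvar('::ssh_version') -%>` followed by `<% if v.is_a?(String) && scope.function_versioncmp([v,'6.5']) >= 0 -%>` keeps the failure explicit, and the same pattern applies to the other templates in this merge. Stock CentOS 6 also ships OpenSSH 5.3 as far as I recall, so on unpatched hosts the hardened branch is never reached; a template comment saying so would stop operators assuming ChaCha20/curve25519 is in effect.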

+ 7 - 1
templates/sshd_config/CentOS_7.erb

@@ -164,10 +164,16 @@ AllowGroups <%= s %>
 #Host *.local
 #  CheckHostIP no
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
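Review bot: `KexAlgorithms curve25519-sha256@libssh.org` as the sole key-exchange method will refuse any client that lacks curve25519 support (older PuTTY builds, some embedded and Java SSH clients), and nothing in the hunk or the README warns the operator of that consequence of enabling `hardened`. The article referenced in the merge description also allows `diffie-hellman-group-exchange-sha256` as a fallback on the condition that `/etc/ssh/moduli` is pruned of small groups; if that trade-off is acceptable here, `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256` keeps legacy clients connecting, at the cost of moduli management this module does not yet do. Either way, a comment above the line naming the client-compatibility impact would help; the same applies to the sibling templates.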

+ 4 - 3
templates/sshd_config/Debian_jessie.erb

@@ -111,9 +111,10 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
-Ciphers aes256-ctr
-MACs hmac-sha1
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
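Review bot: The hardened block here is emitted without the `ssh_version` check the other templates in this merge use, so the template silently assumes OpenSSH ≥ 6.5 — `chacha20-poly1305@openssh.com` and the `-etm` MACs do not exist before that, and sshd rejects its whole configuration on an unknown cipher or MAC name. The assumption holds for jessie's stock OpenSSH 6.7 as far as I know, but nothing in the template records it. An ERB comment such as `<%# jessie ships OpenSSH 6.7, so no version gate is needed for these algorithm lists %>` above the `KexAlgorithms` line would make the intent explicit for the next maintainer.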

+ 4 - 3
templates/sshd_config/Debian_sid.erb

@@ -111,9 +111,10 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
-Ciphers aes256-ctr
-MACs hmac-sha1
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
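Review bot: The `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160` entries in the added `MACs` line add nothing a peer would actually negotiate (the SHA-2 and UMAC entries precede them) and are tied to a MAC that upstream later removed (OpenSSH 7.6); because sshd rejects its configuration when a `MACs` entry is unknown, a sid host tracking a newer OpenSSH will stop starting sshd once that lands. Trimming the line to `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com` avoids that with no loss of strength. The same trim applies to every template touched by this merge; sid is simply the one most likely to hit the breakage first.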

+ 1 - 1
templates/sshd_config/Debian_squeeze.erb

@@ -115,7 +115,7 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

+ 7 - 1
templates/sshd_config/Debian_wheezy.erb

@@ -114,10 +114,16 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
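Review bot: The fallback branch `Ciphers aes256-ctr` / `MACs hmac-sha1` is what wheezy's stock OpenSSH 6.0 will get, since the gate is at 6.5, yet the SHA-2 HMACs (`hmac-sha2-256`, `hmac-sha2-512`) have been available since OpenSSH 5.9 if I recall correctly and are precisely what the referenced hardening guide aims at. An intermediate branch such as `<% elsif (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'5.9'])) >= 0 -%>` with `Ciphers aes256-ctr` and `MACs hmac-sha2-512,hmac-sha2-256` would give 5.9–6.4 hosts a SHA-2 MAC instead of SHA-1. As written, enabling `hardened` on wheezy changes nothing the pre-merge block did not already do.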

+ 7 - 1
templates/sshd_config/FreeBSD.erb

@@ -152,10 +152,16 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
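Review bot: `scope.lookupvar('sshd::hardened') == 'yes'` recognises only the string `'yes'`, so a Hiera or class-parameter value of boolean `true` leaves the server on its default algorithm lists with no warning — exactly the silent non-hardening a security toggle should not allow. Accepting both forms, e.g. `<% h = scope.lookupvar('sshd::hardened'); if h == true || h.to_s == 'yes' -%>`, or validating the parameter in the manifest so that any value other than `yes`/`no` fails the compile, closes that gap. The condition predates this merge, but the rename to `hardened` is the natural moment to tighten it across all the templates.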

+ 7 - 1
templates/sshd_config/Gentoo.erb

@@ -147,10 +147,16 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>

+ 7 - 1
templates/sshd_config/OpenBSD.erb

@@ -128,10 +128,16 @@ AllowGroups <%= s %>
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>

+ 7 - 1
templates/sshd_config/Ubuntu.erb

@@ -115,10 +115,16 @@ AllowUsers <%= s %>
 AllowGroups <%= s %>
 <%- end -%>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
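Review bot: The three-line algorithm block and its version gate are now copied verbatim into eight templates, so the next cipher or MAC adjustment has to be made eight times, and a miss in one file leaves that platform quietly behind — the Debian_jessie and Debian_sid copies already differ from this one in having no gate. Moving the lists into the manifest (e.g. `$hardened_kex`, `$hardened_ciphers`, `$hardened_macs` chosen once from `$::ssh_version`) or into a shared ERB partial rendered from each template would keep one source of truth. That is a structural change for a follow-up; until then, a comment in each copy naming which template holds the canonical list would help.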

+ 7 - 1
templates/sshd_config/Ubuntu_lucid.erb

@@ -118,10 +118,16 @@ AllowGroups <%= s %>
 
 PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>