From 43d61079498034ac0483f8a86d7087df40516dca Mon Sep 17 00:00:00 2001 From: Date: Wed, 19 Oct 2016 14:01:24 -0700 Subject: [PATCH] adding support for KexAlgorithms --- README.md | 12 +++++++++++ manifests/init.pp | 10 +++++++++ spec/classes/init_spec.rb | 44 +++++++++++++++++++++++++++++++++++++++ templates/ssh_config.erb | 3 +++ templates/sshd_config.erb | 3 +++ 5 files changed, 72 insertions(+) diff --git a/README.md b/README.md index f773f03..978f40a 100644 --- a/README.md +++ b/README.md @@ -125,6 +125,12 @@ Array of ciphers to be used with the Ciphers option in ssh_config. - *Default*: undef +ssh_config_kexalgorithms +------------------ +Array of key exchange algorithms to be used with the KexAlgorithms option in ssh_config. + +- *Default*: undef + ssh_config_macs --------------- Array of ciphers to be used with the MACs option in ssh_config. @@ -448,6 +454,12 @@ Array of ciphers for the Ciphers setting in sshd_config. - *Default*: undef +sshd_config_kexalgorithms +------------------- +Array of key exchange algorithms for the KexAlgorithms setting in sshd_config. + +- *Default*: undef + sshd_config_macs ---------------- Array of macs for the MACs setting in sshd_config. diff --git a/manifests/init.pp b/manifests/init.pp index 4811efe..830bb3d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -23,6 +23,7 @@ class ssh ( $ssh_hostbasedauthentication = undef, $ssh_strict_host_key_checking = undef, $ssh_config_ciphers = undef, + $ssh_config_kexalgorithms = undef, $ssh_config_macs = undef, $ssh_config_use_roaming = 'USE_DEFAULTS', $ssh_config_template = 'ssh/ssh_config.erb', @@ -48,6 +49,7 @@ class ssh ( $sshd_config_serverkeybits = 'USE_DEFAULTS', $sshd_config_banner = 'none', $sshd_config_ciphers = undef, + $sshd_config_kexalgorithms = undef, $sshd_config_macs = undef, $ssh_enable_ssh_keysign = undef, $sshd_config_allowgroups = [], 
@@ -464,6 +466,14 @@ class ssh ( validate_array($sshd_config_ciphers) } + if $ssh_config_kexalgorithms != undef { + validate_array($ssh_config_kexalgorithms) + } + + if $sshd_config_kexalgorithms != undef { + validate_array($sshd_config_kexalgorithms) + } + if $ssh_config_macs != undef { validate_array($ssh_config_macs) } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 8bc96e8..02db828 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -320,6 +320,15 @@ describe 'ssh' do 'aes192-cbc', 'aes256-cbc', ], + :ssh_config_kexalgorithms => [ 'curve25519-sha256@libssh.org', + 'ecdh-sha2-nistp256', + 'ecdh-sha2-nistp384', + 'ecdh-sha2-nistp521', + 'diffie-hellman-group-exchange-sha256', + 'diffie-hellman-group-exchange-sha1', + 'diffie-hellman-group14-sha1', + 'diffie-hellman-group1-sha1', + ], :ssh_config_macs => [ 'hmac-md5-etm@openssh.com', 'hmac-sha1-etm@openssh.com', ], @@ -360,6 +369,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } it { should contain_file('ssh_config').with_content(/^ SendEnv XMODIFIERS$/) } it { should contain_file('ssh_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } + it { should contain_file('ssh_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) } it { should contain_file('ssh_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('ssh_config').with_content(/^\s*GlobalKnownHostsFile \/etc\/ssh\/ssh_known_hosts2 \/etc\/ssh\/ssh_known_hosts3 \/etc\/ssh\/ssh_known_hosts4$/) } it { should contain_file('ssh_config').with_content(/^\s*UserKnownHostsFile \.ssh\/known_hosts1 \.ssh\/known_hosts2$/) } 
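Review bot: The two new `validate_array` checks in this hunk still accept an empty array, and both template hunks (`templates/ssh_config.erb`, `templates/sshd_config.erb`) guard the output with a bare `<% if @..._kexalgorithms -%>`, which is true for `[]` in Ruby, so an empty array renders a `KexAlgorithms` line with no argument; sshd treats a missing argument as a fatal config error, so the daemon would refuse to (re)start. Rejecting it at validation time keeps the templates unchanged, e.g. `if empty($ssh_config_kexalgorithms) { fail('ssh_config_kexalgorithms must not be empty') }` after each `validate_array` (`empty` ships in stdlib next to `validate_array`). The elements are also joined into a single directive without any content check, so a whitespace or newline inside an element would alter the rendered config line; a `validate_re(join($ssh_config_kexalgorithms, ','), '\A\S+\z')` check pins them to a single token (use `\A`/`\z`, not `^`/`$`, since Ruby anchors those per line). The existing Ciphers/MACs handling this copies has the same gap, and the negative specs added in init_spec.rb (`[true,'invalid']`) could then gain an `[]` case. The enclosing `class ssh` body begins and ends outside this hunk.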
@@ -412,6 +422,15 @@ describe 'ssh' do 'aes192-cbc', 'aes256-cbc', ], + :sshd_config_kexalgorithms => [ 'curve25519-sha256@libssh.org', + 'ecdh-sha2-nistp256', + 'ecdh-sha2-nistp384', + 'ecdh-sha2-nistp521', + 'diffie-hellman-group-exchange-sha256', + 'diffie-hellman-group-exchange-sha1', + 'diffie-hellman-group14-sha1', + 'diffie-hellman-group1-sha1', + ], :sshd_config_macs => [ 'hmac-md5-etm@openssh.com', 'hmac-sha1-etm@openssh.com', ], @@ -491,6 +510,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^ForceCommand \/force\/command --with-parameter 242$/) } it { should contain_file('sshd_config').with_content(/^Match User JohnDoe\n AllowTcpForwarding yes\Z/) } it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) } + it { should contain_file('sshd_config').with_content(/^\s*KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1$/) } it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) } it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) } it { should contain_file('sshd_config').with_content(/^\s*DenyGroups nossh wheel$/) } @@ -746,6 +766,18 @@ describe 'ssh' do end end + [true,'invalid'].each do |kexalgorithms| + context "with ssh_config_kexalgorithms set to invalid value #{kexalgorithms}" do + let(:params) { { :ssh_config_kexalgorithms => kexalgorithms } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + [true,'invalid'].each do |macs| context "with ssh_config_macs set to invalid value #{macs}" do let(:params) { { :ssh_config_macs => macs } } 
@@ -780,6 +812,18 @@ describe 'ssh' do end end + [true,'invalid'].each do |kexalgorithms| + context "with sshd_config_kexalgorithms set to invalid value #{kexalgorithms}" do + let(:params) { { :sshd_config_kexalgorithms => kexalgorithms } } + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error) + end + end + end + [true,'invalid'].each do |denyusers| context "with sshd_config_denyusers set to invalid value #{denyusers}" do let(:params) { { :sshd_config_denyusers => denyusers } } diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index ced3f41..7c58bab 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -49,6 +49,9 @@ <% if @ssh_config_ciphers -%> Ciphers <%= @ssh_config_ciphers.join(',') %> <% end -%> +<% if @ssh_config_kexalgorithms -%> + KexAlgorithms <%= @ssh_config_kexalgorithms.join(',') %> +<% end -%> # EscapeChar ~ # Tunnel no # TunnelDevice any:any diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 313581c..9481601 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -219,6 +219,9 @@ Subsystem sftp <%= @sshd_config_subsystem_sftp_real %> <% if @sshd_config_ciphers -%> Ciphers <%= @sshd_config_ciphers.join(',') %> <% end -%> +<% if @sshd_config_kexalgorithms -%> +KexAlgorithms <%= @sshd_config_kexalgorithms.join(',') %> +<% end -%> <% if @sshd_config_macs -%> MACs <%= @sshd_config_macs.join(',') %> <% end -%>