Add node attributes to override KEX, MAC and cipher values

There's advice available on preferred choices of key exchange, message
authentication and ciphers from a number of sources [1][2][3], all of
which don't _entirely_ agree with each other, and then there's the
hardcoded selection of Kex, MAC and ciphers encoded in this cookbook.

After initial discussions around this change with @chris-rock and
@artem-sideorenko, there may be follow-on changes to the hardcoded
selections this cookbook generates, however that's a topic for future
discussion and PRs.

There is likely to be more complexity and balancing of features/security
to consider plus the future changes of refactors in this cookbook, so
initially, I'd just like a way of overriding the generated defaults.

Note that `node['ssh'][{'client', 'server'}][{'weak_hmac', 'weak_kex',
'cbc_required'}}` are all ignored if these overrides are used, as the
user is supplying their preferred choices, rather than relying on the
cookbook's generated strings.

[1] https://github.com/arthepsy/ssh-audit
[2] https://wiki.mozilla.org/Security/Guidelines/OpenSSH
[3] https://stribika.github.io/2015/01/04/secure-secure-shell.html

Author: bazbremner

README.md

@@ -28,6 +28,9 @@ This cookbook provides secure ssh-client and ssh-server configurations.
 ## Attributes
 
 * `['network']['ipv6']['enable']` - true if IPv6 is needed
+* `['ssh'][{'client', 'server'}]['kex']` - nil to calculate best key-exchange (KEX) based on server version, otherwise specify a string of Kex values
+* `['ssh'][{'client', 'server'}]['mac']` - nil to calculate best Message Authentication Codes (MACs) based on server version, otherwise specify a string of Mac values
+* `['ssh'][{'client', 'server'}]['cipher']` - nil to calculate best ciphers based on server version, otherwise specify a string of Cipher values
 * `['ssh'][{'client', 'server'}]['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
 * `['ssh'][{'client', 'server'}]['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
 * `['ssh'][{'client', 'server'}]['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.

attributes/default.rb

@@ -48,6 +48,12 @@
 
 default['config_disclaimer']              = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
 default['network']['ipv6']['enable']      = false   # sshd + ssh
+default['ssh']['server']['kex']           = nil     # nil = calculate best combination for server version
+default['ssh']['client']['mac']           = nil     # nil = calculate best combination for client
+default['ssh']['server']['cipher']        = nil     # nil = calculate best combination for server version
+default['ssh']['client']['kex']           = nil     # nil = calculate best combination for client
+default['ssh']['server']['mac']           = nil     # nil = calculate best combination for server version
+default['ssh']['client']['cipher']        = nil     # nil = calculate best combination for client
 default['ssh']['client']['cbc_required']  = false   # ssh
 default['ssh']['server']['cbc_required']  = false   # sshd
 default['ssh']['client']['weak_hmac']     = false   # ssh

recipes/client.rb

@@ -62,9 +62,9 @@
   owner 'root'
   group 'root'
   variables(
-    mac: DevSec::Ssh.get_client_macs(node['ssh']['client']['weak_hmac']),
-    kex: DevSec::Ssh.get_client_kexs(node['ssh']['client']['weak_kex']),
-    cipher: DevSec::Ssh.get_client_ciphers(node['ssh']['client']['cbc_required']),
+    mac:     node['ssh']['client']['mac']    || DevSec::Ssh.get_client_macs(node['ssh']['client']['weak_hmac']),
+    kex:     node['ssh']['client']['kex']    || DevSec::Ssh.get_client_kexs(node['ssh']['client']['weak_kex']),
+    cipher:  node['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh']['client']['cbc_required']),
     roaming: node['ssh']['client']['roaming']
   )
 end

recipes/server.rb

@@ -92,9 +92,9 @@
   owner 'root'
   group 'root'
   variables(
-    mac: DevSec::Ssh.get_server_macs(node['ssh']['server']['weak_hmac']),
-    kex: DevSec::Ssh.get_server_kexs(node['ssh']['server']['weak_kex']),
-    cipher: DevSec::Ssh.get_server_ciphers(node['ssh']['server']['cbc_required']),
+    mac:    node['ssh']['server']['mac']    || DevSec::Ssh.get_server_macs(node['ssh']['server']['weak_hmac']),
+    kex:    node['ssh']['server']['kex']    || DevSec::Ssh.get_server_kexs(node['ssh']['server']['weak_kex']),
+    cipher: node['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh']['server']['cbc_required']),
     use_priv_sep: node['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion,
     deny_users: node['ssh']['deny_users'],
     allow_users: node['ssh']['allow_users'],