Add node attributes to override KEX, MAC and cipher values

There's advice available on preferred choices of key exchange, message
authentication and ciphers from a number of sources [1][2][3], all of
which don't _entirely_ agree with each other, and then there's the
hardcoded selection of Kex, MAC and ciphers encoded in this cookbook.

At the time of committing, there is a refactor going on to simplify kex
and cipher handling:
#134

Even in that refactor, hmac-ripemd160 MACs, which have been removed in
OpenSSH 6.7 (and hence flagged by ssh-audit[1] and are absent from
Mozilla's recommendations[2] for modern sshd, yet are still recommended
by secure secure shell[3]) are included in the default MAC list.

Likewise hmac-sha2-256 and hmac-sha2-512 are flagged by ssh-audit[1] as
they are encrypt-and-MAC, which has a number of issues, discussed in
secure secure shell[3].

There is likely to be more complexity and balancing of features/security
to consider plus the future changes of refactors in this cookbook, so
initially, I'd just like a way of overriding the generated defaults.

[1] https://github.com/arthepsy/ssh-audit
[2] https://wiki.mozilla.org/Security/Guidelines/OpenSSH
[3] https://stribika.github.io/2015/01/04/secure-secure-shell.html

Author: bazbremner

README.md

@@ -28,6 +28,9 @@ This cookbook provides secure ssh-client and ssh-server configurations.
 ## Attributes
 
 * `['network']['ipv6']['enable']` - true if IPv6 is needed
+* `['ssh'][{'client', 'server'}]['kex']` - nil to calculate best key-exchange (KEX) based on server version, otherwise specify a string of Kex values
+* `['ssh'][{'client', 'server'}]['mac']` - nil to calculate best Message Authentication Codes (MACs) based on server version, otherwise specify a string of Mac values
+* `['ssh'][{'client', 'server'}]['cipher']` - nil to calculate best ciphers based on server version, otherwise specify a string of Cipher values
 * `['ssh'][{'client', 'server'}]['cbc_required']` - true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
 * `['ssh'][{'client', 'server'}]['weak_hmac']` - true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
 * `['ssh'][{'client', 'server'}]['weak_kex']` - true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.

attributes/default.rb

@@ -48,6 +48,12 @@
 
 default['config_disclaimer']              = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
 default['network']['ipv6']['enable']      = false   # sshd + ssh
+default['ssh']['server']['kex']           = nil     # nil = calculate best combination for server version
+default['ssh']['client']['mac']           = nil     # nil = calculate best combination for client
+default['ssh']['server']['cipher']        = nil     # nil = calculate best combination for server version
+default['ssh']['client']['kex']           = nil     # nil = calculate best combination for client
+default['ssh']['server']['mac']           = nil     # nil = calculate best combination for server version
+default['ssh']['client']['cipher']        = nil     # nil = calculate best combination for client
 default['ssh']['client']['cbc_required']  = false   # ssh
 default['ssh']['server']['cbc_required']  = false   # sshd
 default['ssh']['client']['weak_hmac']     = false   # ssh

recipes/client.rb

@@ -62,9 +62,9 @@
   owner 'root'
   group 'root'
   variables(
-    mac: SshMac.get_macs(node, node['ssh']['client']['weak_hmac']),
-    kex: SshKex.get_kexs(node, node['ssh']['client']['weak_kex']),
-    cipher: SshCipher.get_ciphers(node, node['ssh']['client']['cbc_required']),
+    mac:     node['ssh']['client']['mac']    || SshMac.get_macs(node, node['ssh']['client']['weak_hmac']),
+    kex:     node['ssh']['client']['kex']    || SshKex.get_kexs(node, node['ssh']['client']['weak_kex']),
+    cipher:  node['ssh']['client']['cipher'] || SshCipher.get_ciphers(node, node['ssh']['client']['cbc_required']),
     roaming: node['ssh']['client']['roaming']
   )
 end

recipes/server.rb

@@ -92,9 +92,9 @@
   owner 'root'
   group 'root'
   variables(
-    mac: SshMac.get_macs(node, node['ssh']['server']['weak_hmac']),
-    kex: SshKex.get_kexs(node, node['ssh']['server']['weak_kex']),
-    cipher: SshCipher.get_ciphers(node, node['ssh']['server']['cbc_required']),
+    mac:    node['ssh']['server']['mac']    || SshMac.get_macs(node, node['ssh']['server']['weak_hmac']),
+    kex:    node['ssh']['server']['kex']    || SshKex.get_kexs(node, node['ssh']['server']['weak_kex']),
+    cipher: node['ssh']['server']['cipher'] || SshCipher.get_ciphers(node, node['ssh']['server']['cbc_required']),
     use_priv_sep: node['ssh']['use_privilege_separation'] || UsePrivilegeSeparation.get(node),
     deny_users: node['ssh']['deny_users'],
     allow_users: node['ssh']['allow_users'],