Merge pull request #198 from artem-forks/ubuntu18

Avoid some deprecated options for OpenSSH >=7.6

Author: artem-sidorenko

libraries/devsec_ssh.rb

@@ -119,6 +119,13 @@ def get_server_kexs(enable_weak = false)
         get_crypto_data(:kexs, :server, enable_weak)
       end
 
+      { client: 'sshclient',
+        server: 'sshserver' }.each do |k, v|
+        define_method("get_ssh_#{k}_version") do
+          get_ssh_version(node['ssh-hardening'][v]['package'])
+        end
+      end
+
       private
 
       # :nocov:
@@ -170,13 +177,6 @@ def find_ssh_version(version, versions)
         found_ssh_version
       end
 
-      { client: 'sshclient',
-        server: 'sshserver' }.each do |k, v|
-        define_method("get_ssh_#{k}_version") do
-          get_ssh_version(node['ssh-hardening'][v]['package'])
-        end
-      end
-
       def get_ssh_version(package)
         version = node['packages'][package]['version']
         # on debian we get the epoch in front of version number: 1:7.2p2-4ubuntu2.1

recipes/client.rb

@@ -48,7 +48,8 @@
       {
         mac:     node['ssh-hardening']['ssh']['client']['mac']    || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']),
         kex:     node['ssh-hardening']['ssh']['client']['kex']    || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']),
-        cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required'])
+        cipher:  node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required']),
+        version: DevSec::Ssh.get_ssh_client_version
       }
     end
   )

spec/libraries/devsec_ssh_spec.rb

@@ -195,20 +195,6 @@ def self.debug(*); end
     end
   end
 
-  describe 'get_ssh_server_version' do
-    it 'should call get_ssh_version with server package attribute' do
-      expect(subject).to receive(:get_ssh_version).with(package_name)
-      subject.send(:get_ssh_server_version)
-    end
-  end
-
-  describe 'get_ssh_client_version' do
-    it 'should call get_ssh_version with client package attribute' do
-      expect(subject).to receive(:get_ssh_version).with(package_name)
-      subject.send(:get_ssh_client_version)
-    end
-  end
-
   describe 'find_ssh_version' do
     context 'when it gets the valid ssh version' do
       it 'should return the next small version' do
@@ -314,4 +300,18 @@ def self.debug(*); end
       end
     end
   end
+
+  describe 'get_ssh_server_version' do
+    it 'should call get_ssh_version with server package attribute' do
+      expect(subject).to receive(:get_ssh_version).with(package_name)
+      subject.send(:get_ssh_server_version)
+    end
+  end
+
+  describe 'get_ssh_client_version' do
+    it 'should call get_ssh_version with client package attribute' do
+      expect(subject).to receive(:get_ssh_version).with(package_name)
+      subject.send(:get_ssh_client_version)
+    end
+  end
 end

spec/recipes/client_spec.rb

@@ -219,6 +219,26 @@
     end
   end
 
+  describe 'version specifc options' do
+    context 'running with OpenSSH < 7.6' do
+      it 'should have RhostsRSAAuthentication and RSAAuthentication' do
+        expect(chef_run).to render_file('/etc/ssh/ssh_config').with_content(/RhostsRSAAuthentication/)
+        expect(chef_run).to render_file('/etc/ssh/ssh_config').with_content(/RSAAuthentication/)
+      end
+    end
+
+    context 'running with OpenSSH >= 7.6 on Ubuntu 18.04' do
+      cached(:chef_run) do
+        ChefSpec::ServerRunner.new(version: '18.04').converge(described_recipe)
+      end
+
+      it 'should not have RhostsRSAAuthentication and RSAAuthentication' do
+        expect(chef_run).to_not render_file('/etc/ssh/ssh_config').with_content(/RhostsRSAAuthentication/)
+        expect(chef_run).to_not render_file('/etc/ssh/ssh_config').with_content(/RSAAuthentication/)
+      end
+    end
+  end
+
   context 'chef-solo' do
     cached(:chef_run) do
       ChefSpec::SoloRunner.new.converge(described_recipe)

templates/default/openssh.conf.erb

@@ -82,10 +82,13 @@ ForwardX11 no
 
 # Never use host-based authentication. It can be exploited.
 HostbasedAuthentication no
+
+<% if @version.to_f < 7.6 %>
 RhostsRSAAuthentication no
 
 # Enable RSA authentication via identity files.
 RSAAuthentication yes
+<% end %>
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication <%= ((@node['ssh-hardening']['ssh']['client']['password_authentication']) ? "yes" : "no" ) %>