Use SHA2 HMACs in OpenSSH for RHEL family 6.5+ (#146)

* Use SHA2 HMACs in OpenSSH for RHEL family 6.5+ Signed-off-by: Jason McNew <[email protected]> * Since 6.x is no longer in EUS, use latest 6.x compatible config as baseline. Signed-off-by: Jason McNew <[email protected]> * Explain why older RHEL6 HMACs are not recommended. Signed-off-by: Jason McNew <[email protected]>
dev-sec · Apr 6, 2020 · 7f15d47 · 7f15d47
1 parent b3abc52
commit 7f15d47
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -23,4 +23,4 @@ Metrics/CyclomaticComplexity:
 Metrics/PerceivedComplexity:
   Max: 10
 Metrics/AbcSize:
-  Max: 30
+  Max: 31
diff --git a/libraries/ssh_crypto.rb b/libraries/ssh_crypto.rb
@@ -130,6 +130,7 @@ def valid_macs # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLen
     macs66 = '[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256'
     macs59 = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
     macs53 = 'hmac-ripemd160,hmac-sha1'
+    macs53_el65 = 'hmac-sha2-512,hmac-sha2-256'
     macs = macs59
 
     # adjust MACs based on OS + release
@@ -153,7 +154,12 @@ def valid_macs # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLen
     when 'redhat', 'centos', 'oracle'
       case inspec.os[:release]
       when /^6\./
-        macs = macs53
+        # RedHat Enterprise Linux (and family) backported SHA2 support to their fork of OpenSSH 5.3 in RHEL 6.5.
+        # See BZ#969565 at:
+        # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/6.5_technical_notes/index#openssh
+        # Because extended support (EUS) updates for 6.x minor releases is no longer available,
+        # only the settings available for the supported (latest) 6.x release are recommended.
+        macs = macs53_el65
       when /^7\./, /^8\./
         macs = macs66
       end