add basic support for Ubuntu 22 #204

Merged: 2 commits merged into master from ubuntu22 on Aug 6, 2022
Conversation

schurzi (Contributor) commented Aug 4, 2022

This adds basic support for Ubuntu 22. I have not checked if there are newer (better) supported ciphers. I assume the slightly older ones are still OK for a first update. Currently this control fails on Ubuntu 22 after hardening with our Ansible Collection is applied.

Signed-off-by: Martin Schurz <[email protected]>
micheelengronne (Member) left a review comment:

For me it seems correct.

rndmh3ro (Member) commented Aug 4, 2022

I just checked the differences for default MACs, Kex and Ciphers between Ubuntu 18, 20 and 22.

We should probably add some new variables for the different ssh-versions, add the defaults and then subtract known weak ciphers (if needed). @schurzi what do you think?

ssh-versions:
18: 7.6
20: 8.2
22: 8.9

MACs

22
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1

20
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1

18
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1

Kex

22
curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

20
curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

18
curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Ciphers

22
[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

20
[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

18
[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

schurzi (Contributor, Author) commented Aug 6, 2022

Thanks for compiling the lists @rndmh3ro. I have checked them with our Ansible Collection, a test VM and against the CIS Benchmark. If I account for insecure settings, almost all lists are identical.

We currently do our checks based on some specific key versions of OpenSSH; every time there is a substantial new algorithm we want to support, we create a new variable and extend our logic in the library. Currently I do not see the need to introduce a new variable for 8.9; the settings from 8.5 still seem applicable.

Regarding your thoughts, I think I am in favor of rewriting our checks to a version-based approach. I also think I want to reverse the function logic. But I kind of want to handle this in a separate Issue/PR.
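The version-based approach sketched in the two comments above (start from the per-OpenSSH-version defaults, subtract known-weak algorithms, compare with what the host offers) can be made concrete in a few dozen lines of Ruby. The block below is an added editorial example, not code from dev-sec/ssh-baseline or from its Ansible collection. It assumes: the Kex lists exactly as posted above; MAC and cipher names taken from the upstream OpenSSH defaults (the copies in the thread were mangled by the page extraction); an assumed denylist of SHA-1 based MACs/KEX and the 64-bit-tag UMAC variants, which is an editorial choice and not the project's; and a constructed `sshd -T` excerpt as input. Function names (`openssh_version`, `defaults_for`, `expected_for`, `parse_sshd_t`, `audit`) are illustrative, not library API.

```ruby
# Added example; not code from dev-sec/ssh-baseline. Versioned defaults minus an
# assumed weak list, compared against the effective `sshd -T` configuration.

# MAC/cipher names assumed to be the upstream OpenSSH defaults (7.6 to 8.9).
COMMON_MACS = %w[
  umac-64-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com
  hmac-sha2-512-etm@openssh.com hmac-sha1-etm@openssh.com umac-64@openssh.com
  umac-128@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha1
].freeze
COMMON_CIPHERS = %w[
  chacha20-poly1305@openssh.com aes128-ctr aes192-ctr aes256-ctr
  aes128-gcm@openssh.com aes256-gcm@openssh.com
].freeze
# Kex lists as posted in the thread for Ubuntu 20 (8.2).
KEX_82 = %w[
  curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256
  ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256
  diffie-hellman-group16-sha512 diffie-hellman-group18-sha512
  diffie-hellman-group14-sha256
].freeze

# Default algorithm sets keyed by [major, minor] OpenSSH version.
VERSIONED_DEFAULTS = {
  [7, 6] => { macs: COMMON_MACS, ciphers: COMMON_CIPHERS,
              kex: %w[curve25519-sha256 curve25519-sha256@libssh.org
                      ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
                      diffie-hellman-group-exchange-sha256
                      diffie-hellman-group14-sha1] },
  [8, 2] => { macs: COMMON_MACS, ciphers: COMMON_CIPHERS, kex: KEX_82 },
  # 8.9 inserts the hybrid post-quantum KEX after the ECDH entries.
  [8, 9] => { macs: COMMON_MACS, ciphers: COMMON_CIPHERS,
              kex: KEX_82[0, 5] + %w[sntrup761x25519-sha512@openssh.com] + KEX_82[5..] },
}.freeze

# Assumed denylist (editorial, not the project's): SHA-1 based MACs and KEX,
# plus the UMAC variants with a 64-bit tag.
WEAK = {
  macs: %w[hmac-sha1 hmac-sha1-etm@openssh.com umac-64@openssh.com umac-64-etm@openssh.com],
  kex: %w[diffie-hellman-group14-sha1],
  ciphers: [],
}.freeze

# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, ..." (from `ssh -V`) -> [8, 9]; nil if not OpenSSH.
def openssh_version(banner)
  m = banner.match(/OpenSSH_(\d+)\.(\d+)/)
  m && [m[1].to_i, m[2].to_i]
end

# Newest known default set that is not newer than the running version,
# so 8.4 uses the 8.2 lists (the thread's "8.5 still applies to 8.9" idea).
def defaults_for(version)
  key = VERSIONED_DEFAULTS.keys.select { |k| (k <=> version) <= 0 }.max
  raise ArgumentError, "no defaults known for OpenSSH #{version.join('.')}" unless key
  VERSIONED_DEFAULTS[key]
end

# Defaults minus the denylist: what a hardened host is expected to offer.
def expected_for(version)
  defaults_for(version).to_h { |kind, algs| [kind, algs - WEAK[kind]] }
end

# Parse `sshd -T` output into { "macs" => [...], "kexalgorithms" => [...], ... }.
def parse_sshd_t(output)
  output.each_line.with_object({}) do |line, cfg|
    key, value = line.strip.split(' ', 2)
    cfg[key.downcase] = value.split(',') if key && value
  end
end

SSHD_T_OPTIONS = { macs: 'macs', kex: 'kexalgorithms', ciphers: 'ciphers' }.freeze

# Per kind: weak algorithms still offered, expected ones missing, unexpected extras.
def audit(version, sshd_t_output)
  expected = expected_for(version)
  actual = parse_sshd_t(sshd_t_output)
  SSHD_T_OPTIONS.to_h do |kind, opt|
    have = actual.fetch(opt, [])
    [kind, { weak: have & WEAK[kind],
             missing: expected[kind] - have,
             extra: have - expected[kind] - WEAK[kind] }]
  end
end

# Constructed `sshd -T` excerpt for an imaginary Ubuntu 22.04 host whose
# hardening left hmac-sha1 in place and dropped the NIST-curve and group14 KEX.
SAMPLE_SSHD_T = <<~CONF
  port 22
  ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,hmac-sha1
  kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
CONF

if __FILE__ == $PROGRAM_NAME
  v = openssh_version('OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022')
  audit(v, SAMPLE_SSHD_T).each do |kind, r|
    puts "#{kind}: weak=#{r[:weak]} missing=#{r[:missing]} extra=#{r[:extra]}"
  end
end
```

Running the sample reports `hmac-sha1` as a weak MAC still offered and the four dropped KEX entries as missing; whether dropping the NIST curves counts as a finding or as intended hardening is a policy decision, which is why the check reports `missing` and `extra` separately instead of demanding an exact list. In a real profile the version would come from `sshd -V` or the package version and the configuration from `sshd -T` on the host rather than from the constructed strings here.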

schurzi (Contributor, Author) commented Aug 6, 2022

Opened new issue #205 for that.

@schurzi schurzi merged commit b809e0b into master Aug 6, 2022
@schurzi schurzi deleted the ubuntu22 branch August 6, 2022 14:40
3 participants