
Some minor version issues #144

Open
johnnybubonic opened this issue Jan 22, 2019 · 2 comments

Comments


johnnybubonic commented Jan 22, 2019

Along with #98 (by the way, this isn't CentOS-specific; it's sshd-version specific. 6.5+ adds ed25519 support; CentOS 6.10 is on OpenSSH 5.3), I have some other suggestions. Forgive me if they're present; I haven't read through all the mappings and such.

Note that these can be determined via something like {% set sshver = salt['pkg.version']('openssh-server').split('p')[0] | float %} in Jinja2 syntax (for CentOS; the 'openssh-server' should obviously be the actual package name). This conveniently lets you do things like:

{% if sshver > 6.5 %}
Option foo
{% else %}
OldOption bar
{% endif %}

I have a regex pattern that will also work on e.g. Sun's SSH if you'd like to make it even more flexible (though admittedly I haven't tested it on any of the BSDs).

That said, the inconsistencies I know of are:

  • AuthorizedKeysCommandUser is, prior to OpenSSH 6.2, known as AuthorizedKeysCommandRunAs (I'd just recommend changing the option name in the sshd_config perhaps?)
  • The "Secure Secure Shell" recommendations should probably be default. Here's a convenient list of supported Kex, Ciphers, etc. between CentOS 6.10 and 7.6 (OpenSSH 5.3 and OpenSSH 7.4 respectively):

CentOS 6:

| ssh2-enum-algos: 
|   kex_algorithms: (4)
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (13)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (9)
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

CentOS 7:

| ssh2-enum-algos: 
|   kex_algorithms: (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-ed25519
|   encryption_algorithms: (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Which means, as per #26, the respective recommended defaults should then be:

CentOS 6:

  • KexAlgorithms diffie-hellman-group-exchange-sha256
  • Ciphers aes256-ctr,aes192-ctr,aes128-ctr
  • MACs hmac-sha2-512,hmac-sha2-256

CentOS 7:

Per @aboe76's concerns in #26 (comment), I have tested from both PuTTY and the built-in Windows SSH client (in Windows 10). All keys work as expected (PuTTY-generated RSA4096 and ED25519, Windows' ssh-keygen rsa with default options and ed25519 with default options; the RSA keys on both CentOS 6 and 7, the ED25519 keys on CentOS 7).

Member

alxwr commented Feb 12, 2019

@johnnybubonic Thanks for these extensive lists!
In #117 and #102 we decided (after a lengthy discussion) against maintaining default values in this formula. It would be too much effort to keep up with the various distributions without breaking things.

Maybe we could move ready-to-use configuration into Pillar files. Those could easily be included in an existing setup. This way they would be opt-in without the need of further complicating the SLS templates.

Author

johnnybubonic commented Feb 13, 2019

Oh gotcha; sorry, I missed those decisions!

And good idea about the pillars. I was running into some circular condition dependencies checking the ssh version with pkg.version, so I ended up just setting a conservative default version (5.9) and checking sshd directly:

import re
import socket

# Group 3 captures the dotted version from an OpenSSH or Sun_SSH banner
ssh_re = re.compile(r'^(SSH-2.0-(Open|Sun_)SSH_)([0-9]+\.[0-9]*).*$')

server_ip = '192.0.2.10'  # placeholder: the host whose sshd banner is checked

sock = socket.socket()
sock.settimeout(3)
sock.connect((server_ip, 22))
sshver = float(ssh_re.sub(r'\g<3>', sock.recv(64).decode('utf-8').strip()))
sock.close()

BUT if configuration was moved to pillars, then it'd definitely cut down on the logic needed in the actual states/templates (which would help with #148 too).
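Putting the threads of this issue together (the 6.2 and 6.5 version thresholds from the first comment, the banner regex from the last one, and the CentOS 6 algorithm list from ssh2-enum-algos): an added Python example, not code from the formula or from either commenter, that parses a banner into a comparable version tuple and filters a preferred algorithm list down to what the server offers. No socket is opened (banners are passed in as strings), and the `nobody` user and the ed25519 host-key path are assumptions.

```python
import re

# Banner prefix as in the issue's regex (OpenSSH / Sun_SSH), tolerating the
# "p<n>" portable suffix that the Jinja split('p') strips off.
BANNER_RE = re.compile(r'^SSH-2\.0-(?:Open|Sun_)SSH_(\d+)\.(\d+)(?:p\d+)?')

def parse_banner(banner):
    """(major, minor) from a server identification line, or None if not matched.
    A tuple compares correctly where float('6.10') < float('6.9') would not."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None
# Thresholds quoted in the issue: option rename at 6.2, ed25519 keys at 6.5.
def authorized_keys_user_option(ver):
    return 'AuthorizedKeysCommandUser' if ver >= (6, 2) else 'AuthorizedKeysCommandRunAs'

def supports_ed25519(ver):
    return ver >= (6, 5)

# Preference order in the spirit of the "Secure Secure Shell" list the issue
# cites; only entries the server actually offers survive, in this order.
PREFERRED = {
    'KexAlgorithms': ['curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256'],
    'Ciphers': ['chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com',
                'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr', 'aes128-ctr'],
    'MACs': ['hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com',
             'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256', 'umac-128@openssh.com'],
}

# Algorithms the issue's ssh2-enum-algos run reported for CentOS 6 (OpenSSH 5.3).
CENTOS6 = {
    'KexAlgorithms': ['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1',
                      'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'],
    'Ciphers': ['aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'arcfour256', 'arcfour128', 'aes128-cbc',
                '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'aes192-cbc', 'aes256-cbc', 'arcfour',
                'rijndael-cbc@lysator.liu.se'],
    'MACs': ['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-sha2-256', 'hmac-sha2-512',
             'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'],
}

def recommended(option, server_algos):
    # Preferred algorithms for one option, filtered to what the server offers
    offered = set(server_algos)
    return [a for a in PREFERRED[option] if a in offered]

def sshd_config_lines(ver, server_algos):
    """Version-dependent sshd_config lines; the 'nobody' user and key path are assumed."""
    lines = [f'{opt} {",".join(recommended(opt, server_algos[opt]))}' for opt in PREFERRED]
    lines.append(f'{authorized_keys_user_option(ver)} nobody')
    if supports_ed25519(ver):
        lines.append('HostKey /etc/ssh/ssh_host_ed25519_key')
    return lines
```

Run against the CentOS 6 list this reproduces the three defaults proposed above for OpenSSH 5.3 and selects the pre-6.2 option name.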
