Merge pull request #179 from dev-sec/remove_weak

rndmh3ro · web-flow · commit 4031d7cc1056 · 2018-09-16T14:43:28.000+02:00
update config of kex, macs, ciphers
diff --git a/README.md b/README.md
@@ -18,12 +18,6 @@ Warning: This role disables root-login on the target server! Please make sure yo
 | Name           | Default Value | Description                        |
 | -------------- | ------------- | -----------------------------------|
 |`network_ipv6_enable` | false |true if IPv6 is needed|
-|`ssh_client_cbc_required` | false |true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.|
-|`ssh_server_cbc_required` | false |true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.|
-|`ssh_client_weak_hmac` | false |true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.|
-|`ssh_server_weak_hmac` | false |true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.|
-|`ssh_client_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
-|`ssh_server_weak_kex` | false |true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.|
 |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
 |`ssh_client_port` | '22' |port to which ssh-client should connect|
 |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
@@ -76,6 +70,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 |`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
+|`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` |
+|`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` |
+|`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |
 
 ## Example Playbook
 
@@ -149,8 +146,6 @@ Always look into log files first and if possible look at the negotation between
 
 We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
 
-If you find this isn't enough, feel free to activate the attributes `cbc_requires` for ciphers, `weak_hmac` for MACs and `weak_kex`for KEX in the variables `ssh_client` or `ssh_server` based on where you want to support them.
-
 **After using the role Ansibles template/copy/file module does not work anymore!**
 
 This role by default deactivates SFTP. Ansible uses by default SFTP to transfer files to the remote hosts. You have to set `scp_if_ssh = True` in your ansible.cfg. This way Ansible uses SCP to copy files. Alternatively you can enable SFTP again by setting `sftp_enabled` to `true`.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -14,18 +14,6 @@ ssh_compression: false                  # sshd
 ssh_client_hardening: true          # ssh
 ssh_server_hardening: true          # sshd
 
-# true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.
-ssh_client_cbc_required: false          # ssh
-ssh_server_cbc_required: false          # sshd
-
-# true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.
-ssh_client_weak_hmac: false             # ssh
-ssh_server_weak_hmac: false             # sshd
-
-# true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.
-ssh_client_weak_kex: false              # ssh
-ssh_server_weak_kex: false              # sshd
-
 # If true, password login is allowed
 ssh_client_password_login: false          # ssh
 ssh_server_password_login: false          # sshd
@@ -184,8 +172,6 @@ ssh_macs_59_default:
   - hmac-sha2-256
   - hmac-ripemd160
 
-ssh_macs_59_weak: "{{ ssh_macs_59_default + ['hmac-sha1'] }}"
-
 ssh_macs_66_default:
   - hmac-sha2-512-etm@openssh.com
   - hmac-sha2-256-etm@openssh.com
@@ -200,15 +186,11 @@ ssh_macs_76_default:
   - hmac-sha2-512
   - hmac-sha2-256
 
-ssh_macs_66_weak: "{{ ssh_macs_66_default + ['hmac-sha1'] }}"
-
 ssh_ciphers_53_default:
   - aes256-ctr
   - aes192-ctr
   - aes128-ctr
 
-ssh_ciphers_53_weak: "{{ ssh_ciphers_53_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
-
 ssh_ciphers_66_default:
   - chacha20-poly1305@openssh.com
   - aes256-gcm@openssh.com
@@ -217,19 +199,13 @@ ssh_ciphers_66_default:
   - aes192-ctr
   - aes128-ctr
 
-ssh_ciphers_66_weak: "{{ ssh_ciphers_66_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"
-
 ssh_kex_59_default:
   - diffie-hellman-group-exchange-sha256
 
-ssh_kex_59_weak: "{{ ssh_kex_59_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
-
 ssh_kex_66_default:
   - curve25519-sha256@libssh.org
   - diffie-hellman-group-exchange-sha256
 
-ssh_kex_66_weak: "{{ ssh_kex_66_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
-
 # directory where to store ssh_password policy
 ssh_custom_selinux_dir: '/etc/selinux/local-policies'
 
diff --git a/tasks/crypto.yml b/tasks/crypto.yml
@@ -17,26 +17,16 @@
 
 ###
 
-- name: set weak macs according to openssh-version if openssh >= 7.6
+- name: set macs according to openssh-version if openssh >= 7.6
   set_fact:
     ssh_macs: '{{ ssh_macs_76_default }}'
   when: sshd_version.stdout >= '7.6' and not ssh_macs
 
-- name: set weak macs according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_macs: '{{ ssh_macs_66_weak }}'
-  when: sshd_version.stdout >= '6.6' and ssh_server_weak_hmac and not ssh_macs
-
 - name: set macs according to openssh-version if openssh >= 6.6
   set_fact:
     ssh_macs: '{{ ssh_macs_66_default }}'
   when: sshd_version.stdout >= '6.6' and not ssh_macs
 
-- name: set weak macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_59_weak }}'
-  when: sshd_version.stdout >= '5.9' and ssh_server_weak_hmac and not ssh_macs
-
 - name: set macs according to openssh-version
   set_fact:
     ssh_macs: '{{ ssh_macs_59_default }}'
@@ -47,50 +37,25 @@
     ssh_macs: '{{ ssh_macs_53_default }}'
   when: sshd_version.stdout >= '5.3' and not ssh_macs
 
-- name: set macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_default }}'
-  when: sshd_version.stdout >= '5.3' and not ssh_macs
-
 ###
 
-- name: set weak ciphers according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_66_weak }}'
-  when: sshd_version.stdout >= '6.6' and ssh_server_cbc_required and not ssh_ciphers
-
 - name: set ciphers according to openssh-version if openssh >= 6.6
   set_fact:
     ssh_ciphers: '{{ ssh_ciphers_66_default }}'
   when: sshd_version.stdout >= '6.6' and not ssh_ciphers
 
-- name: set weak ciphers according to openssh-version
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_53_weak }}'
-  when: sshd_version.stdout >= '5.3' and ssh_server_cbc_required and not ssh_ciphers
-
 - name: set ciphers according to openssh-version
   set_fact:
     ssh_ciphers: '{{ ssh_ciphers_53_default }}'
   when: sshd_version.stdout >= '5.3' and not ssh_ciphers
 
 ###
 
-- name: set weak kex according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_kex: '{{ ssh_kex_66_weak }}'
-  when: sshd_version.stdout >= '6.6' and ssh_server_weak_hmac and not ssh_kex
-
 - name: set kex according to openssh-version if openssh >= 6.6
   set_fact:
     ssh_kex: '{{ ssh_kex_66_default }}'
   when: sshd_version.stdout >= '6.6' and not ssh_kex
 
-- name: set weak kex according to openssh-version
-  set_fact:
-    ssh_kex: '{{ ssh_kex_59_weak }}'
-  when: sshd_version.stdout >= '5.9' and ssh_server_weak_hmac and not ssh_kex
-
 - name: set kex according to openssh-version
   set_fact:
     ssh_kex: '{{ ssh_kex_59_default }}'
diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -29,8 +29,6 @@
     ssh_client_alive_interval: 100
     ssh_client_alive_count: 10
     ssh_client_password_login: true
-    ssh_client_cbc_required: true
-    ssh_client_weak_kex: true
     ssh_challengeresponseauthentication: true
     ssh_compression: true
     ssh_allow_users: 'root kitchen vagrant'
@@ -44,10 +42,9 @@
     ssh_print_last_log: true
     ssh_banner: true
     ssh_server_password_login: true
-    ssh_server_weak_hmac: true
     sftp_enabled: true
     sftp_chroot: true
-    ssh_server_enabled: false
+    #ssh_server_enabled: false
     ssh_server_match_group:
       - group: 'root'
         rules: 'AllowTcpForwarding yes'
@@ -68,3 +65,14 @@
     ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
     ssh_authorized_principals :
       - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
+    ssh_macs:
+      - hmac-sha2-512
+      - hmac-sha2-256
+    ssh_ciphers:
+      - aes256-ctr
+      - aes192-ctr
+      - aes128-ctr
+      - aes256-cbc
+    ssh_kex:
+      - diffie-hellman-group-exchange-sha256
+      - diffie-hellman-group-exchange-sha1
