Add support for crypto-policies #292

Open
dhoppe opened this issue Apr 20, 2020 · 8 comments

Comments

@dhoppe

dhoppe commented Apr 20, 2020

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.14.0
  • Ruby: 2.5.7p206
  • Distribution: CentOS 8
  • Module version: v6.1.0

How to reproduce (e.g. Puppet code you use)

---
ssh::server_options:
  Ciphers: '[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]'
  MACs: '[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512'
  KexAlgorithms: 'curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
  HostKeyAlgorithms: '[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

What are you seeing

The configuration has been changed, but has no effect at all.

What behaviour did you expect instead

The OpenSSH server should not use weak algorithms.

Any additional information you'd like to impart

[root@centos8 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-04-20 11:52:26 CEST; 42s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 11449 (sshd)
    Tasks: 1 (limit: 12224)
   Memory: 1.1M
   CGroup: /system.slice/sshd.service
           └─11449 /usr/sbin/sshd -D [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],hmac-sha1-etm@openssh.>

Apr 20 11:52:26 centos8 systemd[1]: Starting OpenSSH server daemon...
Apr 20 11:52:26 centos8 sshd[11449]: Server listening on 0.0.0.0 port 22.
Apr 20 11:52:26 centos8 sshd[11449]: Server listening on :: port 22.
Apr 20 11:52:26 centos8 systemd[1]: Started OpenSSH server daemon.
[root@centos8 ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target

[Service]
Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
[root@centos8 ~]# cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='[email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=rsa-sha2-256,[email protected],ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],rsa-sha2-512,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'
@dhoppe
Author

dhoppe commented Apr 20, 2020

I am not sure if this module should be able to configure /etc/crypto-policies/back-ends/opensshserver.config or just add the module camptocamp/puppet-systemd to get rid of the variable $CRYPTO_POLICY.

@saz
Owner

saz commented May 9, 2020

Looking at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#examples-of-opting-out-of-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies, the proper way of opting out of system-wide crypto policies is to set CRYPTO_POLICIES in /etc/sysconfig/sshd.

As far as I can see, system-wide crypto policies started from Red Hat 8 on.

@saz
Owner

saz commented May 11, 2020

@dhoppe Can you check and confirm that, before I start working on this?

@dhoppe
Author

dhoppe commented May 11, 2020

I already did. If I comment out the entry in /etc/sysconfig/sshd, the values from /etc/ssh/sshd_config are applied correctly.
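The precedence at work in this thread (the -o options carried in $CRYPTO_POLICY reach sshd on its command line, and sshd keeps the first value it obtains for an option, so sshd_config only applies once the policy no longer sets that option) can be reproduced offline. The script below is an added example, not part of the issue or the module; the policy string, the sshd_config fragment and the deny list are constructed and deliberately shorter than the ones posted above.

```shell
#!/bin/sh
# Constructed sample of a CRYPTO_POLICY value (same shape as the EL8 back-end
# file, shortened) and of the Ciphers/MACs/KexAlgorithms lines in sshd_config.
SAMPLE_CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256,hmac-sha1 -oKexAlgorithms=curve25519-sha256,diffie-hellman-group14-sha1'
SAMPLE_SSHD_CONFIG='Ciphers aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512'

# Value of option $1 from a CRYPTO_POLICY string $2 (the -oOption=value
# tokens sshd receives on its command line); empty if the policy omits it.
policy_option() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^-o$1=//p"
}

# Value of option $1 from sshd_config text $2 (keywords are case-insensitive);
# empty if the file does not set it.
config_option() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Effective value of option $1 given sshd_config text $2 and policy string $3:
# command-line -o options are parsed before the config file, and sshd keeps
# the first value seen, so the policy wins whenever it sets the option at all.
# An empty $3 models the opt-out (CRYPTO_POLICY= in /etc/sysconfig/sshd).
effective_option() {
    p=$(policy_option "$1" "$3")
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
    else
        config_option "$1" "$2"
    fi
}

# Entries of a comma-separated algorithm list that match a constructed deny
# list (CBC ciphers and SHA-1 MACs/kex), one per line; no output means clean.
weak_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E '(-cbc|-sha1|-sha1-etm@openssh\.com)$' || true
}

for opt in Ciphers MACs KexAlgorithms; do
    echo "$opt with policy   : $(effective_option "$opt" "$SAMPLE_SSHD_CONFIG" "$SAMPLE_CRYPTO_POLICY")"
    echo "$opt after opt-out : $(effective_option "$opt" "$SAMPLE_SSHD_CONFIG" "")"
    echo "weak entries kept  : $(weak_entries "$(effective_option "$opt" "$SAMPLE_SSHD_CONFIG" "$SAMPLE_CRYPTO_POLICY")" | tr '\n' ' ')"
done
```

On a live EL8 host the same comparison is the argument list shown by `systemctl status sshd` (as in the output above) against what `sshd -T` reports as the effective configuration.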

@zeekus

zeekus commented Jul 30, 2020

There is another way to turn off crypto policies if removing the CRYPTO_POLICY in the "/usr/lib/systemd/system/sshd.service" doesn't work.

It appears the crypto policies are loaded from a file called "/etc/ssh/ssh_config.d/05-redhat.conf", which is new with CentOS 8.

It seems the line "include /etc/crypto-policies/back-ends/openssh.conf" overrides the settings in /etc/ssh/sshd_config.

Commenting the line seems to prevent the system crypto policies from being applied.

@saz
Owner

saz commented May 23, 2024

I'm no CentOS expert at all, but I'm happy to accept any PR or comment with the proper way to handle this issue :-)

@nvergottini
Contributor

I would disagree that this module should manage crypto policies on EL8+. The file /etc/crypto-policies/back-ends/openssh.conf is managed by update-crypto-policies command, so this module should not modify it, and managing crypto policies in general affects more than just openssh, so it is really beyond the scope of what this module should do.

What this module should not do is break the mechanism used to manage openssh crypto policies on EL8+, which is what has happened on EL9 when managing openssh server crypto policies (and I assume openssh client crypto policies on EL8). I submitted pull request #390 to address the issue with EL9 and openssh server crypto policies.

@saz
Owner

saz commented Oct 15, 2024

I've merged #390. Please let me know if this resolves the issue and if something's still missing.
