Merge pull request #72 from TelekomLabs/priv-sep-sandbox

chris-rock · chris-rock · commit 31b8fb7e4da6 · 2015-02-06T10:02:49.000+01:00
add privilege separation via sandbox mode for ssh &gt;= 5.9
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -59,3 +59,5 @@
 default['ssh']['allow_tcp_forwarding']    = false   # sshd
 default['ssh']['allow_agent_forwarding']  = false   # sshd
 default['ssh']['use_pam']                 = false   # sshd
+# set this to nil to let us detect the attribute based on the node platform
+default['ssh']['use_privilege_separation'] = nil
diff --git a/libraries/use_privilege_separation.rb b/libraries/use_privilege_separation.rb
@@ -0,0 +1,46 @@
+# encoding: utf-8
+#
+# Cookbook Name:: ssh-hardening
+# Library:: use_privilege_separation
+#
+# Copyright 2015, Dominik Richter
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class Recipe
+    class UsePrivilegeSeparation
+      def self.get(node)
+        # define cipher set
+        ps53 = 'yes'
+        ps59 = 'sandbox'
+        ps = ps59
+
+        # ubuntu 12.04 and newer has ssh 5.9+
+
+        # redhat/centos/oracle 6.x has ssh 5.3
+        if node['platform_family'] == 'rhel'
+          ps = ps53
+
+        # debian 7.x and newer has ssh 5.9+
+        elsif node['platform'] == 'debian' && node['platform_version'].to_f <= 6
+          ps = ps53
+        end
+
+        Chef::Log.info("UsePrivilegeSeparation: #{ps}")
+        ps
+      end
+    end
+  end
+end
diff --git a/recipes/server.rb b/recipes/server.rb
@@ -92,7 +92,8 @@
   variables(
     mac: SshMac.get_macs(node, node['ssh']['server']['weak_hmac']),
     kex: SshKex.get_kexs(node, node['ssh']['server']['weak_kex']),
-    cipher: SshCipher.get_ciphers(node, node['ssh']['server']['cbc_required'])
+    cipher: SshCipher.get_ciphers(node, node['ssh']['server']['cbc_required']),
+    use_priv_sep: node['ssh']['use_privilege_separation'] || UsePrivilegeSeparation.get(node)
   )
   notifies :restart, 'service[sshd]'
 end
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
@@ -86,7 +86,7 @@ KexAlgorithms <%= @kex %>
 
 # Secure Login directives.
 UseLogin no
-UsePrivilegeSeparation yes
+UsePrivilegeSeparation <%= @use_priv_sep %>
 PermitUserEnvironment no
 LoginGraceTime 30s
 MaxAuthTries 2
