Merge pull request #203 from artem-forks/deprecations

Removal of deprecated options for newer openssh versions

Author: artem-sidorenko

.kitchen.dokken.yml

@@ -94,6 +94,3 @@ suites:
   run_list:
   - recipe[test]
   - recipe[ssh-hardening]
-  verifier:
-    inspec_tests:
-      - https://github.com/dev-sec/ssh-baseline

.kitchen.yml

@@ -36,9 +36,6 @@ suites:
   run_list:
   - recipe[test]
   - recipe[ssh-hardening]
-  verifier:
-    inspec_tests:
-      - https://github.com/dev-sec/ssh-baseline
 - name: rhel-with-disabled-pam
   includes:
     - centos-6.8
@@ -61,5 +58,5 @@ suites:
           use_pam: false
   verifier:
     inspec_tests:
-      - https://github.com/dev-sec/ssh-baseline
+      - test/integration/default
       - test/integration/without-pam

recipes/client.rb

@@ -20,14 +20,14 @@
 # limitations under the License.
 #
 
-ohai 'reload' do
+ohai 'reload openssh-client' do
   action :nothing
 end
 
 package 'openssh-client' do
   package_name node['ssh-hardening']['sshclient']['package']
   # we need to reload the package version, otherwise we get the version that was installed before cookbook execution
-  notifies :reload, 'ohai[reload]', :immediate
+  notifies :reload, 'ohai[reload openssh-client]', :immediately
 end
 
 directory 'openssh-client ssh directory /etc/ssh' do

recipes/server.rb

@@ -40,14 +40,14 @@
 directory cache_dir
 
 # installs package name
-ohai 'reload' do
+ohai 'reload openssh-server' do
   action :nothing
 end
 
 package 'openssh-server' do
   package_name node['ssh-hardening']['sshserver']['package']
   # we need to reload the package version, otherwise we get the version that was installed before cookbook execution
-  notifies :reload, 'ohai[reload]', :immediate
+  notifies :reload, 'ohai[reload openssh-server]', :immediately
 end
 
 # Handle addional SELinux policy on RHEL/Fedora for different UsePAM options
@@ -181,7 +181,8 @@
         kex:          node['ssh-hardening']['ssh']['server']['kex']    || DevSec::Ssh.get_server_kexs(node['ssh-hardening']['ssh']['server']['weak_kex']),
         cipher:       node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']),
         use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion,
-        hostkeys:     node['ssh-hardening']['ssh']['server']['host_key_files'] || DevSec::Ssh.get_server_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" }
+        hostkeys:     node['ssh-hardening']['ssh']['server']['host_key_files'] || DevSec::Ssh.get_server_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" },
+        version:      DevSec::Ssh.get_ssh_server_version
       }
     end
   )

spec/recipes/server_spec.rb

@@ -230,6 +230,46 @@
     expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UsePAM yes')
   end
 
+  describe 'version specifc options' do
+    context 'running with OpenSSH < 7.4' do
+      it 'should have UseLogin' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UseLogin')
+      end
+
+      it 'should have UsePrivilegeSeparation' do
+        expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content('UsePrivilegeSeparation')
+      end
+    end
+
+    context 'running with OpenSSH >= 7.4 on RHEL 7' do
+      let(:chef_run) do
+        ChefSpec::ServerRunner.new(platform: 'centos', version: '7.5.1804').converge(described_recipe)
+      end
+
+      before do
+        stub_command('getenforce | grep -vq Disabled && semodule -l | grep -q ssh_password').and_return(true)
+      end
+
+      it 'should not have UseLogin' do
+        expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content('UseLogin')
+      end
+    end
+
+    context 'running with Openssh >= 7.5 on Ubuntu 18.04' do
+      let(:chef_run) do
+        ChefSpec::ServerRunner.new(version: '18.04').converge(described_recipe)
+      end
+
+      it 'should not have UseLogin' do
+        expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content('UseLogin')
+      end
+
+      it 'should not have UsePrivilegeSeparation' do
+        expect(chef_run).to_not render_file('/etc/ssh/sshd_config').with_content('UsePrivilegeSeparation')
+      end
+    end
+  end
+
   describe 'UsePAM option' do
     let(:use_pam) { true }
 
@@ -269,7 +309,7 @@
 
     context 'when running on CentOS' do
       let(:platform) { 'centos' }
-      let(:version) { '7.2.1511' }
+      let(:version) { '7.5.1804' }
 
       let(:selinux_disabled_or_policy_removed) { false }
       let(:selinux_enabled_and_policy_installed) { false }
@@ -392,7 +432,7 @@
       end
 
       cached(:chef_run) do
-        ChefSpec::ServerRunner.new(platform: 'centos', version: '7.2.1511') do |node|
+        ChefSpec::ServerRunner.new(platform: 'centos', version: '7.5.1804') do |node|
           node.normal['ssh-hardening']['ssh']['server']['os_banner'] = true
         end.converge(described_recipe)
       end

templates/default/opensshd.conf.erb

@@ -85,8 +85,12 @@ KexAlgorithms <%= @kex %>
 # --------------
 
 # Secure Login directives.
+<% if @version.to_f < 7.4 %>
 UseLogin no
+<% end %>
+<% if @version.to_f < 7.5 %>
 UsePrivilegeSeparation <%= @use_priv_sep %>
+<% end %>
 PermitUserEnvironment no
 LoginGraceTime <%= @node['ssh-hardening']['ssh']['server']['login_grace_time'] %>
 MaxAuthTries <%= @node['ssh-hardening']['ssh']['server']['max_auth_tries'] %>

test/integration/default/controls/deprecations.rb

@@ -0,0 +1,7 @@
+control 'sshd configuration should not have any deprecations' do
+  describe command('sshd -t') do
+    its(:exit_status) { should eq 0 }
+    its(:stdout) { should eq '' }
+    its(:stderr) { should eq '' }
+  end
+end

test/integration/default/controls/ssh-baseline.rb

@@ -0,0 +1 @@
+include_controls 'ssh-baseline'

test/integration/default/inspec.yml

@@ -0,0 +1,5 @@
+name: ssh-hardening-integration-tests
+version: 1.0.0
+depends:
+  - name: ssh-baseline
+    url: https://github.com/dev-sec/ssh-baseline