Skip to content

Commit a08a169

Browse files
arlimusarlimus
committed
feature: UsePrivilegeSeparation = sandbox for ssh >= 5.9
See: * #42 * dev-sec/ssh-baseline#44 Signed-off-by: Dominik Richter <[email protected]>
1 parent 69d463e commit a08a169

File tree

2 files changed

+39
-1
lines changed

2 files changed

+39
-1
lines changed

lib/puppet/parser/functions/use_privilege_separation.rb

+37
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
# encoding: utf-8
2+
#
3+
# Copyright 2015, Dominik Richter
4+
#
5+
# Licensed under the Apache License, Version 2.0 (the "License");
6+
# you may not use this file except in compliance with the License.
7+
# You may obtain a copy of the License at
8+
#
9+
# http://www.apache.org/licenses/LICENSE-2.0
10+
#
11+
# Unless required by applicable law or agreed to in writing, software
12+
# distributed under the License is distributed on an "AS IS" BASIS,
13+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14+
# See the License for the specific language governing permissions and
15+
# limitations under the License.
16+
#
17+
18+
Puppet::Parser::Functions.newfunction(:use_privilege_separation, :type => :rvalue) do |args|
19+
os = args[0].downcase
20+
osrelease = args[1]
21+
osmajor = osrelease.sub(/\..*/, '')
22+
23+
ps53 = 'yes'
24+
ps59 = 'sandbox'
25+
ps = ps59
26+
27+
# redhat/centos/oracle 6.x has ssh 5.3
28+
if os == 'redhat' || os == 'centos' || os == 'oraclelinux'
29+
ps = ps53
30+
31+
# debian 7.x and newer has ssh 5.9+
32+
elsif os == 'debian' && osmajor.to_i <= 6
33+
ps = ps53
34+
end
35+
36+
ps
37+
end

manifests/server.pp

+2-1
Original file line numberDiff line numberDiff line change
@@ -76,6 +76,7 @@
7676
$ciphers = get_ssh_ciphers($::operatingsystem, $::operatingsystemrelease, $cbc_required)
7777
$macs = get_ssh_macs($::operatingsystem, $::operatingsystemrelease, $weak_hmac)
7878
$kex = get_ssh_kex($::operatingsystem, $::operatingsystemrelease, $weak_kex)
79+
$priv_sep = use_privilege_separation($::operatingsystem, $::operatingsystemrelease)
7980

8081
$permit_root_login = $allow_root_with_key ? {
8182
true => 'without-password',
@@ -169,7 +170,7 @@
169170

170171
# Secure Login directives.
171172
'UseLogin' => 'no',
172-
'UsePrivilegeSeparation' => 'sandbox',
173+
'UsePrivilegeSeparation' => $priv_sep,
173174
'PermitUserEnvironment' => 'no',
174175
'LoginGraceTime' => '30s',
175176
'MaxAuthTries' => 2,

0 commit comments

Comments
 (0)