Version information
Start using this module
Add this module to your Puppetfile:
mod 'hardening-ssh_hardening', '1.0.5'
Learn more about managing modules with a PuppetfileDocumentation
Puppet SSH hardening
Description
This Puppet module provides secure ssh-client and ssh-server configurations.
Requirements
- Puppet
- Puppet modules:
saz/ssh
(>= 2.3.6),puppetlabs/stdlib
(>= 4.2.0)
Parameters
ipv6_enabled = false
- true if IPv6 is neededcbc_required = false
- true if CBC for ciphers is required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure ciphers enabled. CBC is a weak alternative. Anything weaker should be avoided and is thus not available.weak_hmac = false
- true if weaker HMAC mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure HMACs enabled.weak_kex = false
- true if weaker Key-Exchange (KEX) mechanisms are required. This is usually only necessary, if older M2M mechanism need to communicate with SSH, that don't have any of the configured secure KEXs enabled.allow_root_with_key = false
-false
to disable root login altogether. Set totrue
to allow root to login via key-based mechanism.ports = [ 22 ]
- ports to which ssh-server should listen to and ssh-client should connect tolisten_to = [ "0.0.0.0" ]
- one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!remote_hosts
- one or more hosts, to which ssh-client can connect to. Default is empty, but should be configured for security reasons!allow_tcp_forwarding = false
- set to true to allow TCP forwardingallow_agent_forwarding = false
- set to true to allow Agent forwardinguse_pam = false
to disable pam authenticationclient_options = {}
- set values in the hash to override the module's settingsserver_options = {}
- set values in the hash to override the module's settings
Usage
After adding this module, you can use the class:
class { 'ssh_hardening': }
This will install ssh-server and ssh-client. You can alternatively choose only one via:
class { 'ssh_hardening::server': }
class { 'ssh_hardening::client': }
You should configure core attributes:
class { 'ssh_hardening::server':
"listen_to" : ["10.2.3.4"]
}
The default value for listen_to
is 0.0.0.0
. It is highly recommended to change the value.
Overwriting default options
Default options will be merged with options passed in by the client_options
and server_options
parameters.
If an option is set both as default and via options parameter, the latter will win.
The following example will enable X11Forwarding, which is disabled by default:
class { 'ssh_hardening':
server_options => {
'X11Forwarding' => 'yes',
},
}
FAQ / Pitfalls
I can't log into my account. I have registered the client key, but it still doesn't let me it.
If you have exhausted all typical issues (firewall, network, key missing, wrong key, account disabled etc.), it may be that your account is locked. The quickest way to find out is to look at the password hash for your user:
sudo grep myuser /etc/shadow
If the hash includes an !
, your account is locked:
myuser:!:16280:7:60:7:::
The proper way to solve this is to unlock the account (passwd -u myuser
). If the user doesn't have a password, you should can unlock it via:
usermod -p "*" myuser
Alternatively, if you intend to use PAM, you enabled it via use_pam = true
. PAM will allow locked users to get in with keys.
Why doesn't my application connect via SSH anymore?
Always look into log files first and if possible look at the negotation between client and server that is completed when connecting.
We have seen some issues in applications (based on python and ruby) that are due to their use of an outdated crypto set. This collides with this hardening module, which reduced the list of ciphers, message authentication codes (MACs) and key exchange (KEX) algorithms to a more secure selection.
If you find this isn't enough, feel free to activate cbc_required
for ciphers, weak_hmac
for MACs, and weak_kex
for KEX.
Contributors + Kudos
- Dominik Richter arlimus
- Edmund Haselwanter ehaselwanter
- Christoph Hartmann chris-rock
- Patrick Meier atomic111
- Matthew Haughton 3flex
- Bernhard Schmidt bernhardschmidt
- Kurt Huwig kurthuwig
- Artem Sidorenko artem-sidorenko
- Guillaume Destuynder gdestuynder
- Bernhard Weisshuhn bkw
- stribika
License and Author
- Author:: Dominik Richter dominik.richter@googlemail.com
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Changelog
1.0.5
- feature: UsePrivilegeSeparation = sandbox for ssh >= 5.9
- feature: support Puppet 4
1.0.4
- improvement: reprioritize EtM-based MACs
- improvement: move SHA1 KEX algos from default to weak profile
1.0.3
- feature: remove legacy SSHv1 code
- feature: add back GCM cipher
1.0.2
- bugfix: pass allow_{tcp,agent}_forwarding from init to classes
1.0.1
- feature: add back puppet 3.4.3 support
- feature: make other SSH configuration options configurable
- improvement: added faq on locked accounts to readme
1.0.0
- feature: add support for oracle linux in crypto
- feature: add configurable agent and tcp forwarding
- feature: add kex configuration for redhat and centos
- feature: add mac configuration for redhat and centos
- feature: add cipher configuration for redhat and centos
- feature: implemented cipher detection for ubuntu 12.04 and 14.04
- feature: implemented mac detection for ubuntu 12.04 and 14.04
- feature: implemented kex detection for ubuntu 12.04 and 14.04
- feature: make crypto configuration conditional on the OS
- bugfix: dont set
undef
values in ssh client config
0.1.1
- improvement: add kitchen tests (pre-release)
- improvement: puppet-lint fixes
- bugfix: adjust client ciphers to working set
- bugfix: correct string concatenantions
- bugfix: mac -> macs
0.1.0
Initial release
Dependencies
- saz/ssh (>= 2.3.6)
- puppetlabs/stdlib (>= 4.2.0)