Monday, Feb 6, 2017
chef-ssh-hardening 2.0.0 is released
The DevSec Hardening Framework project is releasing a new major version, chef-ssh-hardening 2.0.0, today.
Highlights and breaking changes:
- On modern Chef versions (>= 12.10), autodiscovery of the OpenSSH version is used in the decision logic for the crypto parameters
- New attribute namespace `['ssh-hardening']` for the entire cookbook
- Split of the attributes into the `server` and `client` namespaces
- `UsePAM` is now set to `yes` per default (and does not break RHEL installations if set to `no`)
- Usage of different encryption algorithms based on the available OpenSSH version
- Removal of DSA support
- Usage of strong primes for Diffie-Hellman
New attributes:
- `['ssh-hardening']['ssh']['client']['send_env']` and `['ssh-hardening']['ssh']['server']['accept_env']` allow configuration of the sent/accepted environment parameters
- `['ssh-hardening']['ssh'][{'client', 'server'}]['kex']`, `['ssh-hardening']['ssh'][{'client', 'server'}]['mac']` and `['ssh-hardening']['ssh'][{'client', 'server'}]['cipher']` allow configuration of your own crypto parameters
- `['ssh-hardening']['ssh']['server']['log_level']` allows configuration of the sshd logging level
- `['ssh-hardening']['ssh']['server']['dh_min_prime_size']`, `['ssh-hardening']['ssh']['server']['dh_build_primes']` and `['ssh-hardening']['ssh']['server']['dh_build_primes_size']` allow configuration of the DH prime parameters
Removal of deprecated code/features:
- Removal of user management / key management for the root user
- Removal of the old global attributes with crypto parameters: `['ssh-hardening']['ssh']['cbc_required']`, `['ssh-hardening']['ssh']['weak_hmac']` and `['ssh-hardening']['ssh']['weak_kex']`
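As an added example (not code from the cookbook or the DevSec project), here is a small migration check a wrapper cookbook could use when moving to 2.0.0: it builds the new `['ssh-hardening']` tree split into `client` and `server`, and flags any of the removed global crypto attributes that are still set. Node attributes are modelled as a plain nested Hash so it runs without Chef; the attribute names come from the release notes above, while the sample values, the value formats and the helper names are assumptions.

```ruby
# Added example, not part of chef-ssh-hardening: node attributes are a plain
# nested Hash here so the check runs without Chef. Key names are from the
# 2.0.0 release notes; sample values and accepted formats are assumptions.

# Global attributes removed in 2.0.0; setting them no longer has any effect.
DEPRECATED_SSH_ATTRS = %w[cbc_required weak_hmac weak_kex].freeze

# Returns the deprecated attribute paths still present on a node, so a wrapper
# cookbook can fail fast instead of silently running with ignored settings.
def deprecated_ssh_attrs(node)
  ssh = node.dig('ssh-hardening', 'ssh') || {}
  DEPRECATED_SSH_ATTRS.select { |k| ssh.key?(k) }
                      .map { |k| "['ssh-hardening']['ssh']['#{k}']" }
end

# Builds a 2.0.0-style attribute tree under the single ['ssh-hardening']
# namespace, split into 'client' and 'server'. The kex name is a real OpenSSH
# algorithm identifier; the exact value format the cookbook expects is assumed.
def ssh_hardening_attrs
  {
    'ssh-hardening' => {
      'ssh' => {
        'client' => {
          'send_env' => %w[LANG LC_*],
          'kex'      => 'curve25519-sha256@libssh.org'
        },
        'server' => {
          'accept_env'           => %w[LANG LC_*],
          'kex'                  => 'curve25519-sha256@libssh.org',
          'log_level'            => 'verbose',
          'dh_min_prime_size'    => 2048,
          'dh_build_primes'      => true,
          'dh_build_primes_size' => 4096
        }
      }
    }
  }
end

# Sanity check on a merged node: no deprecated key left behind, and the primes
# the server is asked to build are not smaller than the configured minimum.
def ssh_attrs_valid?(node)
  return false unless deprecated_ssh_attrs(node).empty?
  server = node.dig('ssh-hardening', 'ssh', 'server') || {}
  min  = server['dh_min_prime_size']
  size = server['dh_build_primes_size']
  return true unless min && size
  size >= min
end
```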
Please check out the full changelog and README for more details.
We are looking forward to getting your feedback via GitHub issues or the Gitter chatroom. And you can follow us on Twitter.