Monday, Feb 6, 2017

chef-ssh-hardening 2.0.0 is released

The DevSec Hardening Framework project is releasing a new major version, chef-ssh-hardening 2.0.0, today.

Highlights and breaking changes:

  • On modern Chef versions (>= 12.10), the installed OpenSSH version is autodiscovered and used in the decision logic for the crypto parameters
  • New attribute namespace ['ssh-hardening'] for the entire cookbook
  • Split of attributes into the server and client namespaces
  • UsePAM is now set to yes by default (and setting it to no does not break RHEL installations)
  • Use of different encryption algorithms depending on the available OpenSSH version
  • Removal of DSA support
  • Use of strong primes for Diffie-Hellman

New attributes:

  • ['ssh-hardening']['ssh']['client']['send_env'] and ['ssh-hardening']['ssh']['server']['accept_env'] allow configuration of accepted/sent environment parameters
  • ['ssh-hardening']['ssh'][{'client', 'server'}]['kex'], ['ssh-hardening']['ssh'][{'client', 'server'}]['mac'] and ['ssh-hardening']['ssh'][{'client', 'server'}]['cipher'] allow configuration of own crypto parameters
  • ['ssh-hardening']['ssh']['server']['log_level'] allows configuration of sshd logging level
  • ['ssh-hardening']['ssh']['server']['dh_min_prime_size'], ['ssh-hardening']['ssh']['server']['dh_build_primes'] and ['ssh-hardening']['ssh']['server']['dh_build_primes_size'] allow configuration of DH prime parameters
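
The dh_min_prime_size attribute expresses a policy on the Diffie-Hellman group-exchange moduli the server may offer. As an added illustration (not code from the cookbook), the Ruby script below parses the OpenSSH moduli file format and drops entries whose prime is shorter than a given size. The sample moduli text is constructed and its modulus values are fake; the script assumes the common convention that the size field records one less than the nominal bit length (2047 for a 2048-bit prime).

```ruby
# Added example, not part of chef-ssh-hardening: filter OpenSSH moduli entries
# by minimum prime size, the policy that dh_min_prime_size expresses.

# Column order of /etc/ssh/moduli: time, type, tests, tries, size, generator, modulus.
MODULI_FIELDS = %i[time type tests tries size generator modulus].freeze

# Parse one moduli line into a Hash; comments, blank and malformed lines give nil.
def parse_moduli_line(line)
  return nil if line.strip.empty? || line.start_with?('#')
  fields = line.split
  return nil unless fields.length == MODULI_FIELDS.length
  entry = MODULI_FIELDS.zip(fields).to_h
  entry[:size] = entry[:size].to_i
  entry
end

# Keep entries whose prime is at least min_bits long. Assumption: the size
# field holds one less than the nominal length (2047 for a 2048-bit prime),
# so the comparison allows for that off-by-one.
def filter_moduli(text, min_bits)
  text.each_line
      .map { |line| parse_moduli_line(line) }
      .compact
      .select { |entry| entry[:size] >= min_bits - 1 }
end

# Constructed sample; real modulus values are hundreds of hex digits long.
SAMPLE_MODULI = <<~MODULI
  # Time Type Tests Tries Size Generator Modulus
  20170206000000 2 6 100 1023 2 DEADBEEF01
  20170206000000 2 6 100 2047 2 DEADBEEF02
  20170206000000 2 6 100 4095 5 DEADBEEF03
MODULI

if __FILE__ == $PROGRAM_NAME
  kept = filter_moduli(SAMPLE_MODULI, 2048)
  puts "kept #{kept.length} of 3 moduli entries"
  kept.each { |entry| puts "size #{entry[:size]} (generator #{entry[:generator]})" }
end
```

Running the script against a real moduli file (replace SAMPLE_MODULI with File.read('/etc/ssh/moduli')) shows which groups a 2048-bit or 4096-bit minimum would leave in place.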

Removal of deprecated code/features:

  • Removal of user management / key management for the root user
  • Removal of old global attributes with crypto parameters: ['ssh-hardening']['ssh']['cbc_required'], ['ssh-hardening']['ssh']['weak_hmac'] and ['ssh-hardening']['ssh']['weak_kex']
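
Before upgrading a node to 2.0.0 it is worth checking its attributes for the removed global crypto attributes and for settings that were not moved into the new client/server split. The Ruby script below is an added example, not part of the cookbook: it walks a node attribute hash (here a constructed JSON sample) and reports the removed keys named above and any key left directly under ['ssh-hardening']['ssh'] instead of under 'client' or 'server'.

```ruby
# Added example, not part of chef-ssh-hardening: pre-upgrade check of node
# attributes for settings removed or relocated in 2.0.0.
require 'json'

# Global crypto attributes removed in 2.0.0.
REMOVED_ATTRIBUTES = %w[cbc_required weak_hmac weak_kex].freeze
# The only sub-namespaces that remain below ['ssh-hardening']['ssh'].
SPLIT_NAMESPACES = %w[client server].freeze

# Return a list of findings; an empty list means nothing stale was found.
def check_ssh_hardening_attributes(node)
  findings = []
  ssh = node.dig('ssh-hardening', 'ssh') || {}

  REMOVED_ATTRIBUTES.each do |key|
    next unless ssh.key?(key)
    findings << "['ssh-hardening']['ssh']['#{key}'] was removed in 2.0.0; " \
                'configure kex/mac/cipher under the client or server namespace instead'
  end

  (ssh.keys - SPLIT_NAMESPACES - REMOVED_ATTRIBUTES).each do |key|
    findings << "['ssh-hardening']['ssh']['#{key}'] is not under the 'client' or " \
                "'server' namespace introduced in 2.0.0"
  end

  findings
end

# Constructed node attribute JSON: one removed attribute (weak_kex), one
# setting left outside the split (log_level), and two migrated settings.
SAMPLE_NODE_JSON = <<~JSON
  {
    "ssh-hardening": {
      "ssh": {
        "weak_kex": false,
        "log_level": "INFO",
        "server": { "log_level": "VERBOSE", "dh_min_prime_size": 4096 },
        "client": { "send_env": ["LANG", "LC_*"] }
      }
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  findings = check_ssh_hardening_attributes(JSON.parse(SAMPLE_NODE_JSON))
  if findings.empty?
    puts 'attributes look ready for chef-ssh-hardening 2.0.0'
  else
    findings.each { |finding| puts "WARN: #{finding}" }
  end
end
```

To use it on a real node, feed it the output of knife node show with JSON formatting instead of the constructed sample.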

Please check out the full changelog and README for more details.

We are looking forward to getting your feedback via GitHub issues or the Gitter chatroom. You can also follow us on Twitter.