From 23cd006724755dac1a8fb22e6dd0126d19d3a00c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 14:06:10 -0400 Subject: [PATCH 1/6] so-ssh-harden fixes * Change when script is run during setup * Add newlines to sshd config for legibility --- salt/common/tools/sbin/so-ssh-harden | 8 +++++++- setup/so-functions | 2 -- setup/so-setup | 1 + 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 1fd7d58d9..5891e4309 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -38,8 +38,12 @@ print_msg() { fi } +# Add newline to ssh for legibility +echo "" >> /etc/ssh/sshd_config + if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "ciphers" "After" echo "" @@ -51,6 +55,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "After" echo "" @@ -62,6 +67,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "macs" "After" echo "" @@ -73,6 +79,7 @@ fi if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config +echo "" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "After" echo "" @@ -90,4 +97,3 @@ fi {% if grains['os'] != 'CentOS' %} print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." {% endif %} - diff --git a/setup/so-functions b/setup/so-functions index 29a58e718..deeefb3ba 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1436,8 +1436,6 @@ install_cleanup() { info "Removing so-setup permission entry from sudoers file" sed -i '/so-setup/d' /etc/sudoers fi - - so-ssh-harden -q } import_registry_docker() { diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..ba76b303e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -888,6 +888,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 85 'Applying finishing touches' filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 + so-ssh-harden -q >> $setup_log 2>&1 if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' From 982f2de33ce0e6025b49552345eb174f15652bc0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Mar 2021 09:48:00 -0400 Subject: [PATCH 2/6] [fix] Refactor so-ssh-harden * Create a temp file to make changes, and only copy back over if any changes are made * Test changes as they're made, and exit if the test fails * Only add lines if they don't already exist in the config --- salt/common/tools/sbin/so-ssh-harden | 152 +++++++++++++++++---------- 1 file changed, 98 insertions(+), 54 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 5891e4309..0e0b28b39 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -6,14 +6,16 @@ if [[ $1 =~ ^(-q|--quiet) ]]; then quiet=true fi +sshd_config=/etc/ssh/sshd_config +temp_config=/tmp/sshd_config + before= after= reload_required=false -print_sshd_t() { +check_sshd_t() { local string=$1 local state=$2 - echo "${state}:" local grep_out grep_out=$(sshd -T | grep "^${string}") @@ -23,8 +25,17 @@ print_sshd_t() { else after=$grep_out fi +} - echo $grep_out +print_diff() { + local type=$1 + local diff + diff=$(diff -dqbB <(echo $before) <(echo $after)) + + if [[ -n $diff ]]; then + printf '%s\n' "$type" "$diff" + echo "" + fi } print_msg() { @@ -33,67 +44,100 @@ print_msg() { printf "%s\n" \ "----" \ "$msg" \ - "----" \ - "" + "----" fi } -# Add newline to ssh for legibility -echo "" >> /etc/ssh/sshd_config +add_if_missing() { + local string=$1 + if ! grep -q "$1" $temp_config; then + printf "%s\n\n" "$1" >> $temp_config + reload_required=true + fi +} -if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi -sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "ciphers" "After" - echo "" -fi +test_config() { + local msg + msg=$(sshd -t -f $temp_config) + local ret=$? -if [[ $before != $after ]]; then - reload_required=true -fi + if [[ -n $msg ]]; then + echo "Error found in temp sshd config:" + echo $msg + fi -if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi -sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "kexalgorithms" "After" - echo "" -fi + return $ret +} -if [[ $before != $after ]]; then - reload_required=true -fi +main() { + if ! [[ $quiet ]]; then echo "Copying current config to $temp_config"; fi + cp $sshd_config $temp_config -if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi -sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "macs" "After" - echo "" -fi + # Add newline to ssh for legibility + echo "" >> $temp_config -if [[ $before != $after ]]; then - reload_required=true -fi + # Ciphers + check_sshd_t "ciphers" "Before" + local cipher_string + cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") -if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi -sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config -echo "" >> /etc/ssh/sshd_config -if ! [[ $quiet ]]; then - print_sshd_t "hostkeyalgorithms" "After" - echo "" -fi + check_sshd_t "ciphers" "After" -if [[ $before != $after ]]; then - reload_required=true -fi + if ! [[ $quiet ]]; then print_diff "ciphers"; fi -if [[ $reload_required == true ]]; then - print_msg "Reloading sshd to load config changes..." - systemctl reload sshd -fi + if [[ $before != $after ]]; then + add_if_missing "$cipher_string" && test_config || exit 1 + fi -{% if grains['os'] != 'CentOS' %} -print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." -{% endif %} + # KexAlgorithms + check_sshd_t "kexalgorithms" "Before" + + local kexalg_string + kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") + + check_sshd_t "kexalgorithms" "After" + + if ! [[ $quiet ]]; then print_diff "kexalgorithms"; fi + + if [[ $before != $after ]]; then + add_if_missing "$kexalg_string" && test_config || exit 1 + fi + + # Macs + check_sshd_t "macs" "Before" + local macs_string + macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") + + check_sshd_t "macs" "After" + + if ! [[ $quiet ]]; then print_diff "macs"; fi + + if [[ $before != $after ]]; then + add_if_missing "$mac_string" && test_config || exit 1 + fi + + # HostKeyAlgorithms + check_sshd_t "hostkeyalgorithms" "Before" + local hostkeyalg_string + hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") + + check_sshd_t "hostkeyalgorithms" "After" + + if ! [[ $quiet ]]; then print_diff "hostkeyalgorithms"; fi + + if [[ $before != $after ]]; then + add_if_missing "$hostkeyalg_string" && test_config || exit 1 + fi + + if [[ $reload_required == true ]]; then + mv -f $temp_config $sshd_config + if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes..."; fi + systemctl reload sshd + print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." + else + if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up."; fi + rm -f $temp_config + fi +} + +main From 43c31b4e665fc993f6d5f6d07506ef19619cc924 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 1 Apr 2021 14:56:05 -0400 Subject: [PATCH 3/6] Fix script so changes are actually made --- salt/common/tools/sbin/so-ssh-harden | 70 ++++++++++++---------------- 1 file changed, 30 insertions(+), 40 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 0e0b28b39..532e2f737 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -4,6 +4,8 @@ if [[ $1 =~ ^(-q|--quiet) ]]; then quiet=true +elif [[ $1 =~ ^(-v|--verbose) ]]; then + verbose=true fi sshd_config=/etc/ssh/sshd_config @@ -12,39 +14,27 @@ temp_config=/tmp/sshd_config before= after= reload_required=false +change_header_printed=false check_sshd_t() { local string=$1 - local state=$2 local grep_out grep_out=$(sshd -T | grep "^${string}") - if [[ $state == "Before" ]]; then - before=$grep_out - else - after=$grep_out - fi + before=$grep_out } print_diff() { - local type=$1 local diff - diff=$(diff -dqbB <(echo $before) <(echo $after)) + diff=$(diff -dbB <(echo $before) <(echo $after) | awk 'NR>1') if [[ -n $diff ]]; then - printf '%s\n' "$type" "$diff" - echo "" - fi -} - -print_msg() { - local msg=$1 - if ! [[ $quiet ]]; then - printf "%s\n" \ - "----" \ - "$msg" \ - "----" + if [[ $change_header_printed == false ]]; then + printf '%s\n' '' "Changes" '-------' '' + change_header_printed=true + fi + echo -e "$diff\n" fi } @@ -77,65 +67,65 @@ main() { echo "" >> $temp_config # Ciphers - check_sshd_t "ciphers" "Before" + check_sshd_t "ciphers" local cipher_string cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") - check_sshd_t "ciphers" "After" + after=$cipher_string - if ! [[ $quiet ]]; then print_diff "ciphers"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then + if [[ $before != "$after" ]]; then add_if_missing "$cipher_string" && test_config || exit 1 fi # KexAlgorithms - check_sshd_t "kexalgorithms" "Before" + check_sshd_t "kexalgorithms" local kexalg_string kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") - check_sshd_t "kexalgorithms" "After" + after=$kexalg_string - if ! [[ $quiet ]]; then print_diff "kexalgorithms"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then + if [[ $before != "$after" ]]; then add_if_missing "$kexalg_string" && test_config || exit 1 fi # Macs - check_sshd_t "macs" "Before" + check_sshd_t "macs" local macs_string macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") - check_sshd_t "macs" "After" + after=$macs_string - if ! [[ $quiet ]]; then print_diff "macs"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then - add_if_missing "$mac_string" && test_config || exit 1 + if [[ $before != "$after" ]]; then + add_if_missing "$macs_string" && test_config || exit 1 fi # HostKeyAlgorithms - check_sshd_t "hostkeyalgorithms" "Before" + check_sshd_t "hostkeyalgorithms" local hostkeyalg_string hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") - check_sshd_t "hostkeyalgorithms" "After" + after=$hostkeyalg_string - if ! [[ $quiet ]]; then print_diff "hostkeyalgorithms"; fi + if [[ $verbose ]]; then print_diff; fi - if [[ $before != $after ]]; then + if [[ $before != "$after" ]]; then add_if_missing "$hostkeyalg_string" && test_config || exit 1 fi if [[ $reload_required == true ]]; then mv -f $temp_config $sshd_config - if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes..."; fi + if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi systemctl reload sshd - print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." + echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." else - if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up."; fi + if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi rm -f $temp_config fi } From fd57996bc6980ce7ddb7147f8bd43039337311e8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 2 Apr 2021 10:00:27 -0400 Subject: [PATCH 4/6] Change behavior of adding lines to sshd config * Replace existing lines in cases where a change has already been made --- salt/common/tools/sbin/so-ssh-harden | 20 +++++++++++--------- setup/so-setup | 2 +- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 532e2f737..bdec9894b 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -38,12 +38,14 @@ print_diff() { fi } -add_if_missing() { - local string=$1 - if ! grep -q "$1" $temp_config; then - printf "%s\n\n" "$1" >> $temp_config - reload_required=true +replace_or_add() { + local type=$1 + local string=$2 + if grep -q "$type" $temp_config; then + sed -i "/$type .*/d" $temp_config fi + printf "%s\n\n" "$string" >> $temp_config + reload_required=true } test_config() { @@ -76,7 +78,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$cipher_string" && test_config || exit 1 + replace_or_add "ciphers" "$cipher_string" && test_config || exit 1 fi # KexAlgorithms @@ -90,7 +92,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$kexalg_string" && test_config || exit 1 + replace_or_add "kexalgorithms" "$kexalg_string" && test_config || exit 1 fi # Macs @@ -103,7 +105,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$macs_string" && test_config || exit 1 + replace_or_add "macs" "$macs_string" && test_config || exit 1 fi # HostKeyAlgorithms @@ -116,7 +118,7 @@ main() { if [[ $verbose ]]; then print_diff; fi if [[ $before != "$after" ]]; then - add_if_missing "$hostkeyalg_string" && test_config || exit 1 + replace_or_add "hostkeyalgorithms" "$hostkeyalg_string" && test_config || exit 1 fi if [[ $reload_required == true ]]; then diff --git a/setup/so-setup b/setup/so-setup index a742630f7..584dc7933 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -906,7 +906,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 85 'Applying finishing touches' filter_unused_nics >> $setup_log 2>&1 network_setup >> $setup_log 2>&1 - so-ssh-harden -q >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' From 8b8086b91a16b9e2a382d139f17db7651e9ddbdc Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 2 Apr 2021 10:20:28 -0400 Subject: [PATCH 5/6] Update wording, as the new key tends to be ED25519, not ECDSA --- salt/common/tools/sbin/so-ssh-harden | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index bdec9894b..5e740c4dd 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -125,7 +125,7 @@ main() { mv -f $temp_config $sshd_config if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes"; fi systemctl reload sshd - echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." + echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the host key fingerprint for this server before reconnecting." else if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up"; fi rm -f $temp_config From d19c03efef69eaf4b9ddad6dea271764fad038bc Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 2 Apr 2021 14:49:22 -0400 Subject: [PATCH 6/6] Refactor search of config lines * Create arrays for each line and loop through them for better code readability * Add more host key algorithms for removal * Update regex to look for a comma or EOL at the end of the search term, to avoid missing last item in list --- salt/common/tools/sbin/so-ssh-harden | 68 ++++++++++++++++++++++++---- 1 file changed, 60 insertions(+), 8 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 5e740c4dd..2a057ff5e 100755 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -70,8 +70,23 @@ main() { # Ciphers check_sshd_t "ciphers" - local cipher_string - cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g") + + local bad_ciphers=( + "3des-cbc" + "aes128-cbc" + "aes192-cbc" + "aes256-cbc" + "arcfour" + "arcfour128" + "arcfour256" + "blowfish-cbc" + "cast128-cbc" + ) + + local cipher_string=$before + for cipher in "${bad_ciphers[@]}"; do + cipher_string=$(echo "$cipher_string" | sed "s/${cipher}\(,\|\$\)//g" | sed 's/,$//') + done after=$cipher_string @@ -84,8 +99,20 @@ main() { # KexAlgorithms check_sshd_t "kexalgorithms" - local kexalg_string - kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g") + local bad_kexalgs=( + "diffie-hellman-group-exchange-sha1" + "diffie-hellman-group-exchange-sha256" + "diffie-hellman-group1-sha1" + "diffie-hellman-group14-sha1" + "ecdh-sha2-nistp256" + "ecdh-sha2-nistp521" + "ecdh-sha2-nistp384" + ) + + local kexalg_string=$before + for kexalg in "${bad_kexalgs[@]}"; do + kexalg_string=$(echo "$kexalg_string" | sed "s/${kexalg}\(,\|\$\)//g" | sed 's/,$//') + done after=$kexalg_string @@ -97,8 +124,21 @@ main() { # Macs check_sshd_t "macs" - local macs_string - macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g") + + local bad_macs=( + "hmac-sha2-512" + "umac-128@openssh.com" + "hmac-sha2-256" + "umac-64@openssh.com" + "hmac-sha1" + "hmac-sha1-etm@openssh.com" + "umac-64-etm@openssh.com" + ) + + local macs_string=$before + for mac in "${bad_macs[@]}"; do + macs_string=$(echo "$macs_string" | sed "s/${mac}\(,\|\$\)//g" | sed 's/,$//') + done after=$macs_string @@ -110,8 +150,20 @@ main() { # HostKeyAlgorithms check_sshd_t "hostkeyalgorithms" - local hostkeyalg_string - hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g") + + local optional_suffix_regex_hka="\(-cert-v01@openssh.com\)\?" + local bad_hostkeyalg_list=( + "ecdsa-sha2-nistp256" + "ecdsa-sha2-nistp384" + "ecdsa-sha2-nistp521" + "ssh-rsa" + "ssh-dss" + ) + + local hostkeyalg_string=$before + for alg in "${bad_hostkeyalg_list[@]}"; do + hostkeyalg_string=$(echo "$hostkeyalg_string" | sed "s/${alg}${optional_suffix_regex_hka}\(,\|\$\)//g" | sed 's/,$//') + done after=$hostkeyalg_string