Merge branch 'fix/ssh-harden-setup' into foxtrot

salt/common/tools/sbin/so-ssh-harden

@@ -6,14 +6,16 @@ if [[ $1 =~ ^(-q|--quiet) ]]; then
 	quiet=true
 fi
 
+sshd_config=/etc/ssh/sshd_config
+temp_config=/tmp/sshd_config
+
 before=
 after=
 reload_required=false
 
-print_sshd_t() {
+check_sshd_t() {
 	local string=$1
 	local state=$2
-	echo "${state}:"
 
 	local grep_out
 	grep_out=$(sshd -T | grep "^${string}")
@@ -23,8 +25,17 @@ print_sshd_t() {
 	else
 		after=$grep_out
 	fi
+}
 
-	echo $grep_out
+print_diff() {
+	local type=$1
+	local diff
+	diff=$(diff -dqbB <(echo $before) <(echo $after))
+
+	if [[ -n $diff ]]; then
+		printf '%s\n' "$type" "$diff"
+		echo ""
+	fi
 }
 
 print_msg() {
@@ -33,61 +44,100 @@ print_msg() {
 	printf "%s\n" \
 		"----" \
 		"$msg" \
-		"----" \
+		"----"
-		""
 	fi
 }
 
-if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi
+add_if_missing() {
-sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
+	local string=$1
-if ! [[ $quiet ]]; then
+	if ! grep -q "$1" $temp_config; then
-	print_sshd_t "ciphers" "After"
+		printf "%s\n\n" "$1" >> $temp_config
-	echo ""
+		reload_required=true
-fi
+	fi
+}
 
-if [[ $before != $after ]]; then
+test_config() {
-	reload_required=true
+	local msg
-fi
+	msg=$(sshd -t -f $temp_config)
+	local ret=$?
 
-if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi
+	if [[ -n $msg ]]; then
-sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
+		echo "Error found in temp sshd config:"
-if ! [[ $quiet ]]; then
+		echo $msg
-	print_sshd_t "kexalgorithms" "After"
+	fi
-	echo ""
-fi
 
-if [[ $before != $after ]]; then
+	return $ret
-	reload_required=true
+}
-fi
 
-if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi
+main() {
-sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
+	if ! [[ $quiet ]]; then echo "Copying current config to $temp_config"; fi
-if ! [[ $quiet ]]; then
+	cp $sshd_config $temp_config
-	print_sshd_t "macs" "After"
-	echo ""
-fi
 
-if [[ $before != $after ]]; then
+	# Add newline to ssh for legibility
-	reload_required=true
+	echo "" >> $temp_config
-fi
 
-if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi
+	# Ciphers
-sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config
+	check_sshd_t "ciphers" "Before"
-if ! [[ $quiet ]]; then
+	local cipher_string
-	print_sshd_t "hostkeyalgorithms" "After"
+	cipher_string=$(echo "$before" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g")
-	echo ""
-fi
 
-if [[ $before != $after ]]; then
+	check_sshd_t "ciphers" "After"
-	reload_required=true
-fi
 
-if [[ $reload_required == true ]]; then
+	if ! [[ $quiet ]]; then print_diff "ciphers"; fi
-	print_msg "Reloading sshd to load config changes..."
-	systemctl reload sshd
-fi
 
-{% if grains['os'] != 'CentOS' %}
+	if [[ $before != $after ]]; then
-print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
+		add_if_missing "$cipher_string" && test_config || exit 1
-{% endif %}
+	fi
 
+	# KexAlgorithms
+	check_sshd_t "kexalgorithms" "Before"
+
+	local kexalg_string
+	kexalg_string=$(echo "$before" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g")
+
+	check_sshd_t "kexalgorithms" "After"
+
+	if ! [[ $quiet ]]; then print_diff "kexalgorithms"; fi
+
+	if [[ $before != $after ]]; then
+		add_if_missing "$kexalg_string" && test_config || exit 1
+	fi
+
+	# Macs
+	check_sshd_t "macs" "Before"
+	local macs_string
+	macs_string=$(echo "$before" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g")
+
+	check_sshd_t "macs" "After"
+
+	if ! [[ $quiet ]]; then print_diff "macs"; fi
+
+	if [[ $before != $after ]]; then
+		add_if_missing "$mac_string" && test_config || exit 1
+	fi
+
+	# HostKeyAlgorithms
+	check_sshd_t "hostkeyalgorithms" "Before"
+	local hostkeyalg_string
+	hostkeyalg_string=$(echo "$before" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g")
+
+	check_sshd_t "hostkeyalgorithms" "After"
+	
+	if ! [[ $quiet ]]; then print_diff "hostkeyalgorithms"; fi
+	
+	if [[ $before != $after ]]; then
+		add_if_missing "$hostkeyalg_string" && test_config || exit 1
+	fi
+
+	if [[ $reload_required == true ]]; then
+		mv -f $temp_config $sshd_config
+		if ! [[ $quiet ]]; then echo "Reloading sshd to load config changes..."; fi
+		systemctl reload sshd
+		print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
+	else
+		if ! [[ $quiet ]]; then echo "No changes made to temp file, cleaning up."; fi
+		rm -f $temp_config
+	fi
+}
+
+main

setup/so-functions

@@ -1454,8 +1454,6 @@ install_cleanup() {
 		info "Removing so-setup permission entry from sudoers file"
 		sed -i '/so-setup/d' /etc/sudoers
 	fi
-
-	so-ssh-harden -q
 }
 
 import_registry_docker() {

setup/so-setup

@@ -906,6 +906,7 @@ set_redirect >> $setup_log 2>&1
 	set_progress_str 85 'Applying finishing touches'
 	filter_unused_nics >> $setup_log 2>&1
 	network_setup >> $setup_log 2>&1
+	so-ssh-harden -q >> $setup_log 2>&1
 
 	if [[ $is_manager || $is_import ]]; then
 		set_progress_str 87 'Adding user to SOC'