
Improper handling of ciphers/macs/kexalgorithms in ssh instance is leading to incorrect sshd instance config #400

Closed
ReneTrippen opened this issue Dec 20, 2024 · 0 comments · Fixed by #401

Comments

@ReneTrippen
Contributor

When, in ssh instances, the Ciphers/MACs/KexAlgorithms are defined as an array or as a YAML list, the generated sshd_config of the instance has multiple entries for them. This does not work, because sshd picks only the first match. All allowed ciphers, KEX algorithms and MACs are needed as a comma-separated string in the sshd_config.

That's the same issue as in #361, but it does not affect the main sshd config, only instances like an extra SFTP server.
I'll fix that and make a PR soon.

Example

As a YAML list in Hiera:

```yaml
Ciphers:
  - "aes128-ctr"
  - "aes192-ctr"
  - "aes256-ctr"
KexAlgorithms:
  - "curve25519-sha256"
  - "[email protected]"
  - "diffie-hellman-group-exchange-sha256"
  - "ecdh-sha2-nistp256"
  - "ecdh-sha2-nistp384"
  - "ecdh-sha2-nistp521"
MACs:
  - "[email protected]"
  - "[email protected]"
  - "hmac-sha2-512"
  - "hmac-sha2-256"
```

Entries in the generated sshd_config.sftp_server:

```
grep -i -E "(^kex|^ciph|^mac)" /etc/ssh/sshd_config.sftp_server
Ciphers aes128-ctr
Ciphers aes192-ctr
Ciphers aes256-ctr
KexAlgorithms curve25519-sha256
KexAlgorithms [email protected]
KexAlgorithms diffie-hellman-group-exchange-sha256
KexAlgorithms ecdh-sha2-nistp256
KexAlgorithms ecdh-sha2-nistp384
KexAlgorithms ecdh-sha2-nistp521
MACs [email protected]
MACs [email protected]
MACs hmac-sha2-512
MACs hmac-sha2-256
```

sshd -T (the effective configuration; only the first value of each keyword survives):

```
sshd -T -f /etc/ssh/sshd_config.sftp_server | grep -E "(^kex|^ciph|^mac)"
ciphers aes128-ctr
macs [email protected]
kexalgorithms curve25519-sha256
```
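The failure mode above, as an added example that is not code from saz/puppet-ssh or from PR #401: a Ruby sketch of the two template behaviours side by side (one directive line per list element versus one comma-joined directive) and a small lint that reports which values sshd would silently drop from a rendered config. The `SFTP_OPTIONS` hash is constructed stand-in data, and `LIST_KEYWORDS`, `render_per_element`, `render_joined` and `dropped_values` are names chosen for this example only.

```ruby
# Added example, not the module's own template code.
# Keywords whose value is ONE comma-separated list. sshd_config(5): when a
# keyword is repeated, "the first obtained value will be used", so a second
# "Ciphers" line is ignored, not merged. Extend this set for other list
# keywords (HostKeyAlgorithms etc.) as needed; the three below are the ones
# from this issue.
LIST_KEYWORDS = %w[Ciphers MACs KexAlgorithms].freeze

# Constructed stand-in for the Hiera data shown in the issue (shortened).
SFTP_OPTIONS = {
  'Port'          => 2222,
  'Ciphers'       => %w[aes128-ctr aes192-ctr aes256-ctr],
  'KexAlgorithms' => %w[curve25519-sha256 diffie-hellman-group-exchange-sha256],
  'MACs'          => %w[hmac-sha2-512 hmac-sha2-256],
}.freeze

# Buggy rendering: one directive per array element. This reproduces the
# sshd_config.sftp_server output from the issue.
def render_per_element(options)
  options.flat_map do |key, value|
    Array(value).map { |v| "#{key} #{v}" }
  end.join("\n") + "\n"
end

# Fixed rendering: a list value for a comma-separated keyword is joined into
# a single directive; a string value passes through unchanged. Keywords that
# legitimately repeat (Port, ListenAddress, AcceptEnv, ...) still get one
# line per element.
def render_joined(options)
  options.flat_map do |key, value|
    if LIST_KEYWORDS.include?(key)
      ["#{key} #{Array(value).join(',')}"]
    else
      Array(value).map { |v| "#{key} #{v}" }
    end
  end.join("\n") + "\n"
end

# Lint: parse rendered sshd_config text and return, per list keyword, the
# values sshd would drop (every occurrence after the first). Keyword matching
# is case-insensitive like sshd's parser. Only "Keyword value" syntax is
# handled (assumption: no "Keyword=value" form). Parsing stops at the first
# Match block, where a repeated keyword is a legitimate per-block override.
def dropped_values(config_text)
  seen = Hash.new { |h, k| h[k] = [] }
  config_text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    break if stripped =~ /\AMatch\b/i
    key, value = stripped.split(/\s+/, 2)
    canonical = LIST_KEYWORDS.find { |k| k.casecmp?(key) }
    next unless canonical && value
    seen[canonical] << value
  end
  seen.each_with_object({}) do |(k, vals), out|
    out[k] = vals.drop(1) if vals.size > 1
  end
end

if $PROGRAM_NAME == __FILE__
  broken = render_per_element(SFTP_OPTIONS)
  puts broken
  p dropped_values(broken)          # values sshd ignores in the broken config
  fixed = render_joined(SFTP_OPTIONS)
  puts fixed
  p dropped_values(fixed)           # {} : nothing is lost
end
```

Running the lint over a config rendered by a template is a cheap regression check for this class of bug: if it returns anything for Ciphers, MACs or KexAlgorithms, the policy you wrote in Hiera is not the policy sshd enforces, and `sshd -T -f <file>` on the target host will show only the first algorithm, exactly as in the output above.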
ReneTrippen added a commit to ReneTrippen/puppet-ssh that referenced this issue Dec 20, 2024
As the man page of sshd_config(5) describes:
"Multiple ciphers/macs/kexalgorithms must be comma-separated."
Using an array or YAML list for ciphers/mac/kex results in multiple
entries in sshd_config. If multiple entries are set in sshd_config,
sshd takes only the first one.

Fixes saz#400
ReneTrippen added a commit to ReneTrippen/puppet-ssh that referenced this issue Dec 20, 2024
As the man page of sshd_config(5) describes:
"Multiple ciphers/macs/kexalgorithms must be comma-separated."
Using an array or YAML list for ciphers/mac/kex results in multiple
entries in sshd_config. If multiple entries are set in sshd_config, sshd takes only the first
one.

Fixes saz#400

These ERBs are really hard to read ...
ReneTrippen added a commit to ReneTrippen/puppet-ssh that referenced this issue Dec 20, 2024
@saz saz closed this as completed in #401 Dec 24, 2024
saz pushed a commit that referenced this issue Dec 24, 2024

As the man page of sshd_config(5) describes:
"Multiple ciphers/macs/kexalgorithms must be comma-separated."
Using an array or YAML list for ciphers/mac/kex results in multiple
entries in sshd_config. If multiple entries are set in sshd_config,
sshd takes only the first one.

Fixes #400