SSH hardening configuration options #238
Pull Request Overview
This PR enhances the SSH configuration options to support hardening requirements by adding new configuration vectors for password authentication, root login, ciphers, key exchange algorithms, and MACs. Key changes include:
- Updates to test vectors and sample outputs for various SSH hardening options.
- Addition of new test cases in hostcfgd tests to validate the updated SSH configuration.
- Modifications in the SshServer code to support the new configuration keys and proper value conversion.
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/hostcfgd/test_ssh_server_vectors.py | Added new test vectors for password_authentication, permit_root_login, ciphers, kex_algorithms, and macs. |
| tests/hostcfgd/sample_output/*/sshd_config | Updated sample SSHD configuration outputs to reflect the new hardening options. |
| tests/hostcfgd/hostcfgd_ssh_server_test.py | Added new test cases corresponding to each new SSH hardening option. |
| scripts/hostcfgd | Modified the SSH configuration processing to support additional options and value conversions. |
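The overview above describes new configuration keys and "proper value conversion" into sshd_config directives. The following is an added illustration of what that conversion step looks like; it is not the hostcfgd SshServer code from this PR. The key names (password_authentication, permit_root_login, ciphers, kex_algorithms, macs) are the ones the PR adds; the value encodings assumed here (boolean flags stored as the strings "true"/"false", algorithm lists stored comma-separated) and the sample profile are assumptions made for this example.

```python
"""Render sshd_config hardening directives from a CONFIG_DB-style dict.

Added example, not the project's SshServer code. Assumptions: boolean flags
arrive as the strings "true"/"false" (also accepting yes/no/1/0), algorithm
lists arrive comma-separated, and permit_root_login is a plain yes/no switch.
"""
import re

# Assumed mapping from CONFIG_DB key to the sshd_config directive it sets.
BOOL_KEYS = {
    "password_authentication": "PasswordAuthentication",
    "permit_root_login": "PermitRootLogin",
}
LIST_KEYS = {
    "ciphers": "Ciphers",
    "kex_algorithms": "KexAlgorithms",
    "macs": "MACs",
}

# sshd algorithm names: lowercase letters, digits, '-', '.', '@' (e.g. aes256-gcm@openssh.com)
_ALGO_NAME = re.compile(r"[a-z0-9@.\-]+")

# Constructed sample of a hardened profile (not one of the PR's test vectors).
SAMPLE_CFG = {
    "password_authentication": "false",
    "permit_root_login": "false",
    "ciphers": "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
    "kex_algorithms": "curve25519-sha256,curve25519-sha256@libssh.org",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
}


def to_yes_no(value):
    """Convert a stored boolean flag to the yes/no token sshd expects."""
    v = str(value).strip().lower()
    if v in ("true", "yes", "1"):
        return "yes"
    if v in ("false", "no", "0"):
        return "no"
    raise ValueError(f"not a boolean flag: {value!r}")


def to_algo_list(value):
    """Normalise a comma-separated algorithm list; reject empty or malformed names."""
    items = [item.strip() for item in str(value).split(",")]
    bad = [item for item in items if not _ALGO_NAME.fullmatch(item)]
    if bad:
        # An empty element (trailing comma) or a stray character would make sshd
        # refuse to start, which is the failure mode worth catching before writing.
        raise ValueError(f"malformed algorithm name(s): {bad!r}")
    return ",".join(items)


def render_sshd_hardening(cfg):
    """Return sshd_config lines for the hardening keys present in cfg.

    Keys are emitted in a fixed order so the output is stable for comparison
    against sample files; absent keys are omitted so sshd keeps its defaults.
    """
    lines = []
    for key, directive in BOOL_KEYS.items():
        if key in cfg:
            lines.append(f"{directive} {to_yes_no(cfg[key])}")
    for key, directive in LIST_KEYS.items():
        if key in cfg:
            lines.append(f"{directive} {to_algo_list(cfg[key])}")
    return lines


def check_hardening(cfg):
    """Validate every hardening key without raising; return a list of error strings."""
    errors = []
    for key, value in cfg.items():
        try:
            if key in BOOL_KEYS:
                to_yes_no(value)
            elif key in LIST_KEYS:
                to_algo_list(value)
            else:
                errors.append(f"{key}: unknown hardening key")
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return errors


if __name__ == "__main__":
    for line in render_sshd_hardening(SAMPLE_CFG):
        print(line)
```

The renderer is deliberately strict about list values: a trailing comma or a typo in a cipher name is rejected at conversion time rather than written into sshd_config, where it would stop sshd from reloading. The reviewer's point in the overview about "value conversion" is exactly this boundary between the stored representation and sshd's syntax.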
@bhouse-nexthop it looks like there is a test failure. Could you please check?
=========================== short test summary info ============================
Looks like the input file was changed by a different PR; I'll update to match.
@lguohan I think there is a test failure here due to the ssh config used for the test having changed since I originally wrote this PR. I rebased a few days ago but haven't yet looked into this, I'll try to get to that tomorrow. I just got back to the east coast an hour or two ago and am pretty tired :)
The SSH configuration does not contain many of the hardening requirements by the various standards bodies. This adds support for:
* password_authentication - ability to disable password auth
* permit_root_login - ability to prevent root logins
* ciphers - ability to specify available ciphers
* kex_algorithms - ability to specify key exchange algorithms
* macs - ability to specify macs

Signed-off-by: Brad House <bhouse@nexthop.ai>
@lguohan any chance you can review this?
The SSH configuration does not contain many of the hardening requirements by the various standards bodies. This adds support for:
Depends on sonic-net/sonic-buildimage#22308
Fixes sonic-net/sonic-buildimage#22309