Description
Along with #98 (by the way, this isn't CentOS-specific; it's sshd-version specific. 6.5+ add ed25519 support, CentOS 6.10 is on OpenSSH 5.3), I have some other suggestions. Forgive me if they're present; I haven't read through all the mappings and such.
Note that these can be determined via something like `{% set sshver = salt['pkg.version']('openssh-server').split('p')[0] | float %}` in Jinja2 syntax (for CentOS; the 'openssh-server' should obviously be the actual package name). This conveniently lets you do things like:
```jinja
{# sshver is the float set above, e.g. 5.3 on CentOS 6.10, 7.4 on CentOS 7.6 #}
{% if sshver > 6.5 %}
Option foo
{% else %}
OldOption bar
{% endif %}
```
I have a regex pattern that will also work on e.g. Sun's SSH if you'd like to make it even more flexible (though admittedly I haven't tested it on any of the BSDs).
That said, the inconsistencies I know of are:
- `AuthorizedKeysCommandUser` is, prior to OpenSSH 6.2, known as `AuthorizedKeysCommandRunAs` (I'd just recommend changing the option name in the sshd_config perhaps?)
- The "Secure Secure Shell" recommendations should probably be default. Here's a convenient list of supported Kex, Ciphers, etc. between CentOS 6.10 and 7.6 (OpenSSH 5.3 and OpenSSH 7.4 respectively):
CentOS 6:

```
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (13)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (9)
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
```
CentOS 7:

```
| ssh2-enum-algos:
|   kex_algorithms: (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-ed25519
|   encryption_algorithms: (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
```
Which means, as per #26, the respective recommended defaults should then be:
CentOS 6:

```
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
```
CentOS 7:

```
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
```
Per @aboe76's concerns in #26 (comment), I have tested from both PuTTY and the built-in Windows SSH client (in Windows 10). All keys work as expected (PuTTY-generated RSA4096 and ED25519, Windows' `ssh-keygen` rsa with default options and ed25519 with default options; the RSA keys on both CentOS 6 and 7, the ED25519 keys on CentOS 7).
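To turn listings like the ssh2-enum-algos output above into the per-version directives proposed in the issue, here is an added Python example (not part of the issue or the formula): it parses nmap's output and keeps only the "Secure Secure Shell" algorithms a given sshd actually offers, in preference order. The trimmed sample input is constructed.

```python
import re

# Constructed sample (not the issue's full listing), in the format nmap prints.
SAMPLE_CENTOS6 = """\
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (3)
|       aes128-ctr
|       arcfour
|       aes256-cbc
|   mac_algorithms: (3)
|       hmac-md5
|       hmac-sha2-256
|_      hmac-sha2-512
"""
# "Secure Secure Shell" preference lists, most preferred first.
PREFERRED = {
    "kex_algorithms": ["curve25519-sha256@libssh.org",
                       "diffie-hellman-group-exchange-sha256"],
    "encryption_algorithms": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                              "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "mac_algorithms": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                       "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
                       "umac-128@openssh.com"],
}
OPTION_NAME = {"kex_algorithms": "KexAlgorithms",
               "encryption_algorithms": "Ciphers", "mac_algorithms": "MACs"}

def parse_enum_algos(text):
    """Turn nmap's ssh2-enum-algos output into {section: [algorithm, ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()   # drop nmap's "|", "|_" and indentation
        header = re.match(r"(\w+_algorithms): \(\d+\)$", body)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and body:
            sections[current].append(body)
    return sections

def recommended_config(sections):
    """sshd_config lines: preferred algorithms the server offers, in preference order.
    A directive is omitted entirely when nothing matches (an empty value is a config error)."""
    lines = []
    for key, option in OPTION_NAME.items():
        offered = set(sections.get(key, []))
        chosen = [alg for alg in PREFERRED[key] if alg in offered]
        if chosen:
            lines.append(f"{option} {','.join(chosen)}")
    return lines
```

Running `recommended_config(parse_enum_algos(SAMPLE_CENTOS6))` yields the three CentOS 6 style directives, with the weak arcfour, CBC and MD5 algorithms the server also advertised left out.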