dev-sec · rndmh3ro · Jun 20, 2016 · May 22, 2016 · Jun 7, 2016 · Jun 8, 2016
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -1,19 +1,26 @@
 ---
 driver:
   name: vagrant
+
 provisioner:
   name: ansible_playbook
-  test_repo_uri: https://github.com/hardening-io/tests-ssh-hardening.git
   hosts: all
   require_ansible_repo: false
   require_ansible_omnibus: true
   require_chef_for_busser: false
   require_ruby_for_busser: false
   ansible_verbose: true
   ansible_diff: true
+  hosts: all
   roles_path: ../ansible-ssh-hardening/
   playbook: default.yml
 
+verifier:
+  name: inspec
+  sudo: true
+  inspec_tests:
+    - https://github.com/dev-sec/tests-ssh-hardening
+
 platforms:
 - name: ubuntu-12.04
   driver_config:
@@ -39,10 +46,6 @@ platforms:
   driver_config:
     box: oracle-6.5
     box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
-- name: debian-6
-  driver_config:
-    box: debian-6
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box
 - name: debian-7
   driver_config:
     box: debian-7
@@ -51,11 +54,9 @@ platforms:
   driver_config:
     box: debian-8
     box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
-verifier:
-  name: inspec
+
 suites:
-- name: ansible_1.9
+- name: ssh-ansible_1.9
   provisioner:
     ansible_version: 1.9.4
-- name: ansible_latest
-
+- name: ssh-ansible_latest
diff --git a/README.md b/README.md
@@ -60,9 +60,6 @@ Next install test-kitchen:
 gem install bundler
 bundle install
 
-# Fetch tests
-bundle exec thor kitchen:fetch-remote-tests
-
 # fast test on one machine
 bundle exec kitchen test default-ubuntu-1204
 

diff --git a/meta/main.yml b/meta/main.yml
@@ -9,9 +9,6 @@ galaxy_info:
     - name: EL
       versions:
         - 6
-    - name: Oracle Linux
-      versions:
-        - 6
     - name: Ubuntu
       versions:
         - precise

diff --git a/templates/openssh.conf.j2 b/templates/openssh.conf.j2
@@ -9,7 +9,7 @@
 # ===================
 
 # Address family should always be limited to the active network configuration.
-AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }} 
+AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
 # Restrict the following configuration to be limited to this Host.
 {% for host in ssh_remote_hosts -%}
 Host {{host}}
@@ -47,13 +47,13 @@ StrictHostKeyChecking ask
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
 {% if ssh_client_cbc_required -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
     Ciphers {{ ssh_ciphers_66_weak | join(',') }}
     {% else -%}
     Ciphers {{ ssh_ciphers_53_weak | join(',') }}
     {% endif %}
 {% else -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
         Ciphers {{ ssh_ciphers_66_default | join(',') }}
     {% else -%}
         Ciphers {{ ssh_ciphers_53_default | join(',') }}
@@ -65,22 +65,18 @@ StrictHostKeyChecking ask
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
 #
 {% if ssh_client_weak_hmac -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
         MACs {{ ssh_macs_66_weak | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
     MACs {{ ssh_macs_53_default | join(',') }}
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-    MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
     MACs {{ ssh_macs_59_weak | join(',') }}
     {% endif %}
 {% else -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
     MACs {{ ssh_macs_66_default | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
     MACs {{ ssh_macs_53_default | join(',') }}
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-    MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
     MACs {{ ssh_macs_59_default | join(',') }}
     {% endif %}
@@ -93,14 +89,14 @@ StrictHostKeyChecking ask
 # Weak kex is sometimes required if older package versions are used
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 #
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
    {% if ssh_client_weak_kex -%}
     KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
    {% else -%}
         KexAlgorithms {{ ssh_kex_66_default | join(',') }}
    {% endif %}
 {% else -%}
-   {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
+   {% if ansible_os_family in ['Oracle Linux', 'RedHat'] -%}
            #KexAlgorithms
    {% elif ssh_client_weak_kex -%}
            KexAlgorithms {{ ssh_kex_59_weak | join(',') }}

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -51,13 +51,13 @@ LogLevel VERBOSE
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 #
 {% if ssh_server_cbc_required -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
         Ciphers {{ ssh_ciphers_66_weak | join(',') }}
     {% else %}
         Ciphers {{ ssh_ciphers_53_weak | join(',') }}
     {% endif %}
 {% else -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
         Ciphers {{ ssh_ciphers_66_default | join(',') }}
     {% else -%}
         Ciphers {{ ssh_ciphers_53_default | join(',') }}
@@ -70,22 +70,18 @@ LogLevel VERBOSE
 #
 
 {% if ssh_server_weak_hmac -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
         MACs {{ ssh_macs_66_weak | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
         MACs {{ ssh_macs_53_default | join(',') }}
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-        MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
         MACs {{ ssh_macs_59_weak | join(',') }}
     {% endif %}
 {% else -%}
-    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+    {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
         MACs {{ ssh_macs_66_default | join(',') }}
     {% elif ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6' -%}
         MACs {{ ssh_macs_53_default | join(',') }}
-    {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
-        MACs {{ ssh_macs_53_default | join(',') }}
     {% else -%}
         MACs {{ ssh_macs_59_default | join(',') }}
     {% endif %}
@@ -98,14 +94,14 @@ LogLevel VERBOSE
 # Weak kex is sometimes required if older package versions are used
 # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
 # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04') or (ansible_distribution == 'Debian' and ansible_distribution_version >= '8') -%}
     {% if ssh_server_weak_kex -%}
         KexAlgorithms {{ ssh_kex_66_weak | join(',') }}
     {% else -%}
         KexAlgorithms {{ ssh_kex_66_default | join(',') }}
     {% endif %}
 {% else -%}
-    {% if ansible_os_family in ['Oracle Linux', 'RedHat'] or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
+    {% if ansible_os_family in ['Oracle Linux', 'RedHat'] -%}
         #KexAlgorithms
     {% elif ssh_server_weak_kex -%}
         KexAlgorithms {{ sshd_kex_59_weak | join(',') }}