Commit b6b9fb2

committed
OpenSSH 8.0 KEXs support
1 parent c5f887f commit b6b9fb2

1 file changed

+17
-8
lines changed

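--- a/libraries/ssh_crypto.rb
+++ b/libraries/ssh_crypto.rb
@@ -70,14 +70,17 @@ def valid_ciphers # rubocop:disable Metrics/CyclomaticComplexity
 
 def valid_kexs # rubocop:disable Metrics/CyclomaticComplexity
 # define a set of default KEXs
+kex80 = '[email protected],[email protected],diffie-hellman-group-exchange-sha256'
 kex66 = '[email protected],diffie-hellman-group-exchange-sha256'
 kex59 = 'diffie-hellman-group-exchange-sha256'
 kex = kex59
 
 # adjust KEXs based on OS + release
 case inspec.os[:name]
+# https://packages.ubuntu.com/search?keywords=openssh-server
 when 'ubuntu'
-kex = kex66 if inspec.os[:release][0, 2] > '12'
+kex = inspec.os[:release][0, 2] >= '19' ? kex80 : kex66
+# https://packages.debian.org/search?keywords=openssh-server
 when 'debian'
 case inspec.os[:release]
 when /^6\./
@@ -86,6 +89,8 @@ def valid_kexs # rubocop:disable Metrics/CyclomaticComplexity
 kex = kex59
 when /^8\./, /^9\./, /^10\./
 kex = kex66
+when /^11\./
+kex = kex80
 end
 when 'redhat', 'centos', 'oracle'
 case inspec.os[:release]
@@ -94,21 +99,25 @@ def valid_kexs # rubocop:disable Metrics/CyclomaticComplexity
 when /^7\./, /^8\./
 kex = kex66
 end
-when 'amazon', 'fedora', 'alpine'
+# https://pkgs.alpinelinux.org/packages?name=openssh
+when 'alpine'
+kex = inspec.os[:release].split('.')[1] >= '10' ? kex80 : kex66
+when 'amazon'
 kex = kex66
+# https://src.fedoraproject.org/rpms/openssh
+when 'fedora'
+kex = inspec.os[:release] >= '30' ? kex80 : kex66
+# https://software.opensuse.org/package/openssh
 when 'opensuse'
-case inspec.os[:release]
-when /^13\.2/
-kex = kex66
-when /^42\./
-kex = kex66
-end
+kex = inspec.os[:release] == '15.2' ? kex80 : kex66
 when 'mac_os_x'
 case inspec.os[:release]
 when /^10.9\./
 kex = kex59
 when /^10.10\./, /^10.11\./, /^10.12\./
 kex = kex66
+when /^10.15\./
+kex = kex80
 end
 end
 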
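Review bot: The new Alpine branch compares the minor release as a string, so `inspec.os[:release].split('.')[1] >= '10'` is also true for '2' through '9' and would select kex80 on Alpine 3.9 and older, which presumably ship an OpenSSH older than 8.0. A numeric comparison avoids this: `kex = inspec.os[:release].split('.')[1].to_i >= 10 ? kex80 : kex66`. The Ubuntu (`[0, 2] >= '19'`) and Fedora (`>= '30'`) branches use the same lexical comparison; it holds for two-digit releases, but `Gem::Version.new(inspec.os[:release]) >= Gem::Version.new('30')` would not depend on the string width. If this list is what the baseline expects sshd to offer, a wrong branch makes the control require key-exchange algorithms the installed sshd cannot provide, so the host fails the check or gets a config it cannot load. The body of valid_kexs continues past the last visible hunk, so how `kex` is finally used is not shown here.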