SSHSecure/config/const.go

/*
   SSHSecure - a program to harden OpenSSH from defaults
   Copyright (C) 2020  Brent Saner

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.
*/

package config

const (
	// To check if this release of SSHSecure is up-to-date with the default values.
	// upstreamSshdURL   string = "https://anongit.mindrot.org/openssh.git/plain/sshd_config"
	upstreamSshdURL   string = "https://raw.githubusercontent.com/openssh/openssh-portable/master/sshd_config"
	upstreamSshdCksum string = "952C844D7B36C54B03E2ADFB24860405" +
		"1A702620A0ADC0738A8C30DC83D42A75" +
		"27F5B3C184E779B1430168950F7695A1" +
		"AA249F7CC719DEC1631ACFDDC2E8B653"
	// upstreamSshURL   string = "https://anongit.mindrot.org/openssh.git/plain/ssh_config"
	upstreamSshURL   string = "https://raw.githubusercontent.com/openssh/openssh-portable/master/ssh_config"
	upstreamSshCksum string = "FF2D600465CC5D9CFBB57346491CCAF2" +
		"C917E2F0C7B4D4EF6B851940948B55BD" +
		"88205AC8153210ECA6C6BEA38E800F33" +
		"7562C0190AE760220417A5DC2E00A5E1"
)

// These are items that this program modifies.
var (
	// sshdModify are values we modify.
	sshdModify = [...]string{
		"HostKey",
		"PermitRootLogin",
		"StrictModes",
		"PubkeyAuthentication",
		"PasswordAuthentication",
		"PermitEmptyPasswords",
		"ChallengeResponseAuthentication",
		"KexAlgorithms",
		"Protocol",
		"Ciphers",
		"MACs",
	}

	// sshModify are values we modify.
	sshModify = [...]string{""}
)

// These are collections of long lists of valid values.
var (
	// sshdMulti are values that can be specified multiple times (multiple lines).
	sshdMulti = [...]string{
		"",
	}

	// authMethods are authentication methods that openssh supports.
	authMethods = []string{
		"any",
		"keyboard-interactive",
		"keyboard-interactive:bsdauth",
		"keyboard-interactive:pam",
		"gssapi-with-mic",
		"hostbased",
		"none",
		"password",
		"publickey",
	}

	// ciphers are cipher algorithms that openssh supports.
	ciphers = []string{
		"3des-cbc",
		"aes128-cbc",
		"aes192-cbc",
		"aes256-cbc",
		"aes128-ctr",
		"aes192-ctr",
		"aes256-ctr",
		"aes128-gcm@openssh.com",
		"aes256-gcm@openssh.com",
		"chacha20-poly1305@openssh.com",
	}

	// forwardAllows are shared values used by forwarding access control.
	forwardAllows = []string{"yes", "all", "no", "local", "remote"}

	// hostkeyTypes are algorithms/types used for host keys.
	// The following should generate the same list.
	// ssh -Q HostKeyAlgorithms | sed -re 's/^/"/g' -e 's/$/",/g'
	// ssh -Q HostbasedAcceptedKeyTypes | sed -re 's/^/"/g' -e 's/$/",/g'
	hostkeyTypes = []string{
		"ssh-ed25519",
		"ssh-ed25519-cert-v01@openssh.com",
		"sk-ssh-ed25519@openssh.com",
		"sk-ssh-ed25519-cert-v01@openssh.com",
		"ssh-rsa",
		"rsa-sha2-256",
		"rsa-sha2-512",
		"ssh-dss",
		"ecdsa-sha2-nistp256",
		"ecdsa-sha2-nistp384",
		"ecdsa-sha2-nistp521",
		"sk-ecdsa-sha2-nistp256@openssh.com",
		"ssh-rsa-cert-v01@openssh.com",
		"rsa-sha2-256-cert-v01@openssh.com",
		"rsa-sha2-512-cert-v01@openssh.com",
		"ssh-dss-cert-v01@openssh.com",
		"ecdsa-sha2-nistp256-cert-v01@openssh.com",
		"ecdsa-sha2-nistp384-cert-v01@openssh.com",
		"ecdsa-sha2-nistp521-cert-v01@openssh.com",
		"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
	}

	// ipQoS is a list of valid QoS profiles.
	ipQoS = []string{
		// This also supports a "numeric value" per sshd_config(5),
		// but I have no idea what those values are, their range, etc.
		// So strings only. Makes for more readable configs anyways.
		// TODO: is this specified in the source anywhere?
		"af11",
		"af12",
		"af13",
		"af21",
		"af22",
		"af23",
		"af31",
		"af32",
		"af33",
		"af41",
		"af42",
		"af43",
		"cs0",
		"cs1",
		"cs2",
		"cs3",
		"cs4",
		"cs5",
		"cs6",
		"cs7",
		"ef",
		"le",
		"lowdelay",
		"throughput",
		"reliability",
		"none",
	}

	// kexAlgos is a lost of valid kex ("KEy eXchange") algorithms.
	// ssh -Q kex | sed -re 's/^/"/g' -e 's/$/",/g'
	kexAlgos = []string{
		"diffie-hellman-group1-sha1",
		"diffie-hellman-group14-sha1",
		"diffie-hellman-group14-sha256",
		"diffie-hellman-group16-sha512",
		"diffie-hellman-group18-sha512",
		"diffie-hellman-group-exchange-sha1",
		"diffie-hellman-group-exchange-sha256",
		"ecdh-sha2-nistp256",
		"ecdh-sha2-nistp384",
		"ecdh-sha2-nistp521",
		"curve25519-sha256",
		"curve25519-sha256@libssh.org",
		"sntrup4591761x25519-sha512@tinyssh.org",
	}

	// sigAlgos is a list of valid algorithms for CA signatures.
	sigAlgos = []string{
		// These are the defaults. TODO: are any others valid?
		"ecdsa-sha2-nistp256",
		"ecdsa-sha2-nistp384",
		"ecdsa-sha2-nistp521",
		"ssh-ed25519",
		"rsa-sha2-512",
		"rsa-sha2-256",
		"ssh-rsa",
	}

	// logLevels is a list of valid LogLevel levels.
	logLevels = []string{
		"QUIET",
		"FATAL",
		"ERROR",
		"INFO", // default
		"VERBOSE",
		"DEBUG",  // same as DEBUG1
		"DEBUG1", // same as DEBUG
		"DEBUG2",
		"DEBUG3",
	}

	// macAlgos is a list of valid MAC (Message Authentication Code) values. "-etm" algos are recommended by upstream.
	// ssh -Q mac | sed -re 's/^/"/g' -e 's/$/",/g'
	macAlgos = []string{
		"hmac-sha1",
		"hmac-sha1-96",
		"hmac-sha2-256",
		"hmac-sha2-512",
		"hmac-md5",
		"hmac-md5-96",
		"umac-64@openssh.com",
		"umac-128@openssh.com",
		"hmac-sha1-etm@openssh.com",
		"hmac-sha1-96-etm@openssh.com",
		"hmac-sha2-256-etm@openssh.com",
		"hmac-sha2-512-etm@openssh.com",
		"hmac-md5-etm@openssh.com",
		"hmac-md5-96-etm@openssh.com",
		"umac-64-etm@openssh.com",
		"umac-128-etm@openssh.com",
	}
)

// This is a collection related to Match blocks.
var (
	// sshdMatchCriteria is a list of valid criteria that can be used in a Match block.
	// Valid keys for sshdMatchCriteria are tracked via field names in SshdMatchRule.
	// Multiple criteria can be specified by e.g. "Match User foo, Host bar.tld"
	sshdMatchCriteria = []string{
		"All",
		"User",
		"Group",
		"Host",
		"LocalAddress",
		"LocalPort",
		"RDomain",
		"Address",
	}
)

// The following are validator maps.
var (
	// These directives can also begin with "+", "-", or "^", so they need to be stripped off.
	// TODO: How to do this non-destructively?
	sshdStripPre = []string{
		"HostbasedAcceptedKeyTypes",
		"KexAlgorithms",
	}
	// validSshdSingleVals are values that can accept a single string value from a static list.
	validSshdSingleVals = map[string][]string{
		"AddressFamily":              {"any", "inet", "inet6"},
		"AllowStreamLocalForwarding": forwardAllows,
		"AllowTcpForwarding":         forwardAllows,
		"Compression":                {"yes", "delayed", "no"}, // "delayed" is legacy, same as "yes".
		"FingerprintHash":            {"sha256", "md5"},
		"GatewayPorts":               {"yes", "no", "clientspecified"},
		"IgnoreRHosts":               {"yes", "shosts-only", "no"},
		"LogLevel":                   logLevels,
	}

	// validSshdMultiVals are values that can accept multiple values from a static list.
	validSshdMultiVals = map[string][]string{
		"AuthenticationMethods":     authMethods,
		"CASignatureAlgorithms":     sigAlgos,
		"Ciphers":                   ciphers,
		"HostbasedAcceptedKeyTypes": hostkeyTypes, // NOTE: Can also begin with "+", "-", or "^"
		"HostKeyAlgorithms":         hostkeyTypes,
		"KexAlgorithms":             kexAlgos, // NOTE: Can also begin with "+", "-", or "^"
		"MACs":                      macAlgos,
	}
)