Description
Along with #98 (by the way, this isn't CentOS-specific; it's sshd-version specific. 6.5+ add ed25519 support, CentOS 6.10 is on OpenSSH 5.3), I have some other suggestions. Forgive me if they're present; I haven't read through all the mappings and such.
Note that these can be determined via something like `{% set sshver = salt['pkg.version']('openssh-server').split('p')[0] | float %}` in Jinja2 syntax (for CentOS; the 'openssh-server' should obviously be the actual package name). This conveniently lets you do things like:

```jinja
{% if sshver > 6.5 %}
Option foo
{% else %}
OldOption bar
{% endif %}
```

I have a regex pattern that will also work on e.g. Sun's SSH if you'd like to make it even more flexible (though admittedly I haven't tested it on any of the BSDs).
That said, the inconsistencies I know of are:
- `AuthorizedKeysCommandUser` is, prior to OpenSSH 6.2, known as `AuthorizedKeysCommandRunAs` (I'd just recommend changing the option name in the sshd_config perhaps?)
- The "Secure Secure Shell" recommendations should probably be default. Here's a convenient list of supported Kex, Ciphers, etc. between CentOS 6.10 and 7.6 (OpenSSH 5.3 and OpenSSH 7.4 respectively):
CentOS 6:

```
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (13)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (9)
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
```
CentOS 7:

```
| ssh2-enum-algos:
|   kex_algorithms: (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-ed25519
|   encryption_algorithms: (12)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       aes192-cbc
|       aes256-cbc
|       blowfish-cbc
|       cast128-cbc
|       3des-cbc
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
```
Which means, as per #26, the respective recommended defaults should then be:
CentOS 6:

```
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
```

CentOS 7:

```
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
```
Per @aboe76's concerns in #26 (comment), I have tested from both PuTTY and the built-in Windows SSH client (in Windows 10). All keys work as expected (PuTTY-generated RSA4096 and ED25519, Windows' ssh-keygen rsa with default options and ed25519 with default options; the RSA keys on both CentOS 6 and 7, the ED25519 keys on CentOS 7).
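As an added example (editor's code, not part of the issue or of the formula), the following Python script shows the selection logic behind the per-release defaults above: it parses an nmap `ssh2-enum-algos` listing, keeps only those algorithms from the "Secure Secure Shell" preference order that the server actually offers, and renders the resulting `KexAlgorithms`/`Ciphers`/`MACs` lines. It also parses a package version string such as `5.3p1-124.el6_10` into an integer tuple for the `>= 6.5` style comparison, so a minor version of 10 or above still sorts correctly. The preference tables, the `CENTOS6_ENUM` sample (a trimmed, constructed copy of the CentOS 6 output) and all function names are this example's own assumptions.

```python
"""Derive hardened sshd_config KexAlgorithms/Ciphers/MACs lines from an nmap
ssh2-enum-algos listing, keeping only preferred algorithms the server offers."""
import re

# Preference order follows the "Secure Secure Shell" list quoted in the issue.
# These tables belong to this added example, not to the formula itself.
PREFERRED = {
    "KexAlgorithms": [
        "curve25519-sha256@libssh.org",
        "diffie-hellman-group-exchange-sha256",
    ],
    "Ciphers": [
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
    ],
    "MACs": [
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
        "umac-128@openssh.com",
    ],
}

# nmap section name -> sshd_config keyword
SECTIONS = {
    "kex_algorithms": "KexAlgorithms",
    "encryption_algorithms": "Ciphers",
    "mac_algorithms": "MACs",
}

# Constructed sample: a trimmed copy of the CentOS 6 (OpenSSH 5.3) listing.
CENTOS6_ENUM = """\
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (5)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour
|       3des-cbc
|   mac_algorithms: (4)
|       hmac-md5
|       hmac-sha1
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Matches section headers such as "|   kex_algorithms: (4)"
HEADER = re.compile(r"^\|_?\s*(\w+):\s*\((\d+)\)$")


def parse_enum_algos(text):
    """Map each `name: (n)` section of ssh2-enum-algos output to its algorithm list."""
    supported, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue                      # ignore anything outside the nmap block
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            supported[current] = []
            continue
        algo = line.lstrip("|_").strip()  # "|_      zlib@openssh.com" -> "zlib@openssh.com"
        if current and algo:
            supported[current].append(algo)
    return supported


def recommend(supported):
    """Keep preferred algorithms, in preference order, that the server actually offers."""
    out = {}
    for section, keyword in SECTIONS.items():
        offered = set(supported.get(section, []))
        out[keyword] = [a for a in PREFERRED[keyword] if a in offered]
    return out


def render_sshd_config(recommended):
    """Emit one sshd_config line per keyword; keywords with nothing usable are omitted."""
    return "\n".join(f"{k} {','.join(v)}" for k, v in recommended.items() if v)


def openssh_version(pkg_version):
    """'5.3p1-124.el6_10' -> (5, 3). Integer tuples compare correctly even when
    the minor version reaches 10, where a float would sort 7.10 below 7.4."""
    m = re.match(r"(\d+)\.(\d+)", pkg_version)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {pkg_version!r}")
    return int(m.group(1)), int(m.group(2))


if __name__ == "__main__":
    print(render_sshd_config(recommend(parse_enum_algos(CENTOS6_ENUM))))
    print("ed25519 host keys available:", openssh_version("5.3p1-124.el6_10") >= (6, 5))
```

Run against the sample it prints exactly the three CentOS 6 lines recommended above; feeding it the CentOS 7 listing yields the longer CentOS 7 set, since the intersection is taken in preference order rather than in the order the server advertises.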