From cf815a6652876de737cad0187c217be000359768 Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Wed, 15 Jul 2020 14:35:18 -0400
Subject: [PATCH] Added hardened OpenSSH policies.
---
 policies/openssh_7_7.txt | 21 +++++++++++++++++++++
 policies/openssh_7_8.txt | 21 +++++++++++++++++++++
 policies/openssh_7_9.txt | 21 +++++++++++++++++++++
 policies/openssh_8_0.txt | 21 +++++++++++++++++++++
 policies/openssh_8_1.txt | 21 +++++++++++++++++++++
 policies/openssh_8_2.txt | 25 +++++++++++++++++++++++++
 policies/openssh_8_3.txt | 25 +++++++++++++++++++++++++
 7 files changed, 155 insertions(+)
 create mode 100644 policies/openssh_7_7.txt
 create mode 100644 policies/openssh_7_8.txt
 create mode 100644 policies/openssh_7_9.txt
 create mode 100644 policies/openssh_8_0.txt
 create mode 100644 policies/openssh_8_1.txt
 create mode 100644 policies/openssh_8_2.txt
 create mode 100644 policies/openssh_8_3.txt
diff --git a/policies/openssh_7_7.txt b/policies/openssh_7_7.txt
new file mode 100644
index 0000000..57773ce
--- /dev/null
+++ b/policies/openssh_7_7.txt
@@ -0,0 +1,21 @@
+#
+# Official policy for hardened OpenSSH v7.7.
+#
+
+name = "Hardened OpenSSH v7.7"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
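Review bot: The `dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048` line sets a minimum that is weaker than the rest of a policy labelled "Hardened": 2048-bit finite-field DH is generally rated at roughly 112-bit security, while the other entries in the same file (group16/group18, curve25519, AES-256, SHA-2 MACs) all target 128 bits or more, so a 3072-bit floor would be the consistent choice. The same line appears unchanged in the v7.8, v7.9, v8.0, v8.1, v8.2 and v8.3 policies in this patch, so whatever is decided should be applied to all seven files. If 2048 is a deliberate compatibility choice, the comment above the line should say so, e.g. `# Minimum accepted modulus for group exchange; 2048 is kept for compatibility with stock moduli files, 3072+ is preferred.`; otherwise change the value to `dh_modulus_size_diffie-hellman-group-exchange-sha256 = 3072`.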
diff --git a/policies/openssh_7_8.txt b/policies/openssh_7_8.txt
new file mode 100644
index 0000000..046ed72
--- /dev/null
+++ b/policies/openssh_7_8.txt
@@ -0,0 +1,21 @@
+#
+# Official policy for hardened OpenSSH v7.8.
+#
+
+name = "Hardened OpenSSH v7.8"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/openssh_7_9.txt b/policies/openssh_7_9.txt
new file mode 100644
index 0000000..5477b82
--- /dev/null
+++ b/policies/openssh_7_9.txt
@@ -0,0 +1,21 @@
+#
+# Official policy for hardened OpenSSH v7.9.
+#
+
+name = "Hardened OpenSSH v7.9"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/openssh_8_0.txt b/policies/openssh_8_0.txt
new file mode 100644
index 0000000..3dad2b1
--- /dev/null
+++ b/policies/openssh_8_0.txt
@@ -0,0 +1,21 @@
+#
+# Official policy for hardened OpenSSH v8.0.
+#
+
+name = "Hardened OpenSSH v8.0"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/openssh_8_1.txt b/policies/openssh_8_1.txt
new file mode 100644
index 0000000..6cdfc3c
--- /dev/null
+++ b/policies/openssh_8_1.txt
@@ -0,0 +1,21 @@
+#
+# Official policy for hardened OpenSSH v8.1.
+#
+
+name = "Hardened OpenSSH v8.1"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/openssh_8_2.txt b/policies/openssh_8_2.txt
new file mode 100644
index 0000000..569d3a6
--- /dev/null
+++ b/policies/openssh_8_2.txt
@@ -0,0 +1,25 @@
+#
+# Official policy for hardened OpenSSH v8.2.
+#
+
+name = "Hardened OpenSSH v8.2"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/openssh_8_3.txt b/policies/openssh_8_3.txt
new file mode 100644
index 0000000..b1f5064
--- /dev/null
+++ b/policies/openssh_8_3.txt
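Review bot: The `host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519` line, combined with the "must match exactly" rule stated in the comment above it, makes an RSA host key mandatory rather than merely permitted, so a server hardened to the v7.7–v8.1 policies in this same patch (Ed25519 only) will fail the v8.2 policy; the v8.3 file has the identical line. That is presumably intentional, since the RSA entries come with a 4096-bit floor via `hostkey_size_rsa-sha2-256` / `hostkey_size_rsa-sha2-512`, but nothing in the file header records the change in expectation between versions. A one-line addition to the header comment would prevent the obvious support question, e.g. `# Unlike the v7.7–v8.1 policies, RSA (4096-bit, SHA-2 signatures) host keys are required in addition to Ed25519.`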
@@ -0,0 +1,25 @@
+#
+# Official policy for hardened OpenSSH v8.3.
+#
+
+name = "Hardened OpenSSH v8.3"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com