diff options
author | varac <varacanero@zeromail.org> | 2015-11-09 17:12:00 +0100 |
---|---|---|
committer | varac <varacanero@zeromail.org> | 2015-11-17 23:11:20 +0100 |
commit | 41a8b76828d4dfa6345a6a04f9f68621fb46fcd7 (patch) | |
tree | 316fe5b88cd462a66819e3ea011d41185ecea496 | |
parent | d3501d3e81a4a31248829a59ae68a15da4034bf8 (diff) |
[bug] Don't limit sshd KexAlgorithms
- #7591 Net::SSH::Exception: could not settle on kex algorithm
We need to disable the ssh hardened mode, because it will not work
together with the net-ssh gem leap_cli is pinned to.
All other options that would be included by this parameter are
included by '$::sshd::tail_additional_options'.
-rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 170be32c..e92a6af7 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,3 +1,4 @@ +# configures sshd, mosh, authorized keys and known hosts class site_sshd { $ssh = hiera_hash('ssh') $ssh_config = $ssh['config'] @@ -53,12 +54,20 @@ class site_sshd { ## SSHD SERVER CONFIGURATION ## class { '::sshd': - manage_nagios => false, - ports => [ $ssh['port'] ], - use_pam => 'yes', - hardened_ssl => 'yes', - print_motd => 'no', - tcp_forwarding => $ssh_config['AllowTcpForwarding'], - manage_client => false + manage_nagios => false, + ports => [ $ssh['port'] ], + use_pam => 'yes', + print_motd => 'no', + tcp_forwarding => $ssh_config['AllowTcpForwarding'], + manage_client => false, + use_storedconfigs => true, + # we cannot use the 'hardened' parameter because leap_cli uses an + # old net-ssh gem that is incompatible with the included + # "KexAlgorithms curve25519-sha256@libssh.org", + # see https://leap.se/code/issues/7591 + # therefore we don't use it here, but include all other options + # that would be applied by the 'hardened' parameter + tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' } } |