authorvarac <varacanero@zeromail.org>2015-11-09 17:12:00 +0100
committervarac <varacanero@zeromail.org>2015-11-17 23:11:20 +0100
commit41a8b76828d4dfa6345a6a04f9f68621fb46fcd7 (patch)
tree316fe5b88cd462a66819e3ea011d41185ecea496
parentd3501d3e81a4a31248829a59ae68a15da4034bf8 (diff)
[bug] Don't limit sshd KexAlgorithms
- #7591 Net::SSH::Exception: could not settle on kex algorithm. We need to disable the ssh hardened mode, because it will not work together with the net-ssh gem that leap_cli is pinned to. All other options that would be included by this parameter are included via '$::sshd::tail_additional_options'.
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp23
1 files changed, 16 insertions, 7 deletions
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 170be32c..e92a6af7 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,3 +1,4 @@
+# configures sshd, mosh, authorized keys and known hosts
class site_sshd {
$ssh = hiera_hash('ssh')
$ssh_config = $ssh['config']
@@ -53,12 +54,20 @@ class site_sshd {
## SSHD SERVER CONFIGURATION
##
class { '::sshd':
- manage_nagios => false,
- ports => [ $ssh['port'] ],
- use_pam => 'yes',
- hardened_ssl => 'yes',
- print_motd => 'no',
- tcp_forwarding => $ssh_config['AllowTcpForwarding'],
- manage_client => false
+ manage_nagios => false,
+ ports => [ $ssh['port'] ],
+ use_pam => 'yes',
+ print_motd => 'no',
+ tcp_forwarding => $ssh_config['AllowTcpForwarding'],
+ manage_client => false,
+ use_storedconfigs => true,
+ # we cannot use the 'hardened' parameter because leap_cli uses an
+ # old net-ssh gem that is incompatible with the included
+ # "KexAlgorithms curve25519-sha256@libssh.org",
+ # see https://leap.se/code/issues/7591
+ # therefore we don't use it here, but include all other options
+ # that would be applied by the 'hardened' parameter
+ tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
}
}
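Review bot: Dropping `hardened_ssl => 'yes'` removes the module's KexAlgorithms restriction, but the new `tail_additional_options` string only sets `Ciphers` and `MACs`, so sshd falls back to its built-in default key-exchange list, which on older OpenSSH releases includes weak groups such as diffie-hellman-group1-sha1; adding an explicit line that omits only the curve25519 entry, e.g. `KexAlgorithms diffie-hellman-group-exchange-sha256` appended to the string, would keep the hardening while still working with the pinned net-ssh gem (to be confirmed against that gem's supported kex list). The comment above the new option refers to "the 'hardened' parameter", while the removed line is `hardened_ssl => 'yes'`; the comment should use the real parameter name so the next reader can find what was disabled. The newly added `use_storedconfigs => true` is not mentioned in the commit message and looks unrelated to the kex fix, so it is worth a one-line comment or its own commit. The multi-line string literal is easy to break on re-indentation; `join([...], "\n")` would make the two config lines explicit.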