authorvarac <varacanero@zeromail.org>2015-11-19 00:10:23 +0100
committervarac <varacanero@zeromail.org>2015-11-19 00:10:23 +0100
commitd146d1525adfe1f08be9df0f72aac389e2370de5 (patch)
tree23590283793a18e24701071225d73dd370288b82 /puppet/modules/site_sshd
parent41a8b76828d4dfa6345a6a04f9f68621fb46fcd7 (diff)
[bug] Use right sshd Ciphers and MACs for wheezy
- Tested: [unstable.bitmask.net]
Diffstat (limited to 'puppet/modules/site_sshd')
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp24
1 files changed, 16 insertions, 8 deletions
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index e92a6af7..5efd459f 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -50,6 +50,21 @@ class site_sshd {
}
}
+ # we cannot use the 'hardened' parameter because leap_cli uses an
+ # old net-ssh gem that is incompatible with the included
+ # "KexAlgorithms curve25519-sha256@libssh.org",
+ # see https://leap.se/code/issues/7591
+ # therefore we don't use it here, but include all other options
+ # that would be applied by the 'hardened' parameter
+ # not all options are available on wheezy
+ if ( $::lsbdistcodename == 'wheezy' ) {
+ $tail_additional_options = 'Ciphers aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ } else {
+ $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ }
+
##
## SSHD SERVER CONFIGURATION
##
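Review bot: The `else` branch (`$tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,...`) silently drops the `-etm@openssh.com` MAC variants and `umac-128@openssh.com` that the removed literal in the second hunk carried, although the commit message only claims a wheezy fix; the encrypt-then-MAC variants are the stronger choice and were presumably available on the non-wheezy releases since the old value already used them. For that branch I would restore the original list, `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'`, so that only the wheezy branch is reduced. The comment above the `if` still says the value includes "all other options that would be applied by the 'hardened' parameter", which stops being accurate once entries are removed; either restore them or reword the comment to say the list is a reduced subset. `hmac-ripemd160` is kept last in both branches, presumably for older clients, and deserves a one-line comment such as `# hmac-ripemd160 is legacy; kept last for client compatibility` so a later reviewer does not have to guess. The enclosing class `site_sshd` starts before this hunk.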
@@ -61,13 +76,6 @@ class site_sshd {
tcp_forwarding => $ssh_config['AllowTcpForwarding'],
manage_client => false,
use_storedconfigs => true,
- # we cannot use the 'hardened' parameter because leap_cli uses an
- # old net-ssh gem that is incompatible with the included
- # "KexAlgorithms curve25519-sha256@libssh.org",
- # see https://leap.se/code/issues/7591
- # therefore we don't use it here, but include all other options
- # that would be applied by the 'hardened' parameter
- tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
+ tail_additional_options => $tail_additional_options
}
}