diff options
| author | varac <varacanero@zeromail.org> | 2015-11-19 00:10:23 +0100 |
|---|---|---|
| committer | varac <varacanero@zeromail.org> | 2015-11-19 00:10:23 +0100 |
| commit | d146d1525adfe1f08be9df0f72aac389e2370de5 (patch) | |
| tree | 23590283793a18e24701071225d73dd370288b82 /puppet/modules/site_sshd | |
| parent | 41a8b76828d4dfa6345a6a04f9f68621fb46fcd7 (diff) | |
[bug] Use right sshd Ciphers and MACs for wheezy
- Tested: [unstable.bitmask.net]
Diffstat (limited to 'puppet/modules/site_sshd')
| -rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index e92a6af7..5efd459f 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -50,6 +50,21 @@ class site_sshd { } } + # we cannot use the 'hardened' parameter because leap_cli uses an + # old net-ssh gem that is incompatible with the included + # "KexAlgorithms curve25519-sha256@libssh.org", + # see https://leap.se/code/issues/7591 + # therefore we don't use it here, but include all other options + # that would be applied by the 'hardened' parameter + # not all options are available on wheezy + if ( $::lsbdistcodename == 'wheezy' ) { + $tail_additional_options = 'Ciphers aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } else { + $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } + ## ## SSHD SERVER CONFIGURATION ## @@ -61,13 +76,6 @@ class site_sshd { tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, use_storedconfigs => true, - # we cannot use the 'hardened' parameter because leap_cli uses an - # old net-ssh gem that is incompatible with the included - # "KexAlgorithms curve25519-sha256@libssh.org", - # see https://leap.se/code/issues/7591 - # therefore we don't use it here, but include all other options - # that would be applied by the 'hardened' parameter - tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' + tail_additional_options => $tail_additional_options } } |