From 41a8b76828d4dfa6345a6a04f9f68621fb46fcd7 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Mon, 9 Nov 2015 17:12:00 +0100
Subject: [bug] Don't limit sshd KexAlgorithms

- #7591 Net::SSH::Exception: could not settle on kex algorithm

  We need to disable the ssh hardened mode, because it will not work
  together with the net-ssh gem leap_cli is pinned to.

  All other options that would be included by this parameter are
  included by '$::sshd::tail_additional_options'.
---
 puppet/modules/site_sshd/manifests/init.pp | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

(limited to 'puppet/modules/site_sshd/manifests')

diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 170be32c..e92a6af7 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,3 +1,4 @@
+# configures sshd, mosh, authorized keys and known hosts
 class site_sshd {
   $ssh        = hiera_hash('ssh')
   $ssh_config = $ssh['config']
@@ -53,12 +54,20 @@ class site_sshd {
   ## SSHD SERVER CONFIGURATION
   ##
   class { '::sshd':
-    manage_nagios  => false,
-    ports          => [ $ssh['port'] ],
-    use_pam        => 'yes',
-    hardened_ssl   => 'yes',
-    print_motd     => 'no',
-    tcp_forwarding => $ssh_config['AllowTcpForwarding'],
-    manage_client  => false
+    manage_nagios           => false,
+    ports                   => [ $ssh['port'] ],
+    use_pam                 => 'yes',
+    print_motd              => 'no',
+    tcp_forwarding          => $ssh_config['AllowTcpForwarding'],
+    manage_client           => false,
+    use_storedconfigs       => true,
+    # we cannot use the 'hardened' parameter because leap_cli uses an
+    # old net-ssh gem that is incompatible with the included
+    # "KexAlgorithms curve25519-sha256@libssh.org",
+    # see https://leap.se/code/issues/7591
+    # therefore we don't use it here, but include all other options
+    # that would be applied by the 'hardened' parameter
+    tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
   }
 }
-- 
cgit v1.2.3