From d146d1525adfe1f08be9df0f72aac389e2370de5 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 19 Nov 2015 00:10:23 +0100
Subject: [bug] Use right sshd Ciphers and MACs for wheezy
- Tested: [unstable.bitmask.net]
---
 puppet/modules/site_sshd/manifests/init.pp | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
(limited to 'puppet/modules/site_sshd')
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index e92a6af7..5efd459f 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -50,6 +50,21 @@ class site_sshd {
     }
   }
 
+  # we cannot use the 'hardened' parameter because leap_cli uses an
+  # old net-ssh gem that is incompatible with the included
+  # "KexAlgorithms curve25519-sha256@libssh.org",
+  # see https://leap.se/code/issues/7591
+  # therefore we don't use it here, but include all other options
+  # that would be applied by the 'hardened' parameter
+  # not all options are available on wheezy
+  if ( $::lsbdistcodename == 'wheezy' ) {
+    $tail_additional_options = 'Ciphers aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+  } else {
+    $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+  }
+
   ##
   ## SSHD SERVER CONFIGURATION
   ##
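Review bot: The else branch (`$tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr` followed by `MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'`) quietly shortens the MAC list for every non-wheezy host: the value it replaces, removed in the second hunk, listed the `-etm@openssh.com` encrypt-then-MAC variants and `umac-128` ahead of the plain HMACs, while the new value keeps only the three plain ones. The commit message claims a wheezy-only fix, so this looks unintended; unless the shorter list was deliberate, the else branch should carry the previous line, `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'`. Since the two branches would then differ in both lines, the reason for the split is also worth stating: `# not all options are available on wheezy` would read better as `# wheezy's sshd accepts only aes256-ctr and the plain hmac-sha2 MACs here, presumably because it predates the other algorithms; confirm before extending the list`. The enclosing class site_sshd continues outside this hunk.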
@@ -61,13 +76,6 @@ class site_sshd {
     tcp_forwarding => $ssh_config['AllowTcpForwarding'],
     manage_client => false,
     use_storedconfigs => true,
-    # we cannot use the 'hardened' parameter because leap_cli uses an
-    # old net-ssh gem that is incompatible with the included
-    # "KexAlgorithms curve25519-sha256@libssh.org",
-    # see https://leap.se/code/issues/7591
-    # therefore we don't use it here, but include all other options
-    # that would be applied by the 'hardened' parameter
-    tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
+    tail_additional_options => $tail_additional_options
   }
 }
-- 
cgit v1.2.3