]> gitweb.fluxo.info Git - puppet-sshd.git/commitdiff
projects / puppet-sshd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1bc341a)
Remove deprecated/unsafe algorithms from hardened config as reported by ssh-audit.py
authorSilvio Rhatto <rhatto@riseup.net>
Tue, 25 Sep 2018 21:17:02 +0000 (18:17 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Tue, 25 Sep 2018 21:17:02 +0000 (18:17 -0300)
templates/sshd_config/Debian_buster.erb patch | blob | history
templates/sshd_config/Debian_stretch.erb patch | blob | history
templates/sshd_config/Ubuntu_bionic.erb patch | blob | history

diff --git a/templates/sshd_config/Debian_buster.erb b/templates/sshd_config/Debian_buster.erb
index 33c874be2ec72afdc35d9fa7e3784f73f85ebc43..0a4fd31dcca7112e94d7cbd0d5f92c75871b1aa4 100644 (file)
--- a/templates/sshd_config/Debian_buster.erb
+++ b/templates/sshd_config/Debian_buster.erb
@@ -114,9 +114,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
-KexAlgorithms curve25519-sha256@libssh.org
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes128-gcm@openssh.com,aes192-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
 <% end -%>
 
 <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Debian_stretch.erb b/templates/sshd_config/Debian_stretch.erb
index 91dbfff021c824d07b2a1bd1b87396d240e09052..0a4fd31dcca7112e94d7cbd0d5f92c75871b1aa4 100644 (file)
--- a/templates/sshd_config/Debian_stretch.erb
+++ b/templates/sshd_config/Debian_stretch.erb
@@ -114,9 +114,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
-KexAlgorithms curve25519-sha256@libssh.org
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes128-gcm@openssh.com,aes192-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
 <% end -%>
 
 <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Ubuntu_bionic.erb b/templates/sshd_config/Ubuntu_bionic.erb
index ae2d67b807bde42392126b3a36de5e0797e4a4e0..dbf413f2c4ae6ab8ac9fc80ec306438c8324679c 100644 (file)
--- a/templates/sshd_config/Ubuntu_bionic.erb
+++ b/templates/sshd_config/Ubuntu_bionic.erb
@@ -118,9 +118,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
-KexAlgorithms curve25519-sha256@libssh.org
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr,aes128-gcm@openssh.com,aes192-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
 <% end -%>
 
 <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
Puppet module for sshd