]> gitweb.fluxo.info Git - puppet-sshd.git/commitdiff
projects / puppet-sshd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 430c482)
Implement enhanced symmetric cipher selection, based on
authorMicah Anderson <micah@riseup.net>
Fri, 1 May 2015 17:57:37 +0000 (13:57 -0400)
committerMicah Anderson <micah@riseup.net>
Mon, 4 May 2015 19:42:26 +0000 (15:42 -0400)
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed

templates/sshd_config/CentOS_6.erb patch | blob | history
templates/sshd_config/CentOS_7.erb patch | blob | history
templates/sshd_config/Debian_jessie.erb patch | blob | history
templates/sshd_config/Debian_sid.erb patch | blob | history
templates/sshd_config/Debian_wheezy.erb patch | blob | history
templates/sshd_config/FreeBSD.erb patch | blob | history
templates/sshd_config/Gentoo.erb patch | blob | history
templates/sshd_config/OpenBSD.erb patch | blob | history
templates/sshd_config/Ubuntu.erb patch | blob | history
templates/sshd_config/Ubuntu_lucid.erb patch | blob | history

diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb
index f27e5673618361095a46110f80945a8f335741ff..325c73a5e3128d5e9da431080e1a0da25b199b79 100644 (file)
--- a/templates/sshd_config/CentOS_6.erb
+++ b/templates/sshd_config/CentOS_6.erb
@@ -153,8 +153,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb
index c6ecd0691330fa7d4c194f8a91a02647f761c077..b120356227f2e004ec4ceb4593be1592257141ba 100644 (file)
--- a/templates/sshd_config/CentOS_7.erb
+++ b/templates/sshd_config/CentOS_7.erb
@@ -167,8 +167,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb
index 19d4327ea05450a6bbd0aa59c91d9b467919b998..7b74e7677c3407d7bc50df9f00a4b031bcdd6a25 100644 (file)
--- a/templates/sshd_config/Debian_jessie.erb
+++ b/templates/sshd_config/Debian_jessie.erb
@@ -113,7 +113,7 @@ AllowGroups <%= s %>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 KexAlgorithms curve25519-sha256@libssh.org
-Ciphers aes256-ctr
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 19d4327ea05450a6bbd0aa59c91d9b467919b998..7b74e7677c3407d7bc50df9f00a4b031bcdd6a25 100644 (file)
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -113,7 +113,7 @@ AllowGroups <%= s %>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 KexAlgorithms curve25519-sha256@libssh.org
-Ciphers aes256-ctr
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index e8465eab4c12ce19c53893851f010018a75a6d4c..214fbd9bff3bc8df20ad14eee8493eb5dfbbfbe6 100644 (file)
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -117,8 +117,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 8655c53a5512d778f3b70ebb97532cebd3bbf439..3e1332879c81ed23151f0e48917d6987af3a127a 100644 (file)
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -155,8 +155,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 1508d707667c6e3487a1f7fcf34e5f84cceea70f..3d37d62c20ae2310618d23884384b8070eab1358 100644 (file)
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -150,8 +150,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 591d980066c5edd5dbf10d630006922134d93c8e..aa6868ea14d7b3006dd38937cefb6819178a4f17 100644 (file)
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -131,8 +131,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
index 28ee5f6609c5cc4770a6e0a99f025a4e6e531db0..2f8cb3e15c64b1032a1f13fcdd0a1839d8fa8e72 100644 (file)
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@ -118,8 +118,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index 36f787be0b5755dc39aae590be14ae2f5b534ccf..109b49f335f0724bce0a7e5550440a353d6b3e77 100644 (file)
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -121,8 +121,10 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 
Puppet module for sshd