Introducing perfect forward secrecy for SSH

author Silvio Rhatto <rhatto@riseup.net>

Thu, 16 Dec 2010 22:20:53 +0000 (20:20 -0200)

committer Silvio Rhatto <rhatto@riseup.net>

Thu, 16 Dec 2010 22:20:53 +0000 (20:20 -0200)
author Silvio Rhatto <rhatto@riseup.net>
Thu, 16 Dec 2010 22:20:53 +0000 (20:20 -0200)
committer Silvio Rhatto <rhatto@riseup.net>
Thu, 16 Dec 2010 22:20:53 +0000 (20:20 -0200)
diff --git a/manifests/init.pp b/manifests/init.pp

index c0a8cd5cbace8f55287ca8f97cc11ba21c7c4ed4..ede4fdc0bae552cf0a37f5607a7ca847e85e3696 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -217,6 +217,9 @@ class sshd {
    case $sshd_shared_ip {
      '': { $sshd_shared_ip = "no" }
    }
+  case $sshd_perfect_forward_secrecy {
+    '': { $sshd_perfect_forward_secrecy = "no" }
+  }
  
    include sshd::client 
  
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb

index 5f7afb481bb2ad583bb155ff7114a91be2a5dc29..3e4d1f760c200e41ff5a6a77118b2cf06dae1d52 100644 (file)
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -190,3 +190,7 @@ PrintMotd no
  <%= sshd_tail_additional_options %>
  <%- end %>
  
+<%- if sshd_perfect_forward_secrecy.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end %>
author	Silvio Rhatto <rhatto@riseup.net>
	Thu, 16 Dec 2010 22:20:53 +0000 (20:20 -0200)
committer	Silvio Rhatto <rhatto@riseup.net>
	Thu, 16 Dec 2010 22:20:53 +0000 (20:20 -0200)
manifests/init.pp		patch \| blob \| history
templates/sshd_config/Debian_lenny.erb		patch \| blob \| history