Implement KexAlgorithms settings, based on Key exchange section of

https://stribika.github.io/2015/01/04/secure-secure-shell.html

Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.

diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb
index 97e9a5b49142a9eff6b4badf4ae62f364e450d7c..f27e5673618361095a46110f80945a8f335741ff 100644 (file)
--- a/templates/sshd_config/CentOS_6.erb
+++ b/templates/sshd_config/CentOS_6.erb
@@ -151,6 +151,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb
index cad9f59075eb9cd91c42eefe5782c875be0f5aa5..c6ecd0691330fa7d4c194f8a91a02647f761c077 100644 (file)
--- a/templates/sshd_config/CentOS_7.erb
+++ b/templates/sshd_config/CentOS_7.erb
@@ -165,6 +165,9 @@ AllowGroups <%= s %>
 #  CheckHostIP no
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb
index ada38912a3e3e3e6c6d5c996228ca88be3e299ca..19d4327ea05450a6bbd0aa59c91d9b467919b998 100644 (file)
--- a/templates/sshd_config/Debian_jessie.erb
+++ b/templates/sshd_config/Debian_jessie.erb
@@ -112,6 +112,7 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+KexAlgorithms curve25519-sha256@libssh.org
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index ada38912a3e3e3e6c6d5c996228ca88be3e299ca..19d4327ea05450a6bbd0aa59c91d9b467919b998 100644 (file)
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -112,6 +112,7 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+KexAlgorithms curve25519-sha256@libssh.org
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index 4633c099fb92fca3aec84b4fc0f9c2b7a6063bfa..e8465eab4c12ce19c53893851f010018a75a6d4c 100644 (file)
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -115,6 +115,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index f5bd4390d853c87fbc5deff711234f26c6d82448..8655c53a5512d778f3b70ebb97532cebd3bbf439 100644 (file)
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -153,6 +153,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 6e51b4c92d286db8245a301274d32697f92793af..1508d707667c6e3487a1f7fcf34e5f84cceea70f 100644 (file)
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -148,6 +148,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 7577bacd20195aa3657a054759cb509d7befea1e..591d980066c5edd5dbf10d630006922134d93c8e 100644 (file)
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -129,6 +129,9 @@ AllowGroups <%= s %>
 #      ForceCommand cvs server
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
index d42fac109ec0ca75773bd4175e714fa8eb86ac30..28ee5f6609c5cc4770a6e0a99f025a4e6e531db0 100644 (file)
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@ -116,6 +116,9 @@ AllowGroups <%= s %>
 <%- end -%>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>

diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index 1ed8fd791acd5867c4b2ad15c83dfac1024ef194..36f787be0b5755dc39aae590be14ae2f5b534ccf 100644 (file)
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -119,6 +119,9 @@ AllowGroups <%= s %>
 PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+<% end -%>
 Ciphers aes256-ctr
 MACs hmac-sha1
 <% end -%>