choose better MAC for squeeze and wheezy

both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.

diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index 5845a3dbd5a0ee0371c368ade313706b27d06b47..1483480bf7b6a0c6c80806e5efd056c18a397b75 100644 (file)
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -117,7 +117,7 @@ AllowGroups <%= s %>
 
 <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
 Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
 <% end -%>
 
 <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>

diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index f9a476b6ced05278857c43e97503ed70f008b733..bf52df77f18878a1188d1b62f680479bb18670ea 100644 (file)
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -121,7 +121,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
 <% end -%>
 <% end -%>