]> gitweb.fluxo.info Git - puppet-sshd.git/commitdiff
projects / puppet-sshd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1402e67)
Implement enhanced MAC (Message Authentication Codes) according to
authorMicah Anderson <micah@riseup.net>
Fri, 1 May 2015 18:00:56 +0000 (14:00 -0400)
committerMicah Anderson <micah@riseup.net>
Mon, 4 May 2015 19:42:26 +0000 (15:42 -0400)
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html

templates/sshd_config/CentOS_6.erb patch | blob | history
templates/sshd_config/CentOS_7.erb patch | blob | history
templates/sshd_config/Debian_jessie.erb patch | blob | history
templates/sshd_config/Debian_sid.erb patch | blob | history
templates/sshd_config/Debian_wheezy.erb patch | blob | history
templates/sshd_config/FreeBSD.erb patch | blob | history
templates/sshd_config/Gentoo.erb patch | blob | history
templates/sshd_config/OpenBSD.erb patch | blob | history
templates/sshd_config/Ubuntu.erb patch | blob | history
templates/sshd_config/Ubuntu_lucid.erb patch | blob | history

diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb
index 325c73a5e3128d5e9da431080e1a0da25b199b79..4c1e28af8882ad922fadea4d891a9c407064745f 100644 (file)
--- a/templates/sshd_config/CentOS_6.erb
+++ b/templates/sshd_config/CentOS_6.erb
@@ -154,11 +154,12 @@ AllowGroups <%= s %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb
index b120356227f2e004ec4ceb4593be1592257141ba..5acef6d9c20fca6edb06b2116a8de8b0b183230f 100644 (file)
--- a/templates/sshd_config/CentOS_7.erb
+++ b/templates/sshd_config/CentOS_7.erb
@@ -168,11 +168,12 @@ AllowGroups <%= s %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb
index 7b74e7677c3407d7bc50df9f00a4b031bcdd6a25..0138acfbd3264915008f1817c32990f2a1df4666 100644 (file)
--- a/templates/sshd_config/Debian_jessie.erb
+++ b/templates/sshd_config/Debian_jessie.erb
@@ -114,7 +114,7 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 7b74e7677c3407d7bc50df9f00a4b031bcdd6a25..0138acfbd3264915008f1817c32990f2a1df4666 100644 (file)
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -114,7 +114,7 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index 214fbd9bff3bc8df20ad14eee8493eb5dfbbfbe6..961b26d9468d63a67c7d4422c19bb50e531260cb 100644 (file)
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -118,11 +118,12 @@ AllowGroups <%= s %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index 3e1332879c81ed23151f0e48917d6987af3a127a..91b5e77a9a2c7a3758561ac85e534e3bbe5574a6 100644 (file)
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -156,11 +156,12 @@ AllowGroups <%= s %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 3d37d62c20ae2310618d23884384b8070eab1358..ac6ae51fc789b96abfc8bf36e3b75653aa3bab69 100644 (file)
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -151,11 +151,12 @@ AllowGroups <%= s %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index aa6868ea14d7b3006dd38937cefb6819178a4f17..cc1c2b9e739a958608d3c451a64ebb84cc000d27 100644 (file)
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -132,11 +132,12 @@ AllowGroups <%= s %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
index 2f8cb3e15c64b1032a1f13fcdd0a1839d8fa8e72..29c1bf90cbb91da022a08e09c78f876f19f177d2 100644 (file)
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@ -119,11 +119,12 @@ AllowGroups <%= s %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index 109b49f335f0724bce0a7e5550440a353d6b3e77..550243f6d6ae71a6fa0ddf7f9f984a64788be68e 100644 (file)
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -122,11 +122,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-<% end -%>
 MACs hmac-sha1
 <% end -%>
+<% end -%>
 
 <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
 <%= s %>
Puppet module for sshd