Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshd

author Silvio Rhatto <rhatto@riseup.net>

Sat, 19 Mar 2016 13:17:30 +0000 (10:17 -0300)

committer Silvio Rhatto <rhatto@riseup.net>

Sat, 19 Mar 2016 13:17:30 +0000 (10:17 -0300)
author Silvio Rhatto <rhatto@riseup.net>
Sat, 19 Mar 2016 13:17:30 +0000 (10:17 -0300)
committer Silvio Rhatto <rhatto@riseup.net>
Sat, 19 Mar 2016 13:17:30 +0000 (10:17 -0300)
diff --cc templates/sshd_config/FreeBSD.erb

index 81b7e10285497a3047f852e79e347ea9506e7dfd,5298ade93e01b7062c0e4c68c20df11aa1e94a65..40a4caad3b95d3f194043d133bf92f66cac4a532
--- 1/templates/sshd_config/FreeBSD.erb
--- 2/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@@ -151,11 -152,17 +152,17 @@@ AllowUsers <%= s %
   AllowGroups <%= s %>
   <%- end -%>
   
- <% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+ <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
+ <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+ KexAlgorithms curve25519-sha256@libssh.org
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+ <% else -%>
   Ciphers aes256-ctr
- -MACs hmac-sha1
+ +MACs hmac-sha2-512
   <% end -%>
+ <% end -%>
   
- <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+ <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
   <%= s %>
   <% end -%>
diff --cc templates/sshd_config/Gentoo.erb

index cdd51d845bb1a3ba0af9887d0116db8ad68efd0a,022a26e7c95f26f2bb073d0fc325fd44663b824d..753e24a5ecdf8835cc378c8b7bf9382a3e2edd3b
--- 1/templates/sshd_config/Gentoo.erb
--- 2/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@@ -147,12 -147,18 +147,18 @@@ AllowUsers <%= s %
   AllowGroups <%= s %>
   <%- end -%>
   
- <% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+ <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
+ <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+ KexAlgorithms curve25519-sha256@libssh.org
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+ <% else -%>
   Ciphers aes256-ctr
- -MACs hmac-sha1
+ +MACs hmac-sha2-512
   <% end -%>
+ <% end -%>
   
- <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+ <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
   <%= s %>
   <% end -%>
   
diff --cc templates/sshd_config/OpenBSD.erb

index ea6e8a859068e4d76879549df1b78b005bbc2da9,db730300adb2795b927df48cdc3c7b156eb51118..aec299cde936f284348c10226cc990452dde8cce
--- 1/templates/sshd_config/OpenBSD.erb
--- 2/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@@ -128,11 -128,17 +128,17 @@@ AllowGroups <%= s %
   #     AllowTcpForwarding no
   #     ForceCommand cvs server
   
- <% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+ <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
+ <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+ KexAlgorithms curve25519-sha256@libssh.org
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+ <% else -%>
   Ciphers aes256-ctr
- -MACs hmac-sha1
+ +MACs hmac-sha2-512
   <% end -%>
+ <% end -%>
   
- <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+ <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
   <%= s %>
   <% end -%>
diff --cc templates/sshd_config/Ubuntu.erb

index 40040d1b0a01969e5bbfaf28bcd6a919605e0797,a326ab87714ba320ad40b53beedf3fc62d1e667a..1adb4f263a06f04f4e69058bbd147b8c74a91455
--- 1/templates/sshd_config/Ubuntu.erb
--- 2/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@@ -113,11 -117,17 +117,17 @@@ AllowUsers <%= s %
   AllowGroups <%= s %>
   <%- end -%>
   
- <% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+ <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
+ <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+ KexAlgorithms curve25519-sha256@libssh.org
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+ <% else -%>
   Ciphers aes256-ctr
- -MACs hmac-sha1
+ +MACs hmac-sha2-512
   <% end -%>
+ <% end -%>
   
- <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+ <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
   <%= s %>
   <% end -%>
diff --cc templates/sshd_config/Ubuntu_lucid.erb

index 4d5f6405de583bfa378d5fff6c4dbf69d79ddce5,be7c56d038c16ca2628afef63fd49bd53441b2e2..4d147a2d74125a14416b79d4555ba09168a0e039
--- 1/templates/sshd_config/Ubuntu_lucid.erb
--- 2/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@@ -114,13 -118,19 +118,19 @@@ AllowUsers <%= s %
   AllowGroups <%= s %>
   <%- end -%>
   
- PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
+ PrintMotd <%= scope.lookupvar('::sshd::print_motd') %>
   
- <% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+ <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
+ <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+ KexAlgorithms curve25519-sha256@libssh.org
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+ <% else -%>
   Ciphers aes256-ctr
- -MACs hmac-sha1
+ +MACs hmac-sha2-512
   <% end -%>
+ <% end -%>
   
- <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
+ <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
   <%= s %>
   <% end -%>
author	Silvio Rhatto <rhatto@riseup.net>
	Sat, 19 Mar 2016 13:17:30 +0000 (10:17 -0300)
committer	Silvio Rhatto <rhatto@riseup.net>
	Sat, 19 Mar 2016 13:17:30 +0000 (10:17 -0300)
		1	2
templates/sshd_config/FreeBSD.erb	patch \|	diff1 \|	diff2 \|	blob \| history
templates/sshd_config/Gentoo.erb	patch \|	diff1 \|	diff2 \|	blob \| history
templates/sshd_config/OpenBSD.erb	patch \|	diff1 \|	diff2 \|	blob \| history
templates/sshd_config/Ubuntu.erb	patch \|	diff1 \|	diff2 \|	blob \| history
templates/sshd_config/Ubuntu_lucid.erb	patch \|	diff1 \|	diff2 \|	blob \| history