From: Silvio Rhatto
Date: Thu, 16 Dec 2010 22:20:53 +0000 (-0200)
Subject: Introducing perfect forward secrecy for SSH
X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=30a4593a05a09b669a9cd8fff4318779a532b123;p=puppet-sshd.git
Introducing perfect forward secrecy for SSH
---
diff --git a/manifests/init.pp b/manifests/init.pp
index c0a8cd5..ede4fdc 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -217,6 +217,9 @@ class sshd {
 case $sshd_shared_ip {
 '': { $sshd_shared_ip = "no" }
 }
+ case $sshd_perfect_forward_secrecy {
+ '': { $sshd_perfect_forward_secrecy = "no" }
+ }
 include sshd::client
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 5f7afb4..3e4d1f7 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -190,3 +190,7 @@ PrintMotd no
 <%= sshd_tail_additional_options %>
 <%- end %>
+<%- if sshd_perfect_forward_secrecy.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end %>
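Review bot: The new `$sshd_perfect_forward_secrecy` default is undocumented, and nothing near the added `case` says which values are honoured or what the flag changes. A comment above it such as `# 'yes' pins Ciphers and MACs in sshd_config; any other value keeps the sshd defaults` would help, since the template in this commit compares against the literal string 'yes' only. Only the Debian_lenny template is touched here, so on other platforms the flag presumably has no effect, which is worth stating in the same comment. The `class sshd` body starts and ends outside the hunk.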
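Review bot: The `Ciphers` and `MACs` lines added under the `sshd_perfect_forward_secrecy` guard restrict the symmetric cipher and the integrity algorithm, but forward secrecy in SSH protocol 2 comes from the ephemeral Diffie-Hellman key exchange, which neither directive touches. The flag therefore reads as a stronger guarantee than the block delivers; a comment such as `# Restricts cipher and MAC choice only; key exchange is left at the sshd default`, or a name that describes cipher hardening, would be more accurate. Pinning a single value in each directive also means any client without aes256-ctr or hmac-sha1 fails negotiation, so a short ordered list like `Ciphers aes256-ctr,aes192-ctr,aes128-ctr` is safer operationally. If the sshd version this template targets offers SHA-2 MACs, they should be listed ahead of `hmac-sha1`.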