From: intrigeri <intrigeri@boum.org>
Date: Sun, 6 Mar 2011 08:10:44 +0000 (+0100)
Subject: New opt-in support to only use strong SSL ciphers and MACs.
X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=34863e959fcd05dd325a658561f14580d49b6764;p=puppet-sshd.git

New opt-in support to only use strong SSL ciphers and MACs.

The new configuration variable is $sshd_hardened_ssl.
Settings were stolen from https://github.com/ioerror/duraconf.git.
---

diff --git a/README b/README
index fa4214d..9cf253f 100644
--- a/README
+++ b/README
@@ -170,6 +170,10 @@ The following is a list of the currently available variables:
     (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile
     %h/.ssh/authorized_keys
 
+ $sshd_hardened_ssl
+    Use only strong SSL ciphers and MAC.
+    Values: no or yes; Default: no.
+
  $sshd_sftp_subsystem
     Set a different sftp-subystem than the default one. Might be interesting for
     sftponly usage. Default: empty -> no change of the default
diff --git a/manifests/init.pp b/manifests/init.pp
index 991fbba..cc5f10e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -77,6 +77,9 @@ class sshd {
   case $sshd_authorized_keys_file {
     '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
   }
+  case $sshd_hardened_ssl {
+    '': { $sshd_hardened_ssl = 'no' }
+  }
   case $sshd_sftp_subsystem {
     '': { $sshd_sftp_subsystem = '' }
   }
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 544effe..859759a 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end -%>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index c90a5fe..23559fc 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -172,6 +172,11 @@ AllowGroups <%= sshd_allowed_groups %>
 
 PrintMotd no
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 14e32bf..65befdc 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -181,6 +181,11 @@ AllowGroups <%= sshd_allowed_groups %>
 
 PrintMotd no
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 6dc9333..0213342 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index cf50ddb..dfebcc3 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 768d3f5..f9f5b23 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -208,6 +208,10 @@ AllowUsers <%= sshd_allowed_users %>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
 
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 51662d3..7a20cd9 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %>
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>