Implement enhanced symmetric cipher selection, based on

https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed

templates/sshd_config/CentOS_6.erb

@@ -153,8 +153,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/CentOS_7.erb

@@ -167,8 +167,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/Debian_jessie.erb

@@ -113,7 +113,7 @@ AllowGroups <%= s %>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 KexAlgorithms curve25519-sha256@libssh.org
-Ciphers aes256-ctr
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/Debian_sid.erb

@@ -113,7 +113,7 @@ AllowGroups <%= s %>
 
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 KexAlgorithms curve25519-sha256@libssh.org
-Ciphers aes256-ctr
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/Debian_wheezy.erb

@@ -117,8 +117,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/FreeBSD.erb

@@ -155,8 +155,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/Gentoo.erb

@@ -150,8 +150,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/OpenBSD.erb

@@ -131,8 +131,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/Ubuntu.erb

@@ -118,8 +118,10 @@ AllowGroups <%= s %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>
 

templates/sshd_config/Ubuntu_lucid.erb

@@ -121,8 +121,10 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
 <% if scope.lookupvar('sshd::hardened') == 'yes' -%>
 <% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
 KexAlgorithms curve25519-sha256@libssh.org
-<% end -%>
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+<% else -%>
 Ciphers aes256-ctr
+<% end -%>
 MACs hmac-sha1
 <% end -%>