choose better MAC for squeeze and wheezy

both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
2015-09-11 16:01:02 -07:00 · 2015-09-11 16:01:02 -07:00 · 8acb349e8b
commit 8acb349e8b
parent abd504a5f4
2 changed files with 2 additions and 2 deletions
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@ -117,7 +117,7 @@ AllowGroups <%= s %>

 <% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
 Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
 <% end -%>

 <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@ -121,7 +121,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
 <% else -%>
 Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
 <% end -%>
 <% end -%>