Implement enhanced MAC (Message Authentication Codes) according to the
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
This commit is contained in:
parent
1402e67b21
commit
e4a9c15987
10 changed files with 18 additions and 10 deletions
@ -154,11 +154,12 @@ AllowGroups <%= s %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
# Example of overriding settings on a per-user basis
#Match User anoncvs
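Review bot: The `MACs` line emitted under the `ssh_version >= 6.5` branch mixes the four `-etm` MACs with `hmac-ripemd160`, `hmac-ripemd160-etm@openssh.com` and the plain `hmac-sha2-512`, `hmac-sha2-256` and `umac-128@openssh.com`, so a peer that declines every ETM variant still negotiates a non-ETM or RIPEMD-160 MAC; as far as I recall this is the referenced guide's client-side list, its sshd_config list stops at the `-etm` entries, and RIPEMD-160 MAC support has since been dropped from OpenSSH, so `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com` is the tighter server value. The page has lost the +/- markers, so I cannot tell whether `MACs hmac-sha1` after the inner `<% end -%>` survives on the new side; if it does it is emitted for both branches, which sshd tolerates because it keeps the first value of a repeated keyword, but moving it into the `<% else -%>` branch would make the intent explicit. The two trailing `<% end -%>` lines close blocks that open outside the hunk. The same list appears in the hunks at `@ -168,11 +168,12 @@`, `@ -114,7 +114,7 @@`, `@ -118,11 +118,12 @@`, `@ -156,11 +156,12 @@`, `@ -151,11 +151,12 @@`, `@ -132,11 +132,12 @@`, `@ -119,11 +119,12 @@` and `@ -122,11 +122,12 @@`.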
@ -168,11 +168,12 @@ AllowGroups <%= s %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
# Example of overriding settings on a per-user basis
#Match User anoncvs
@ -114,7 +114,7 @@ AllowGroups <%= s %>
<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha1
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
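Review bot: The hardened template emits the new `MACs` list whenever `sshd::hardened == 'yes'` with no `::ssh_version` gate, unlike the other templates in this commit, which guard their cipher and MAC lines with `scope.function_versioncmp`. The `-etm` and `umac-128` names need a newer OpenSSH than `hmac-sha1` did, and as far as I know an sshd that does not recognise a MAC name rejects the whole configuration with a bad MAC spec error and fails to start, so this is an availability risk on older hosts. Either place the line under the same `function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])` check the other templates use, or document in the `sshd` class the minimum OpenSSH version that `hardened` assumes. The enclosing template continues outside the hunk, and the same applies to the hunk at the second `@ -114,7 +114,7 @@`.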
@ -114,7 +114,7 @@ AllowGroups <%= s %>
<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha1
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
@ -118,11 +118,12 @@ AllowGroups <%= s %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
@ -156,11 +156,12 @@ AllowGroups <%= s %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
@ -151,11 +151,12 @@ AllowGroups <%= s %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
@ -132,11 +132,12 @@ AllowGroups <%= s %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
@ -119,11 +119,12 @@ AllowGroups <%= s %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
@ -122,11 +122,12 @@ PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
<% end -%>
MACs hmac-sha1
<% end -%>
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>