authorintrigeri <intrigeri@boum.org>2011-03-06 09:10:44 +0100
committerintrigeri <intrigeri@boum.org>2011-06-21 00:27:55 +0200
commit34863e959fcd05dd325a658561f14580d49b6764 (patch)
tree5deef5ff63629e746d3b3abc6b36b4baf31d2331
parentaf76f6cfe70c416cbbf72f9c685a0d54c6eb4afb (diff)
New opt-in support to only use strong SSL ciphers and MACs.
The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git.
-rw-r--r--README4
-rw-r--r--manifests/init.pp3
-rw-r--r--templates/sshd_config/CentOS.erb5
-rw-r--r--templates/sshd_config/Debian_etch.erb5
-rw-r--r--templates/sshd_config/Debian_lenny.erb5
-rw-r--r--templates/sshd_config/Debian_sid.erb5
-rw-r--r--templates/sshd_config/Debian_squeeze.erb5
-rw-r--r--templates/sshd_config/Gentoo.erb4
-rw-r--r--templates/sshd_config/OpenBSD.erb5
9 files changed, 41 insertions, 0 deletions
diff --git a/README b/README
index fa4214d..9cf253f 100644
--- a/README
+++ b/README
@@ -170,6 +170,10 @@ The following is a list of the currently available variables:
(e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile
%h/.ssh/authorized_keys
+ $sshd_hardened_ssl
+ Use only strong SSL ciphers and MAC.
+ Values: no or yes; Default: no.
+
$sshd_sftp_subsystem
Set a different sftp-subystem than the default one. Might be interesting for
sftponly usage. Default: empty -> no change of the default
diff --git a/manifests/init.pp b/manifests/init.pp
index 991fbba..cc5f10e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -77,6 +77,9 @@ class sshd {
case $sshd_authorized_keys_file {
'': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
}
+ case $sshd_hardened_ssl {
+ '': { $sshd_hardened_ssl = 'no' }
+ }
case $sshd_sftp_subsystem {
'': { $sshd_sftp_subsystem = '' }
}
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 544effe..859759a 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %>
AllowGroups <%= sshd_allowed_groups %>
<%- end -%>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
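Review bot: The hardened list is one cipher and one MAC with no comment on where it came from or when it should be revisited, and the same two literal lines are repeated verbatim in seven templates, so updating it (for instance adding `hmac-sha2-256,hmac-sha2-512` once the platform's OpenSSH supports them) means seven identical edits. Restricting to `aes256-ctr` alone arguably gains nothing over `aes256-ctr,aes192-ctr,aes128-ctr` while it can lock out clients that only offer the 128-bit variant, and `hmac-sha1` is the best available MAC only on OpenSSH releases without the SHA-2 MACs — both are reasonable choices for the commit date, but should be stated as such. Consider rendering the lists from variables (e.g. `$sshd_hardened_ciphers` / `$sshd_hardened_macs` with these values as defaults) or at least add `# cipher/MAC list taken from ioerror/duraconf; extend with hmac-sha2-* when the installed OpenSSH supports them` above the `Ciphers` line.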
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index c90a5fe..23559fc 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -172,6 +172,11 @@ AllowGroups <%= sshd_allowed_groups %>
PrintMotd no
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 14e32bf..65befdc 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -181,6 +181,11 @@ AllowGroups <%= sshd_allowed_groups %>
PrintMotd no
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
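Review bot: Nothing in the emitted `Ciphers aes256-ctr` / `MACs hmac-sha1` lines tells an administrator on the host that this module put them there, so a client that suddenly cannot negotiate a cipher is hard to trace back to `$sshd_hardened_ssl`. Add a comment as the first line inside the `if`, `# Cipher/MAC restriction managed by the puppet sshd module (sshd_hardened_ssl = yes)`, so the rendered sshd_config is self-explaining; the same applies to the other templates touched by this commit.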
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 6dc9333..0213342 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
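Review bot: The hardening restricts the symmetric cipher and the MAC but leaves the key exchange at its default, which on OpenSSH releases of this period still offers `diffie-hellman-group1-sha1` (a fixed 1024-bit group), so the restricted transport can still be negotiated over a weak key exchange. If the OpenSSH packaged for sid is 5.7 or newer it understands `KexAlgorithms`; in that case add `KexAlgorithms diffie-hellman-group-exchange-sha256` under the `MACs` line inside the same `if`. Keep it out of the etch/lenny templates unless their sshd is known to accept it, since an unrecognised keyword is a fatal configuration error and sshd will refuse to start.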
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index cf50ddb..dfebcc3 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
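Review bot: The `Ciphers`/`MACs` lines are emitted before `sshd_tail_additional_options`, and sshd_config uses the first value it reads for each keyword, so a `Ciphers` or `MACs` line an admin puts in the tail options to admit one extra algorithm is silently ignored whenever `$sshd_hardened_ssl` is `yes`. That is a defensible choice — the tail cannot weaken the hardened set — but it should be documented, e.g. in the README entry for `$sshd_hardened_ssl`: `Note: when set to yes, any Ciphers/MACs given in $sshd_tail_additional_options are ignored (sshd uses the first value for each keyword).` If adjusting the list is meant to be supported, say that the way to do it is to leave this at `no` and set Ciphers/MACs in the tail.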
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 768d3f5..f9f5b23 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -208,6 +208,10 @@ AllowUsers <%= sshd_allowed_users %>
AllowGroups <%= sshd_allowed_groups %>
<%- end %>
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 51662d3..7a20cd9 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %>
# AllowTcpForwarding no
# ForceCommand cvs server
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
<%- unless sshd_tail_additional_options.to_s.empty? then %>
<%= sshd_tail_additional_options %>
<%- end %>
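Review bot: `Ciphers` and `MACs` are global-only keywords, and here they are emitted directly below what looks like the tail of the stock commented `Match` example (`# AllowTcpForwarding no`, `# ForceCommand cvs server` in the context); if anyone uncomments that example, or any `Match` block ends up above this point, the two lines fall inside the Match scope, where sshd rejects them and refuses to start. Safer to emit them above the Match example — or near the top of the template with the protocol/host-key settings — and add `# must stay above any Match block` next to the `if`. The surrounding part of the template is outside the hunk, so the exact position of the Match example is inferred from the context lines.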