diff options
author | Micah <micah@riseup.net> | 2015-10-06 17:53:48 +0000 |
---|---|---|
committer | Micah <micah@riseup.net> | 2015-10-06 17:53:48 +0000 |
commit | e36a294dceb9504327af84c72f6fb6d4489aeea0 (patch) | |
tree | 9b0a8ce6d0f8b4499c0a0131f43570a7196ab4c4 | |
parent | abd504a5f459873f547ccdf4940c0ac5ae7fe874 (diff) | |
parent | 8acb349e8b116092599acc2e9083d5d6acb4086f (diff) | |
download | puppet-sshd-e36a294dceb9504327af84c72f6fb6d4489aeea0.tar.gz puppet-sshd-e36a294dceb9504327af84c72f6fb6d4489aeea0.tar.bz2 |
Merge branch 'master' into 'master'
choose better MAC for squeeze and wheezy
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
See merge request !19
-rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 2 | ||||
-rw-r--r-- | templates/sshd_config/Debian_wheezy.erb | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 5845a3d..1483480 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -117,7 +117,7 @@ AllowGroups <%= s %> <% if scope.lookupvar('::sshd::hardened') == 'yes' -%> Ciphers aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512 <% end -%> <% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index f9a476b..bf52df7 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -121,7 +121,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% else -%> Ciphers aes256-ctr -MACs hmac-sha1 +MACs hmac-sha2-512 <% end -%> <% end -%> |