aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMicah <micah@riseup.net>2015-10-06 17:53:48 +0000
committerMicah <micah@riseup.net>2015-10-06 17:53:48 +0000
commite36a294dceb9504327af84c72f6fb6d4489aeea0 (patch)
tree9b0a8ce6d0f8b4499c0a0131f43570a7196ab4c4
parentabd504a5f459873f547ccdf4940c0ac5ae7fe874 (diff)
parent8acb349e8b116092599acc2e9083d5d6acb4086f (diff)
downloadpuppet-sshd-e36a294dceb9504327af84c72f6fb6d4489aeea0.tar.gz
puppet-sshd-e36a294dceb9504327af84c72f6fb6d4489aeea0.tar.bz2
Merge branch 'master' into 'master'
choose better MAC for squeeze and wheezy both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more. See merge request !19
-rw-r--r--templates/sshd_config/Debian_squeeze.erb2
-rw-r--r--templates/sshd_config/Debian_wheezy.erb2
2 files changed, 2 insertions, 2 deletions
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index 5845a3d..1483480 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -117,7 +117,7 @@ AllowGroups <%= s %>
<% if scope.lookupvar('::sshd::hardened') == 'yes' -%>
Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
<% end -%>
<% unless (s=scope.lookupvar('::sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index f9a476b..bf52df7 100644
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -121,7 +121,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% else -%>
Ciphers aes256-ctr
-MACs hmac-sha1
+MACs hmac-sha2-512
<% end -%>
<% end -%>