diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2010-12-16 20:20:53 -0200 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2010-12-16 20:20:53 -0200 |
| commit | 30a4593a05a09b669a9cd8fff4318779a532b123 (patch) | |
| tree | 6d29732b54f3e845d3bb355491df3200315e043e | |
| parent | 2c9e690d90e8fda3ad9b9ed7dc755c198127df7d (diff) | |
| download | puppet-sshd-30a4593a05a09b669a9cd8fff4318779a532b123.tar.gz puppet-sshd-30a4593a05a09b669a9cd8fff4318779a532b123.tar.bz2 | |
Introducing perfect forward secrecy for SSH
| -rw-r--r-- | manifests/init.pp | 3 | ||||
| -rw-r--r-- | templates/sshd_config/Debian_lenny.erb | 4 |
2 files changed, 7 insertions, 0 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index c0a8cd5..ede4fdc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -217,6 +217,9 @@ class sshd { case $sshd_shared_ip { '': { $sshd_shared_ip = "no" } } + case $sshd_perfect_forward_secrecy { + '': { $sshd_perfect_forward_secrecy = "no" } + } include sshd::client diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb index 5f7afb4..3e4d1f7 100644 --- a/templates/sshd_config/Debian_lenny.erb +++ b/templates/sshd_config/Debian_lenny.erb @@ -190,3 +190,7 @@ PrintMotd no <%= sshd_tail_additional_options %> <%- end %> +<%- if sshd_perfect_forward_secrecy.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end %> |