aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md8
-rw-r--r--manifests/init.pp2
-rw-r--r--templates/sshd_config/CentOS_6.erb8
-rw-r--r--templates/sshd_config/CentOS_7.erb8
-rw-r--r--templates/sshd_config/Debian_jessie.erb7
-rw-r--r--templates/sshd_config/Debian_sid.erb7
-rw-r--r--templates/sshd_config/Debian_squeeze.erb2
-rw-r--r--templates/sshd_config/Debian_wheezy.erb8
-rw-r--r--templates/sshd_config/FreeBSD.erb8
-rw-r--r--templates/sshd_config/Gentoo.erb8
-rw-r--r--templates/sshd_config/OpenBSD.erb8
-rw-r--r--templates/sshd_config/Ubuntu.erb8
-rw-r--r--templates/sshd_config/Ubuntu_lucid.erb8
13 files changed, 72 insertions, 18 deletions
diff --git a/README.md b/README.md
index cbe0bba..77e4d29 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,10 @@
This puppet module manages OpenSSH configuration and services.
+**!! Upgrade Notice (05/2015) !!**
+
+The hardened_ssl parameter name was changed to simply 'hardened'.
+
**!! Upgrade Notice (01/2013) !!**
This module now uses parameterized classes, where it used global variables
@@ -179,8 +183,8 @@ The following is a list of the currently available variables:
Set this to the location of the AuthorizedKeysFile
(e.g. `/etc/ssh/authorized_keys/%u`). Default: `AuthorizedKeysFile
%h/.ssh/authorized_keys`
- - `hardened_ssl`
- Use only strong SSL ciphers and MAC.
+ - `hardened`
+ Use only strong ciphers, MAC, KexAlgorithms, etc.
Values:
- `no` (default)
- `yes`
diff --git a/manifests/init.pp b/manifests/init.pp
index 0f8c472..2dfc71c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -40,7 +40,7 @@ class sshd(
OpenBSD => '%h/.ssh/authorized_keys',
default => '%h/.ssh/authorized_keys %h/.ssh/authorized_keys2',
},
- $hardened_ssl = 'no',
+ $hardened = 'no',
$sftp_subsystem = '',
$head_additional_options = '',
$tail_additional_options = '',
diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb
index 47cb077..4c1e28a 100644
--- a/templates/sshd_config/CentOS_6.erb
+++ b/templates/sshd_config/CentOS_6.erb
@@ -150,10 +150,16 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb
index 7db2277..5acef6d 100644
--- a/templates/sshd_config/CentOS_7.erb
+++ b/templates/sshd_config/CentOS_7.erb
@@ -164,10 +164,16 @@ AllowGroups <%= s %>
#Host *.local
# CheckHostIP no
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb
index 033f409..0138acf 100644
--- a/templates/sshd_config/Debian_jessie.erb
+++ b/templates/sshd_config/Debian_jessie.erb
@@ -111,9 +111,10 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
-Ciphers aes256-ctr
-MACs hmac-sha1
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 033f409..0138acf 100644
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -111,9 +111,10 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
-Ciphers aes256-ctr
-MACs hmac-sha1
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index 0ba323f..d42fac1 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -115,7 +115,7 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb
index cd4bf48..961b26d 100644
--- a/templates/sshd_config/Debian_wheezy.erb
+++ b/templates/sshd_config/Debian_wheezy.erb
@@ -114,10 +114,16 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb
index d4cd9b5..91b5e77 100644
--- a/templates/sshd_config/FreeBSD.erb
+++ b/templates/sshd_config/FreeBSD.erb
@@ -152,10 +152,16 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 1cb4522..ac6ae51 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -147,10 +147,16 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index aa92eb6..cc1c2b9 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -128,10 +128,16 @@ AllowGroups <%= s %>
# AllowTcpForwarding no
# ForceCommand cvs server
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb
index 0ba323f..29c1bf9 100644
--- a/templates/sshd_config/Ubuntu.erb
+++ b/templates/sshd_config/Ubuntu.erb
@@ -115,10 +115,16 @@ AllowUsers <%= s %>
AllowGroups <%= s %>
<%- end -%>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>
diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb
index cff95a7..550243f 100644
--- a/templates/sshd_config/Ubuntu_lucid.erb
+++ b/templates/sshd_config/Ubuntu_lucid.erb
@@ -118,10 +118,16 @@ AllowGroups <%= s %>
PrintMotd <%= scope.lookupvar('sshd::print_motd') %>
-<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%>
+<% if scope.lookupvar('sshd::hardened') == 'yes' -%>
+<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%>
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+<% else -%>
Ciphers aes256-ctr
MACs hmac-sha1
<% end -%>
+<% end -%>
<% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%>
<%= s %>