| Age | Commit message (Collapse) | Author |
|---|
|
disable the debian/ubuntu package version from being sent to clients
dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
See merge request !17
|
|
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
|
|
|
|
|
|
|
|
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
https://stribika.github.io/2015/01/04/secure-secure-shell.html and
version of openssh installed
|
|
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Note, that on some systems it is uncertain if they will have a new
enough version of openssh installed, so on those a version test is done
to see before setting them.
|
|
sense in general
|
|
types you want to support in your sshd_config.
We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.
Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
|
|
This reverts commit 1eabfe1b590f6663c2558f949408a08fc5f58fa6.
These shitty NIST curves are no good
|
|
|
|
|
|
|
|
Currently, this is a symlink to the Debian sid's one, which I've recently
resync'd. Once Wheezy is frozen, we'll want to fork its own template.
|
