path: root/templates/sshd_config
Age | Commit message | Author
2021-04-12 | Feat: Ubuntu Focal template (2) | Silvio Rhatto
2021-04-12 | Feat: Ubuntu Focal template | Silvio Rhatto
2018-09-25 | Remove deprecated/unsafe algorithms from hardened config as reported by ssh-audit.py | Silvio Rhatto
2018-09-14 | Adds Ubuntu bionic config | Silvio Rhatto
2018-09-14 | Removes hmac-ripemd160 from hardened config due to OpenSSH 7.6 deprecation | Silvio Rhatto
2018-08-01 | Adds buster config | Silvio Rhatto
2017-06-05 | Merge branch 'master' into develop | Silvio Rhatto
2017-06-05 | Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshd (HEAD, master) | Silvio Rhatto
2016-11-20 | Add sshd_config template for Debian Stretch. | bertagaz
2016-03-21 | Fact ::ssh_version not being evaluated in templates at wheezy and trusty | Silvio Rhatto
2016-03-19 | Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshd | Silvio Rhatto
Conflicts: README templates/sshd_config/CentOS.erb templates/sshd_config/CentOS_Final.erb templates/sshd_config/Debian_etch.erb templates/sshd_config/Debian_jessie.erb templates/sshd_config/Debian_sid.erb templates/sshd_config/Debian_squeeze.erb templates/sshd_config/Debian_wheezy.erb templates/sshd_config/Ubuntu_trusty.erb
2015-11-03 | [feat] [feat] Support missing ubuntu releases | varac
Add quantal, raring, saucy, trusty, utopic, vivid, wily, xenial ubuntu release
2015-10-19 | Ubuntu trusty config | Silvio Rhatto
2015-10-09 | Merge branch 'disable_debian_banner' into 'master' | Jerome Charaoui
disable the debian/ubuntu package version from being sent to clients
dkg pointed out to riseup that our ssh servers were revealing the package version to clients, which is controlled by the DebianBanner config option. It exists in both Debian and Ubuntu and defaults to 'yes', so we explicitly set it to 'no' in the templates for those distros.
See merge request !17
2015-09-11 | choose better MAC for squeeze and wheezy | Matt Taggart
both squeeze (1:5.5p1-6+squeeze6) and wheezy (1:6.0p1-4+deb7u2) have MACs better than hmac-sha1 available in the default search, they both have hmac-sha2-512, hmac-sha2-256, and hmac-ripemd160. So switch to using hmac-sha2-512, which lets us lock down the client MACs more.
2015-06-08 | Facter values changed in 2.x for XenServer | Jerome Charaoui
2015-05-22 | disable the debian/ubuntu package version from being sent to clients | Matt Taggart
2015-05-15 | add jessie config template | db
2015-05-13 | sync LoginGraceTime with debian defaults | Antoine Beaupré
2015-05-07 | Adjust variable lookup in templates to silence deprecation warnings, fixes #1 | Jerome Charaoui
2015-05-04 | Implement enhanced MAC (Message Authentication Codes) according to | Micah Anderson
installed version of openssh and https://stribika.github.io/2015/01/04/secure-secure-shell.html
2015-05-04 | Implement enhanced symmetric cipher selection, based on | Micah Anderson
https://stribika.github.io/2015/01/04/secure-secure-shell.html and version of openssh installed
2015-05-04 | Implement KexAlgorithms settings, based on Key exchange section of | Micah Anderson
https://stribika.github.io/2015/01/04/secure-secure-shell.html Note, that on some systems it is uncertain if they will have a new enough version of openssh installed, so on those a version test is done to see before setting them.
2015-05-04 | Change 'hardened_ssl' parameter to simply 'hardened', this makes more | Micah Anderson
sense in general
2015-05-01 | remove Debian Lenny support | Micah Anderson
2015-04-17 | Merge remote-tracking branch 'micah/remove_etch' into shared | Antoine Beaupré
Conflicts: templates/sshd_config/Debian_etch.erb
2015-04-17 | Merge branch 'hostkey_type' into 'master' | Antoine Beaupré
Hostkey type
This is the pull request associated with: https://labs.riseup.net/code/issues/8285
See merge request !6
2015-04-17 | remove etch support | Micah Anderson
2015-01-22 | Add RedHat_xenenterprise template symlink | Jerome Charaoui
2014-11-21 | Add a $hostkey_type variable that allows you to set which hostkey | Micah Anderson
types you want to support in your sshd_config. We use the ssh_version fact to determine the default hostkey types. Only enable rsa and ed25519 for ssh versions greater or equal to 6.5, otherwise enable rsa and dsa. Some distributions, such as debian, also enable ecdsa as a hostkey type, but this is a known bad NIST curve, so we do not enable that by default (thus deviating from the stock sshd config)
2014-11-21 | Merge remote-tracking branch 'tails/feature/jessie-and-sid-templates' | Micah Anderson
2014-11-01 | Merge remote-tracking branch 'immerda/master' | Micah Anderson
2014-11-01 | Revert "get ecdsa host keys in Debian Wheezy" | Micah Anderson
This reverts commit 1eabfe1b590f6663c2558f949408a08fc5f58fa6. These shitty NIST curves are no good
2014-09-17 | Copy the Debian sid template to a new one for Jessie. | intrigeri
Another option could be to symlink it, but the freeze is coming soon, so most likely they'll start to diverge at some point.
2014-09-17 | Resynchronize Debian sid template with the configuration file currently shipped by the package. | intrigeri
2014-08-24 | Disable ECDSA key until we fix pubkey distribution | Silvio Rhatto
2014-08-19 | Do not use DSA keys on squeeze | Silvio Rhatto
2014-08-19 | Do not use DSA keys on wheezy | Silvio Rhatto
2014-08-19 | get ecdsa host keys in Debian Wheezy | kwadronaut
2014-08-19 | Oops | Silvio Rhatto
2014-08-19 | Back to hmac-sha1 on lenny/squeeze | Silvio Rhatto
2014-08-19 | Back to OpenSSH HMAC: SHA1 -> SHA2-512 (suggested by duraconf) | Silvio Rhatto
2014-08-15 | move to os release number on centos for selection | mh
2014-06-10 | Merge remote-tracking branch 'shared/master' | mh
Conflicts: manifests/init.pp
2013-11-29 | unify centos sshd config and update it to latest upstream | mh
2013-11-08 | get ecdsa host keys in Debian Wheezy | kwadronaut
2013-07-20 | Back to hmac-sha1 as hmac-sha2-512 prevented squeeze systems to connect | Silvio Rhatto
2013-07-16 | Rollback: hmac-sha2-512 is just supported on newer systems | Silvio Rhatto
2013-07-16 | OpenSSH HMAC: SHA1 -> SHA2-512 (suggested by duraconf) | Silvio Rhatto
2013-01-17 | Merge branch 'master' of git://labs.riseup.net/shared-sshd | Silvio Rhatto
Conflicts: templates/sshd_config/Ubuntu_precise.erb