From 34863e959fcd05dd325a658561f14580d49b6764 Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Sun, 6 Mar 2011 09:10:44 +0100
Subject: New opt-in support to only use strong SSL ciphers and MACs.

The new configuration variable is $sshd_hardened_ssl.
Settings were stolen from https://github.com/ioerror/duraconf.git.
---
 templates/sshd_config/CentOS.erb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'templates/sshd_config/CentOS.erb')

diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 544effe..859759a 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end -%>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>
-- 
cgit v1.2.3