From 34863e959fcd05dd325a658561f14580d49b6764 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 6 Mar 2011 09:10:44 +0100 Subject: New opt-in support to only use strong SSL ciphers and MACs. The new configuration variable is $sshd_hardened_ssl. Settings were stolen from https://github.com/ioerror/duraconf.git. --- templates/sshd_config/OpenBSD.erb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'templates/sshd_config/OpenBSD.erb') diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index 51662d3..7a20cd9 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %> # AllowTcpForwarding no # ForceCommand cvs server +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> +Ciphers aes256-ctr +MACs hmac-sha1 +<%- end -%> + <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> <%- end %> -- cgit v1.2.3