Merge branch 'master' into file-mode

openssh/config.sls

@@ -3,6 +3,7 @@
 include:
   - openssh
 
+{% if salt['pillar.get']('sshd_config', False) %}
 sshd_config:
   file.managed:
     - name: {{ openssh.sshd_config }}
@@ -13,7 +14,9 @@ sshd_config:
     - mode: {{ openssh.sshd_config_mode }}
     - watch_in:
       - service: openssh
+{% endif %}
 
+{% if salt['pillar.get']('ssh_config', False) %}
 ssh_config:
   file.managed:
     - name: {{ openssh.ssh_config }}
@@ -22,6 +25,7 @@ ssh_config:
     - user: {{ openssh.ssh_config_user }}
     - group: {{ openssh.ssh_config_group }}
     - mode: {{ openssh.ssh_config_mode }}
+{% endif %}
 
 {% for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
 {% if salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %}

openssh/defaults.yaml

@@ -16,11 +16,6 @@ openssh:
   dig_pkg: dnsutils
   ssh_moduli: /etc/ssh/moduli
   root_group: root
+
 sshd_config: {}
-ssh_config:
+ssh_config: {}
-  Hosts:
-    '*':
-      SendEnv: LANG LC_*
-      HashKnownHosts: yes
-      GSSAPIAuthentication: yes
-      GSSAPIDelegateCredentials: no

pillar.example

@@ -13,7 +13,7 @@ sshd_config:
     - /etc/ssh/ssh_host_ed25519_key
   UsePrivilegeSeparation: 'yes'
   KeyRegenerationInterval: 3600
-  ServerKeyBits: 768
+  ServerKeyBits: 1024
   SyslogFacility: AUTH
   LogLevel: INFO
   ClientAliveInterval: 0
@@ -35,9 +35,9 @@ sshd_config:
   ChallengeResponseAuthentication: 'no'
   AuthenticationMethods: 'publickey,keyboard-interactive'
   AuthorizedKeysFile: '%h/.ssh/authorized_keys'
-  X11Forwarding: 'yes'
+  X11Forwarding: 'no'
   X11DisplayOffset: 10
-  PrintMotd: 'no'
+  PrintMotd: 'yes'
   PrintLastLog: 'yes'
   TCPKeepAlive: 'yes'
   AcceptEnv: "LANG LC_*"
@@ -58,15 +58,37 @@ sshd_config:
         AllowTcpForwarding: no
         ForceCommand: internal-sftp
   # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
-  # For these three keywords, the options may be specified as a list...
+  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
+  # The configuration given in the example below is based on:
+  # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+  #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
+  #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+  #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
   KexAlgorithms:
-    - diffie-hellman-group14-sha1
+    - 'curve25519-sha256@libssh.org'
-    - diffie-hellman-group1-sha1
+    - 'diffie-hellman-group-exchange-sha256'
-  # ... or a single string.
+  Ciphers:
-  Ciphers: 'aes128-ctr,aes256-ctr'
+    - 'chacha20-poly1305@openssh.com'
-  MACs: 'hmac-sha1'
+    - 'aes256-gcm@openssh.com'
-  # Similar situation for ssh_config
+    - 'aes128-gcm@openssh.com'
+    - 'aes256-ctr'
+    - 'aes192-ctr'
+    - 'aes128-ctr'
+  MACs:
+    - 'hmac-sha2-512-etm@openssh.com'
+    - 'hmac-sha2-256-etm@openssh.com'
+    - 'hmac-ripemd160-etm@openssh.com'
+    - 'umac-128-etm@openssh.com'
+    - 'hmac-sha2-512'
+    - 'hmac-sha2-256'
+    - 'hmac-ripemd160'
+    - 'umac-128@openssh.com'
 
+# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
+# pillar will overwrite the defaults of your distribution's SSH client. This
+# will also force the default configuration for all the SSH clients on the
+# machine. This can break SSH connections with servers using older versions of
+# openssh. Please make sure you understand the implication of different settings
 ssh_config:
   StrictHostKeyChecking: no
   ForwardAgent: no
@@ -89,6 +111,38 @@ ssh_config:
   TunnelDevice: 'any:any'
   PermitLocalCommand: 'no'
   VisualHostKey: 'no'
+  # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
+  # WARNING! Please make sure you understand the implications of the below
+  # settings. The examples provided below might break your connection to older /
+  # legacy openssh servers.
+  # The configuration given in the example below is based on:
+  # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
+  #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
+  #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+  #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
+  KexAlgorithms:
+    - 'curve25519-sha256@libssh.org'
+    - 'diffie-hellman-group-exchange-sha256'
+    - 'diffie-hellman-group-exchange-sha1'
+    - 'diffie-hellman-group14-sha1'
+  Ciphers:
+    - 'chacha20-poly1305@openssh.com'
+    - 'aes256-gcm@openssh.com'
+    - 'aes128-gcm@openssh.com'
+    - 'aes256-ctr'
+    - 'aes192-ctr'
+    - 'aes128-ctr'
+  MACs:
+    - 'hmac-sha2-512-etm@openssh.com'
+    - 'hmac-sha2-256-etm@openssh.com'
+    - 'hmac-ripemd160-etm@openssh.com'
+    - 'umac-128-etm@openssh.com'
+    - 'hmac-sha2-512'
+    - 'hmac-sha2-256'
+    - 'hmac-ripemd160'
+    - 'umac-128@openssh.com'
+
 
 openssh:
   # Controls if SSHD should be enabled/started