From 83bb5ac5a07579ed25e7e1ca2b6bcdf570649a34 Mon Sep 17 00:00:00 2001
From: Ingo Bente
Date: Tue, 30 Jun 2015 14:33:57 +0200
Subject: [PATCH] adds support to harden sshd_config (KeyExchange, Ciphers, MACs)
---
 openssh/files/sshd_config | 11 ++++++++++-
 pillar.example | 4 ++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index f0be13a..1e4b76e 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -139,7 +139,7 @@
 # Restricting Users and Hosts
 # example:
-# AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke
+# AllowUsers vader@10.0.0.1 maul@sproing.evil.com luke
 # AllowGroups wheel staff
 #
 # Keep in mind that using AllowUsers or AllowGroups means that anyone
@@ -156,6 +156,15 @@
 # AllowGroups {{ option('AllowGroups', '') }}
+# Specifies the available KEX (Key Exchange) algorithms.
+{{ option('KexAlgorithms', 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1') }}
+
+# Specifies the ciphers allowed for protocol version 2.
+{{ option('Ciphers', 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se') }}
+
+# Specifies the available MAC (message authentication code) algorithms.
+{{ option('MACs', 'hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96') }}
+
 {# Handling unknown in salt template options #}
 {%- for keyword in sshd_config.keys() %}
 {#- Matches have to be at the bottem and should be handled differently -#}
diff --git a/pillar.example b/pillar.example
index 269eb08..079ae7b 100644
--- a/pillar.example
+++ b/pillar.example
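Review bot: The default lists handed to `option()` for KexAlgorithms, Ciphers and MACs in the second hunk pin the full permissive algorithm set of the time (including diffie-hellman-group1-sha1, arcfour, 3des-cbc, the *-cbc modes, hmac-md5 and the 96-bit truncated MACs) into every generated sshd_config, which works against the stated goal of hardening: a host with no pillar override now explicitly enables those algorithms and loses whatever stricter built-in defaults its sshd version ships with. An explicit list is also version-sensitive, since sshd refuses to start when any named algorithm is not supported by the installed build, so a long pinned default can take down hosts running an older or newer OpenSSH. Judging by the AllowGroups line above, the macro seems to omit or comment out the directive when its default is empty; if that holds, these should only be emitted when the pillar sets them: `{{ option('KexAlgorithms', '') }}`, `{{ option('Ciphers', '') }}`, `{{ option('MACs', '') }}`. If a hardened default is wanted instead, it should be a short list of the strong entries already present on these lines (diffie-hellman-group-exchange-sha256, the aes*-ctr ciphers, hmac-sha2-256 and hmac-sha2-512) rather than the whole set.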
@@ -45,6 +45,10 @@ sshd_config: X11Forwarding: no AllowTcpForwarding: no ForceCommand: internal-sftp + # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. + KexAlgorithms: 'diffie-hellman-group14-sha1,diffie-hellman-group1-sha1' + Ciphers: 'aes128-ctr,aes256-ctr' + MACs: 'hmac-sha1' openssh: auth:
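Review bot: The example values meant to illustrate hardening still include diffie-hellman-group1-sha1 (a 1024-bit DH group) and hmac-sha1, and pillar.example is exactly the text operators copy, so the example should show a restrictive set rather than a mixed one. The template's own default lists already carry stronger entries, so the example could read `KexAlgorithms: 'diffie-hellman-group-exchange-sha256'`, keep `Ciphers: 'aes128-ctr,aes256-ctr'`, and use `MACs: 'hmac-sha2-256,hmac-sha2-512'`. The inline comment pointing at the sshd_config manual is worth keeping, and could add that every listed algorithm must be supported by the installed sshd, because an unsupported name in any of these three directives prevents sshd from starting.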