From f192b91192db2a97a65372821fad8a88fb0a0066 Mon Sep 17 00:00:00 2001
From: ek9
Date: Fri, 24 Feb 2017 20:17:36 +0100
Subject: [PATCH] add more verbose warnings regarding ssh_config in pillar.example
---
 pillar.example | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pillar.example b/pillar.example
index fb09515..39d9934 100644
--- a/pillar.example
+++ b/pillar.example
@@ -84,6 +84,11 @@ sshd_config:
 - 'hmac-ripemd160'
 - 'umac-128@openssh.com'
+# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
+# pillar will overwrite the defaults of your distribution's SSH client. This
+# will also force the default configuration for all the SSH clients on the
+# machine. This can break SSH connections with servers using older versions of
+# openssh. Please make sure you understand the implication of different settings
 ssh_config:
 StrictHostKeyChecking: no
 ForwardAgent: no
@@ -107,9 +112,12 @@ ssh_config:
 PermitLocalCommand: 'no'
 VisualHostKey: 'no'
 # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
- # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
+ # WARNING! Please make sure you understand the implications of the below
+ # settings. The examples provided below might break your connection to older /
+ # legacy openssh servers.
 # The configuration given in the example below is based on:
 # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+ # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
 #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
 #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
 #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
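Review bot: The new warning placed above `ssh_config:` describes the risk only as breaking connections to older servers, yet the very first setting in the example it introduces is `StrictHostKeyChecking: no`, which turns off host-key verification for every SSH client on the machine and is the implication a reader most needs to be told about. I would add a sentence such as `# In particular, StrictHostKeyChecking 'no' disables host key verification and leaves every session open to man-in-the-middle attacks; do not copy this example as-is.` Note also that `no` is unquoted here, unlike the quoted `'no'` values further down the same file; on a YAML 1.1 loader (presumably what Salt's pillar rendering uses) a bare `no` is parsed as a boolean, so quoting it would keep the example consistent. The closing phrase `implication of different settings` also lacks its period and reads better as `implications of these settings.`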
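Review bot: The new WARNING comment frames the example algorithm lists purely as a compatibility risk, but the commented `#KexAlgorithms` and `#MACs` lines a few lines below still contain SHA-1 based entries (`diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1`) and `hmac-ripemd160` / `hmac-ripemd160-etm@openssh.com`, so a reader may copy the whole list believing every entry is part of the hardened set. I would extend the comment with a line such as `# These lists date from the 2015 article and keep SHA-1 KEX and ripemd160 MACs only as a fallback; drop them once all your servers support the sha2/curve25519 entries.` The moved line `You can specify KexAlgorithms, Ciphers and MACs as both key or a list.` now sits below the article link rather than directly above the values it describes, and if it means a single comma-separated string versus a YAML list it would be clearer as `as either a single comma-separated string or a list.`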