
write ciphers,macs and kex as comma-separated string #362

Merged
merged 1 commit into from
Sep 26, 2023

Conversation

ReneTrippen (Author) commented Sep 21, 2023

As the man page of sshd_config(5) describes:
"Multiple ciphers/macs/kexalgorithms must be comma-separated." Using an array or YAML list for ciphers/mac/kex results in multiple entries in sshd_config. If multiple entries are set in sshd_config, sshd takes only the first one.

Fixes #361

With this fix, we can write the server_options for ciphers/macs/kexalgorithms as an array or as a YAML list in Hiera, which increases readability a lot :)
@bastelfreak @SimonHoenscheid could you please take a look?

Example

class { 'ssh':
  storeconfigs_enabled => false,
  server_options => {
    'Ciphers'       => [ 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc' ],
    'Macs'          => [ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256' ],
    'KexAlgorithms' => [ 'curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group14-sha256', 'diffie-hellman-group16-sha512' ],
  },
}

generated sshd_config

# File is managed by Puppet

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes

sshd -T

sshd -T | grep -E "(^cipher|^kexal|^mac)"
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512

As the man page of sshd_config(5) describes:
"Multiple ciphers/macs/kexalgorithms must be comma-separated."
Using an array or YAML list for ciphers/mac/kex results in multiple
entries in sshd_config. If multiple entries are set in sshd_config, sshd takes only the first
one.

Fixes saz#361
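To make the failure mode in the description concrete, here is an added example in Ruby (the language of the module's templates); it is not code from saz/puppet-ssh or from the PR itself. It renders a Puppet-style server_options hash two ways: the pre-fix way, where every array element becomes its own directive line, and the fixed way, where the list-valued algorithm keywords are joined with commas while genuinely repeatable keywords such as Port still get one line per value. A small `effective_algorithms` parser then models what sshd does with repeated Ciphers/Macs/KexAlgorithms directives (first one wins, the rest are ignored), which is exactly what `sshd -T` reports. The function names, the `COMMA_JOINED` constant and the `SERVER_OPTIONS` sample hash are assumptions constructed for this example.

```ruby
# Added example, not part of saz/puppet-ssh.
# sshd_config(5) keywords whose multiple values must live on ONE line,
# comma-separated; sshd keeps only the first directive for these keywords.
COMMA_JOINED = %w[ciphers macs kexalgorithms].freeze

# Constructed sample server_options (hypothetical values for this example).
SERVER_OPTIONS = {
  'Ciphers'       => %w[aes128-ctr aes192-ctr aes256-ctr],
  'KexAlgorithms' => %w[curve25519-sha256 diffie-hellman-group16-sha512],
  'Macs'          => %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256],
  'Port'          => [22, 2222],      # Port IS repeatable: one line per value
  'AcceptEnv'     => 'LANG LC_*',
}.freeze

# Fixed rendering: list-valued algorithm keywords are joined with commas on a
# single line; every other array is emitted as one directive per element,
# which is what repeatable keywords (Port, ListenAddress, HostKey, ...) expect.
# Keyword comparison is case-insensitive, as in sshd.
def render_directive(key, value)
  values = Array(value)
  if COMMA_JOINED.include?(key.downcase)
    "#{key} #{values.join(',')}\n"
  else
    values.map { |v| "#{key} #{v}\n" }.join
  end
end

# Pre-fix behaviour: every array element becomes its own directive line,
# regardless of keyword. For Ciphers/Macs/KexAlgorithms that silently drops
# all but the first algorithm.
def render_directive_buggy(key, value)
  Array(value).map { |v| "#{key} #{v}\n" }.join
end

# Render the whole options hash in sorted order (the module also sorts keys).
def render_config(options, buggy: false)
  options.sort_by { |k, _| k.downcase }.map do |k, v|
    buggy ? render_directive_buggy(k, v) : render_directive(k, v)
  end.join
end

# Model sshd's handling of the list-valued keywords: the first directive for a
# keyword is kept, later duplicates are ignored. Returns a hash such as
# { 'ciphers' => ['aes128-ctr', ...] }, mirroring what `sshd -T` would print.
def effective_algorithms(config_text)
  seen = {}
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, rest = line.split(/\s+/, 2)
    key = key.downcase
    next unless COMMA_JOINED.include?(key)
    seen[key] ||= rest.to_s.split(',')   # ||= implements "first wins"
  end
  seen
end

if __FILE__ == $PROGRAM_NAME
  puts '--- fixed rendering ---'
  puts render_config(SERVER_OPTIONS)
  puts '--- algorithms sshd would actually use with the pre-fix rendering ---'
  p effective_algorithms(render_config(SERVER_OPTIONS, buggy: true))
end
```

The practical check after any change to these keywords is the one the description already uses: run `sshd -T | grep -E "(^cipher|^kexal|^mac)"` on the host and compare the lists against what Hiera was supposed to set; a list that is shorter than expected means a duplicated directive was silently ignored.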
ReneTrippen (Author) commented Sep 22, 2023

looks like the centos 8 container with puppet 8 was running into a timeout while spinning up

ReneTrippen (Author) commented

@saz can we restart the check pipeline?

bastelfreak (Contributor) commented

@ReneTrippen you can close and reopen the PR, that will restart the pipeline.

@saz saz merged commit 82682df into saz:master Sep 26, 2023
27 checks passed
Successfully merging this pull request may close these issues.

[BUG] Multiple entries of ciphers/macs/kexalgorithms when server_option is an array or yaml list