Puppet Class: ssh::client::params

Defined in:
manifests/client/params.pp

Summary

Default parameters for the SSH client

Overview

Author:



# File 'manifests/client/params.pp', line 5

# Default MAC, cipher and GSSAPI settings for the SSH client.
#
# The class takes no parameters. It only sets class-scope variables:
#
#   $fips_macs, $fips_ciphers  - algorithm lists labelled for FIPS use
#   $macs, $ciphers            - wider lists for when FIPS mode is not enabled
#   $gssapiauthentication      - true when the 'ipa' fact is truthy
#
# Which pair of lists is actually applied is decided outside this class
# (presumably by the consuming class, based on the host's FIPS state - confirm
# against the caller).
class ssh::client::params {

  # The original author's note: these are all that are supported on RHEL6.
  # They are used for every platform not recognised below.
  $_fallback_macs    = [ 'hmac-sha1' ]
  $_fallback_ciphers = [ 'aes256-ctr', 'aes192-ctr', 'aes128-ctr' ]

  # Only the RedHat family at major release 7 or later gets the extended
  # lists. 'and' short-circuits, so versioncmp() is only evaluated when the
  # OS family matches.
  $_el7_or_newer = (
    $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') >= 0
  )

  if $_el7_or_newer {
    # Lists labelled for FIPS use.
    $fips_macs    = [ 'hmac-sha2-256', 'hmac-sha1' ]
    $fips_ciphers = [ 'aes256-ctr', 'aes192-ctr', 'aes128-ctr' ]

    # FIPS mode not enabled: stay within the bounds but expand the options
    # with the encrypt-then-MAC and AES-GCM variants. hmac-sha1 is not part
    # of this list.
    $macs = [
      'hmac-sha2-512-etm@openssh.com',
      'hmac-sha2-256-etm@openssh.com',
      'hmac-sha2-512',
      'hmac-sha2-256',
    ]
    $ciphers = [
      'aes256-gcm@openssh.com',
      'aes128-gcm@openssh.com',
      'aes256-ctr',
      'aes192-ctr',
      'aes128-ctr',
    ]
  }
  else {
    # The OS is not known (any other family, or RedHat older than 7), so fall
    # back to whatever should work with FIPS 140-2 in all cases. The FIPS and
    # non-FIPS values are identical on this path.
    #
    # NOTE(review): hmac-sha1 is the only MAC offered here, so an unrecognised
    # platform never negotiates a SHA-2 MAC. Confirm this is still the
    # intended default once RHEL6 clients no longer need to be supported.
    $fips_macs    = $_fallback_macs
    $fips_ciphers = $_fallback_ciphers
    $macs         = $_fallback_macs
    $ciphers      = $_fallback_ciphers
  }

  # Enable GSSAPI authentication if the host is configured to use IPA. The
  # 'ipa' fact is tested for truthiness only; its content is not inspected.
  if $facts['ipa'] {
    $gssapiauthentication = true
  }
  else {
    $gssapiauthentication = false
  }
}