Puppet Class: ssh::server::params

Inherited by:
ssh::server::conf
Defined in:
manifests/server/params.pp

Summary

Default parameters for the SSH Server

Overview

  • The `curve25519-sha256@libssh.org` key exchange was not supported until OpenSSH 6.5, so it is only offered on that version or newer

  • `RhostsRSAAuthentication` was removed in OpenSSH 7.4, so the option is left unset (`undef`) on that version or newer and explicitly disabled on older ones



# File 'manifests/server/params.pp', line 8

# Default values for the SSH server configuration.
#
# This class only sets variables; it declares no resources. Every value is a
# plain class variable that ssh::server::conf (which inherits this class) uses
# as a default. The algorithm lists are the security-relevant part: anything
# listed here is what sshd will offer to clients unless the consumer overrides
# it.
class ssh::server::params {

  ## Public Variables ##

  # Environment variables a client may push into its session (AcceptEnv).
  # Only locale variables are accepted, which keeps the client's reach into
  # the server-side environment narrow; extend this list deliberately.
  $acceptenv = [
    'LANG',
    'LC_CTYPE',
    'LC_NUMERIC',
    'LC_TIME',
    'LC_COLLATE',
    'LC_MONETARY',
    'LC_MESSAGES',
    'LC_PAPER',
    'LC_NAME',
    'LC_ADDRESS',
    'LC_TELEPHONE',
    'LC_MEASUREMENT',
    'LC_IDENTIFICATION',
    'LC_ALL'
  ]

  # Lowest-common-denominator ciphers, expected to be accepted by any client.
  $fallback_ciphers = ['aes256-ctr', 'aes192-ctr', 'aes128-ctr']

  # Preferred ciphers for non-FIPS hosts: AEAD (GCM) first, CTR as fallback.
  $ciphers = [
    'aes256-gcm@openssh.com',
    'aes128-gcm@openssh.com',
    'aes256-ctr',
    'aes192-ctr',
    'aes128-ctr'
  ]

  # FIPS-mode lists. These stay within NIST curves and SHA-2 group exchange.
  # NOTE(review): diffie-hellman-group-exchange-sha256 is only as strong as
  # the groups in the server's moduli file — confirm small moduli are pruned
  # on the managed hosts.
  $fips_kex_algorithms = [
    'ecdh-sha2-nistp521',
    'ecdh-sha2-nistp384',
    'ecdh-sha2-nistp256',
    'diffie-hellman-group-exchange-sha256'
  ]

  # NOTE(review): hmac-sha1 is presumably kept for older clients; verify it
  # is still needed before relying on this default in a hardened deployment.
  $fips_macs    = ['hmac-sha2-256', 'hmac-sha1']
  $fips_ciphers = ['aes256-ctr', 'aes192-ctr', 'aes128-ctr']

  # Non-FIPS hosts: stay within the same bounds but widen the options.
  $base_kex_algorithms = [
    'ecdh-sha2-nistp521',
    'ecdh-sha2-nistp384',
    'ecdh-sha2-nistp256',
    'diffie-hellman-group-exchange-sha256'
  ]

  # curve25519-sha256@libssh.org is only offered on OpenSSH 6.5 or newer and
  # is placed ahead of the base list so it is the preferred exchange.
  # NOTE(review): versioncmp() is given the raw fact; if openssh_version is
  # ever absent the comparison receives undef and catalog compilation would
  # fail — confirm the fact is always present on managed nodes.
  $additional_kex_algorithms = (versioncmp($facts['openssh_version'], '6.5') >= 0) ? {
    true    => ['curve25519-sha256@libssh.org'],
    default => [],
  }
  $kex_algorithms = concat($additional_kex_algorithms, $base_kex_algorithms)

  # Non-FIPS MACs: encrypt-then-MAC variants first, plain SHA-2 as fallback.
  $macs = [
    'hmac-sha2-512-etm@openssh.com',
    'hmac-sha2-256-etm@openssh.com',
    'hmac-sha2-512',
    'hmac-sha2-256'
  ]

  # RhostsRSAAuthentication was removed in OpenSSH 7.4: leave it unset there
  # (emitting it would be rejected) and explicitly disable it on older builds.
  $rhostsrsaauthentication = (versioncmp($facts['openssh_version'], '7.4') >= 0) ? {
    true    => undef,
    default => false,
  }

  # GSSAPI authentication is enabled only when the node reports an IPA fact.
  # NOTE(review): any truthy value of the fact enables it — the fact's shape
  # is not visible here, so confirm it cannot be set unintentionally.
  $gssapiauthentication = if $facts['ipa'] { true } else { false }
}