authorChristian Poessinger <christian@poessinger.com>2017-12-31 16:22:02 +0100
committerGitHub <noreply@github.com>2017-12-31 16:22:02 +0100
commit0ed8665760ac9cda8e910818f2d1234bd4b7477e (patch)
treeffadeb31fa19b920c9aa01a5629f9b954f4a13d4
parentc5e11462769bea9769335944f0f8a8f5411d027e (diff)
parent6f63930251beed98bb6d20567631db235dab1d16 (diff)
Merge pull request #67 from c-po/t507-sshd
T507 sshd
-rw-r--r--templates/service/ssh/ciphers/node.def17
-rw-r--r--templates/service/ssh/key-exchange/node.def11
-rw-r--r--templates/service/ssh/loglevel/node.def19
-rw-r--r--templates/service/ssh/macs/node.def7
4 files changed, 45 insertions, 9 deletions
diff --git a/templates/service/ssh/ciphers/node.def b/templates/service/ssh/ciphers/node.def
index 7eab846e..b5e5af68 100644
--- a/templates/service/ssh/ciphers/node.def
+++ b/templates/service/ssh/ciphers/node.def
@@ -1,21 +1,26 @@
type: txt
help: Allowed ciphers
val_help: txt; Cipher string
-val_help: 3des-cbc; 3DES CBC
+val_help: aes128-gcm@openssh.com; AES 128 GCM
+val_help: aes256-gcm@openssh.com; AES 256 GCM
+val_help: chacha20-poly1305@openssh.com; ChaCha20 Poly1305
+val_help: 3des-cbc; 3DES CBC (weak)
val_help: aes128-cbc; AES 128 CBC
val_help: aes192-cbc; AES 192 CBC
val_help: aes256-cbc; AES 256 CBC
val_help: aes128-ctr; AES 128 CTR
val_help: aes192-ctr; AES 192 CTR
val_help: aes256-ctr; AES 256 CTR
-val_help: arcfour128; AC4 128
-val_help: arcfour256; AC4 256
-val_help: arcfour; AC4
+val_help: arcfour128; AC4 128 (broken)
+val_help: arcfour256; AC4 256 (broken)
+val_help: arcfour; AC4 (broken)
val_help: blowfish-cbc; Blowfish CBC
val_help: cast128-cbc; CAST 128 CBC
comp_help: Multiple ciphers can be specified as a comma-separated list.
-syntax:expression: pattern $VAR(@) "^((3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|aes128-ctr|aes192-ctr|\
+syntax:expression: pattern $VAR(@) "^((aes128-gcm@openssh.com|\
+aes256-gcm@openssh.com|chacha20-poly1305@openssh.com|\
+3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|aes128-ctr|aes192-ctr|\
aes256-ctr|arcfour128|arcfour256|arcfour|\
blowfish-cbc|cast128-cbc)(,|$))+$"; \
"$VAR(@) is not a valid cipher list"
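Review bot: The three new alternatives added to the pattern, `aes128-gcm@openssh.com`, `aes256-gcm@openssh.com` and `chacha20-poly1305@openssh.com`, leave the `.` unescaped, so it matches any single character rather than a literal dot; if the template parser keeps the backslash intact, `aes128-gcm@openssh\.com` (and likewise for the other two) is the exact match the val_help names promise. The relabelled arcfour entries still read "AC4", which is not an algorithm name: arcfour is RC4, so the val_help lines should say `RC4 128 (broken)`, `RC4 256 (broken)` and `RC4 (broken)`.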
@@ -25,5 +30,5 @@ Ciphers $VAR(@)' /etc/ssh/sshd_config
delete: sudo sed -i -e '/^Ciphers $VAR(@)$/d' /etc/ssh/sshd_config
-update: sudo sed -i -e '/^Ciphers/c \
+update: sudo sed -i -e '/^Ciphers.*$/c \
Ciphers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/key-exchange/node.def b/templates/service/ssh/key-exchange/node.def
new file mode 100644
index 00000000..a3c91b0b
--- /dev/null
+++ b/templates/service/ssh/key-exchange/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Allowed key exchange algorithms
+comp_help: Specifies the available KEX (key exchange) algorithms. The KEX algorithm is used in protocol version 2 for key negotiation upon session creation. Multiple algorithms must be comma-separated. See 'ssh -Q kex' for supported KEX algorithms.
+
+create: sudo sed -i -e '$ a \
+KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^KexAlgorithms $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^KexAlgorithms.*$/c \
+KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
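Review bot: The key-exchange value reaches the `create` and `update` sed commands without any `syntax:expression`, unlike the ciphers node in the same commit, so an unrecognised or malformed algorithm list is accepted by the CLI and only surfaces when sshd fails to reload, which on a remotely managed box can cost the administrator access. A minimal check in the style of the sibling node would be `syntax:expression: pattern $VAR(@) "^([a-z0-9@.-]+(,|$))+$"; \` followed by `"$VAR(@) is not a valid key exchange algorithm list"`; the same gap exists in macs/node.def, which this commit also touches but leaves unvalidated. Note too that `create` appends with `$ a`, so if sshd_config ends in a `Match` block the directive presumably lands inside it, where KexAlgorithms is not permitted.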
diff --git a/templates/service/ssh/loglevel/node.def b/templates/service/ssh/loglevel/node.def
new file mode 100644
index 00000000..f66ec068
--- /dev/null
+++ b/templates/service/ssh/loglevel/node.def
@@ -0,0 +1,19 @@
+type: txt
+help: Log Level
+val_help: QUIET; stay silent
+val_help: FATAL; log fatals only
+val_help: ERROR; log errors and fatals only
+val_help: INFO; default log level
+val_help: VERBOSE; enable logging of failed login attempts
+comp_help: Gives the verbosity level that is used when logging messages from sshd(8). The default is INFO.
+
+syntax:expression: pattern $VAR(@) "^((QUIET|FATAL|ERROR|INFO|VERBOSE)(,|$))+$"; \
+"$VAR(@) is not a valid log level"
+
+create: sudo sed -i -e '/^LogLevel.*$/c \
+LogLevel $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^LogLevel $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^LogLevel.*$/c \
+LogLevel $VAR(@)' /etc/ssh/sshd_config
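Review bot: `create` uses `/^LogLevel.*$/c`, which only rewrites an already-uncommented `LogLevel` line; stock sshd_config files typically ship the directive commented out (`#LogLevel INFO`), in which case the first `set` writes nothing and the configured level is silently not applied. The other two new nodes append on create, so the consistent form here is `create: sudo sed -i -e '$ a \` followed by `LogLevel $VAR(@)' /etc/ssh/sshd_config`, leaving `update` to do the in-place replacement. Separately, the pattern `^((QUIET|FATAL|ERROR|INFO|VERBOSE)(,|$))+$` admits comma-separated lists such as `INFO,VERBOSE`, but LogLevel takes a single keyword, so `^(QUIET|FATAL|ERROR|INFO|VERBOSE)$` is the accurate check.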
diff --git a/templates/service/ssh/macs/node.def b/templates/service/ssh/macs/node.def
index ee6c60e1..f9bf4176 100644
--- a/templates/service/ssh/macs/node.def
+++ b/templates/service/ssh/macs/node.def
@@ -1,10 +1,11 @@
type: txt
-help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'man sshd_config' for supported MACs.
+help: Allowed message authentication algorithms
+comp_help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'ssh -Q mac' for supported MACs.
create: sudo sed -i -e '$ a \
MACs $VAR(@)' /etc/ssh/sshd_config
delete: sudo sed -i -e '/^MACs $VAR(@)$/d' /etc/ssh/sshd_config
-update: sudo sed -i -e '/^MACs/c \
-MACs $VAR(@)' /etc/ssh/sshd_config \ No newline at end of file
+update: sudo sed -i -e '/^MACs.*$/c \
+MACs $VAR(@)' /etc/ssh/sshd_config