Sven Velt 2022-09-30 20:36:39 +02:00
parent 8c96e48deb
commit 9751d3f8e9
5 changed files with 43 additions and 7 deletions


@ -54,11 +54,13 @@ SSH versions
- 8.1: Suse 15.2
- 8.2: Ubuntu 20.04 "focal"
- 8.3:
- 8.4: Debian 11 "bullseye", Fedora 33, Suse 15.3
- 8.5:
- 8.6: Fedora 34
- 8.4: Alpine 3.13, Debian 11 "bullseye", Fedora 33, OpenSUSE 15.3/15.4
- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
- 8.6: Alpine 3.14, Fedora 34
- 8.7: Fedora 35
- 8.8: Archlinux, Voidlinux
- 8.8: Alpine 3.15, Fedora 36
- 8.9: Ubuntu 22.04 "jammy"
- 9.0: Archlinux, Voidlinux, Alpine 3.16, Ubuntu 22.10 "kinetic"
License
-------

31
vars/ssh_8.2.yml Normal file

@ -0,0 +1,31 @@
# 8.2: Ubuntu 20.04
# 8.4: Debian 11 & Suse 15.3
ssh_hardening_opts:
KexAlgorithms:
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group16-sha512
- diffie-hellman-group18-sha512
- diffie-hellman-group-exchange-sha256
Ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
MACs:
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
- umac-128-etm@openssh.com
HostKeyAlgorithms:
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- sk-ssh-ed25519@openssh.com
- sk-ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-512
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-256-cert-v01@openssh.com
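Review bot: `diffie-hellman-group-exchange-sha256` in the new `KexAlgorithms` list takes its group from the server's moduli file, so its strength depends on that file rather than on this list, and nothing in this section shows whether the role prunes small moduli. I would add a comment above the list, `# group-exchange: strength depends on /etc/ssh/moduli, keep only moduli >= 3071 bits`, or drop the entry if the role does not manage that file. The header comment also names only 8.2 and 8.4, although `vars/ssh_8.3.yml` is linked to this file in the same commit; a line such as `# 8.3: no distro listed, same policy as 8.2` would make that explicit.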

1
vars/ssh_8.3.yml Symbolic link

@ -0,0 +1 @@
ssh_8.2.yml

1
vars/ssh_8.4.yml Symbolic link

@ -0,0 +1 @@
ssh_8.2.yml


@ -2,10 +2,11 @@
# 8.4: Debian 11 & Suse 15.3
# 8.6: Fedora 34 (no diff in *hardened policy* to 8.4)
# 8.7: Fedora 35 (no diff in *hardened policy* to 8.4)
# 8.8: Arch/Void
# 8.9: Ubuntu 22.04
ssh_hardening_opts:
KexAlgorithms:
- sntrup761x25519-sha512@openssh.com
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group16-sha512
@ -27,8 +28,8 @@ ssh_hardening_opts:
- ssh-ed25519-cert-v01@openssh.com
- sk-ssh-ed25519@openssh.com
- sk-ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-512
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-256-cert-v01@openssh.com