
[BUG] Multiple entries of ciphers/macs/kexalgorithms when server_option is an array or yaml list #361

Closed
ReneTrippen opened this issue Sep 21, 2023 · 0 comments · Fixed by #362

Comments

@ReneTrippen
Contributor

When the server_option for Ciphers/MACs/KexAlgorithms is defined as an array or as a YAML list, the generated sshd_config has
multiple entries for them. This does not work, because sshd picks only the first match.
From the man page of sshd_config(5):

"Multiple ciphers must be comma-separated." The same for MACs and KexAlgorithms.

Example:

As array

class { 'ssh':
  storeconfigs_enabled => false,
  server_options => {
    'Ciphers'       => [ 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-cbc', '3des-cbc', 'aes192-cbc', 'aes256-cbc' ],
    'Macs'          => [ '[email protected]', '[email protected]', 'hmac-sha2-512', 'hmac-sha2-256' ],
    'KexAlgorithms' => [ 'curve25519-sha256', '[email protected]', 'diffie-hellman-group14-sha256', 'diffie-hellman-group16-sha512' ],
  },
}

As YAML list in Hiera

Ciphers:
   - "aes128-ctr"
   - "aes192-ctr"
   - "aes256-ctr"
   - "aes128-cbc"
   - "3des-cbc"
   - "aes192-cbc"
   - "aes256-cbc"
MACs:
   - "[email protected]"
   - "[email protected]"
   - "hmac-sha2-512"
   - "hmac-sha2-256"
KexAlgorithms:
   - "curve25519-sha256"
   - "[email protected]"
   - "diffie-hellman-group14-sha256"
   - "diffie-hellman-group16-sha512"

Generated sshd_config

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
Ciphers aes128-ctr
Ciphers aes192-ctr
Ciphers aes256-ctr
Ciphers aes128-cbc
Ciphers 3des-cbc
Ciphers aes192-cbc
Ciphers aes256-cbc
KexAlgorithms curve25519-sha256
KexAlgorithms [email protected]
KexAlgorithms diffie-hellman-group14-sha256
KexAlgorithms diffie-hellman-group16-sha512
Macs [email protected]
Macs [email protected]
Macs hmac-sha2-512
Macs hmac-sha2-256
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes

sshd -T

sshd -T | grep -E "(^cipher|^kexal|^mac)"
ciphers aes128-ctr
macs [email protected]
kexalgorithms curve25519-sha256

As string

class { 'ssh':
  storeconfigs_enabled => false,
  server_options => {
    'Ciphers'       => 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc',
    'Macs'          => '[email protected],[email protected],hmac-sha2-512,hmac-sha2-256',
    'KexAlgorithms' => 'curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512',
  },
}

Generated sshd_config

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Macs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes

sshd -T

sshd -T | grep -E "(^cipher|^kexal|^mac)"
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
macs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
kexalgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
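The behaviour reported above, as an added Ruby example (not the puppet-ssh module's own template code): `render_server_options` joins array values for the first-match-wins keywords into one comma-separated line, the way the fix describes, while still emitting repeatable keywords such as ListenAddress once per value; `duplicate_keywords` audits an existing sshd_config for the broken pattern. The option hash and config text are constructed sample input.

```ruby
# Keywords that sshd_config(5) expects as a single comma-separated list and
# for which sshd honours only the first occurrence. sshd keyword matching is
# case-insensitive, so everything is compared in lower case.
COMMA_LIST_KEYS = %w[ciphers macs kexalgorithms].freeze

# Render a server_options hash into sshd_config lines (hypothetical helper,
# modelled on the module's sorted output, not its real ERB template).
def render_server_options(options)
  options.sort_by { |k, _| k.downcase }.flat_map do |key, value|
    if COMMA_LIST_KEYS.include?(key.downcase)
      # Array or string: both end up as one "Key a,b,c" line.
      ["#{key} #{Array(value).join(',')}"]
    else
      # Other keywords (e.g. ListenAddress) may legitimately repeat.
      Array(value).map { |v| "#{key} #{v}" }
    end
  end
end

# Return the list keywords that appear more than once in a config text;
# any hit means sshd is silently using only the first value.
def duplicate_keywords(config_text)
  seen = Hash.new(0)
  config_text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    seen[line.split(/[\s=]+/, 2).first.downcase] += 1
  end
  seen.select { |k, n| COMMA_LIST_KEYS.include?(k) && n > 1 }.keys
end

# Constructed sample input mirroring the issue: arrays for the list keywords,
# a string for one of them, and a genuinely repeatable keyword.
SAMPLE_OPTIONS = {
  'Ciphers'       => ['aes128-ctr', 'aes192-ctr', 'aes256-ctr'],
  'KexAlgorithms' => 'curve25519-sha256,diffie-hellman-group14-sha256',
  'ListenAddress' => ['0.0.0.0', '::'],
  'Macs'          => ['hmac-sha2-512', 'hmac-sha2-256'],
}.freeze

# Constructed config showing the broken output the old template produced.
BROKEN_CONFIG = <<~CONF
  Ciphers aes128-ctr
  Ciphers aes192-ctr
  KexAlgorithms curve25519-sha256
  Macs hmac-sha2-512
  Macs hmac-sha2-256
CONF

puts render_server_options(SAMPLE_OPTIONS)
puts "duplicated: #{duplicate_keywords(BROKEN_CONFIG).join(', ')}"
```

Running `duplicate_keywords` over a host's actual sshd_config (or the output of `sshd -T` compared against the intended list) is a cheap check that a hardening baseline really took effect.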
ReneTrippen pushed a commit to ReneTrippen/puppet-ssh that referenced this issue Sep 21, 2023
As the man page of sshd_config(5) describes:
"Multiple ciphers/macs/kexalgorithms must be comma-separated."
Using an array or YAML list for ciphers/mac/kex results in multiple
entries in sshd_config. If multiple entries are set in sshd_config, sshd takes only the first
one.

Fixes saz#361
@ReneTrippen ReneTrippen changed the title Multiple entries of ciphers/macs/kexalgorithms when server_option is an array or yaml list [BUG] Multiple entries of ciphers/macs/kexalgorithms when server_option is an array or yaml list Sep 21, 2023
@saz saz closed this as completed in #362 Sep 26, 2023