---
# SSH algorithm allow-lists. Each preset is a mapping of the five OpenSSH
# algorithm classes (key exchange, ciphers, MACs, host-key and public-key
# signature algorithms) to a list of names. Lists are ordered by preference;
# in SSH the peers negotiate the first entry of the client's list that the
# server also offers, so keep the strongest entries first.
# NOTE(review): how these presets are rendered into sshd/ssh configuration is
# not visible here. OpenSSH rejects an algorithm list that contains a name the
# local build does not know (rather than skipping it), so the consumer should
# filter against the target's `ssh -Q <class>` output — confirm the role does.

# The collection's own hardened baseline.
ssh_secure_presets:
  allowed_kexalgos:
    # Post-quantum hybrid KEX; sntrup4591761 is the older experimental variant
    # and is presumably absent from current OpenSSH builds — see the note above.
    - sntrup761x25519-sha512@openssh.com
    - sntrup4591761x25519-sha512@tinyssh.org
    - curve25519-sha256
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp521
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp256
    - diffie-hellman-group18-sha512
    - diffie-hellman-group16-sha512
    # Group size for group-exchange comes from the server's moduli file, not
    # from this list — weak groups must be pruned there to benefit from it.
    - diffie-hellman-group-exchange-sha256
  allowed_ciphers:
    # Disabled due to the Terrapin vulnerability (https://terrapin-attack.com/),
    # re-enable in the future when it's safe. Newer OpenSSH releases carry a
    # "strict kex" extension that mitigates Terrapin when BOTH peers support it;
    # re-evaluate once every client and server in scope is on such a release.
    # - chacha20-poly1305@openssh.com
    - aes256-gcm@openssh.com
    - aes128-gcm@openssh.com
    - aes256-ctr
    - aes192-ctr
    - aes128-ctr
  allowed_macs:
    # See above (Terrapin). NOTE(review): the published Terrapin attack targets
    # chacha20-poly1305 and CBC ciphers combined with EtM MACs; with only
    # GCM/CTR ciphers allowed, the EtM MACs below are not known to be affected,
    # and EtM is generally preferred over encrypt-and-MAC. Confirm against the
    # disclosure before keeping them disabled.
    # - hmac-sha2-512-etm@openssh.com
    # - hmac-sha2-256-etm@openssh.com
    # - umac-128-etm@openssh.com
    - hmac-sha2-512
    - hmac-sha2-256
  allowed_hostkey_algos:
    - ssh-ed25519
    - sk-ssh-ed25519@openssh.com
    - ecdsa-sha2-nistp521
    - ecdsa-sha2-nistp384
    - ecdsa-sha2-nistp256
    - sk-ecdsa-sha2-nistp256@openssh.com
    - webauthn-sk-ecdsa-sha2-nistp256@openssh.com
    # RSA keys only via the SHA-2 signature schemes; legacy ssh-rsa (SHA-1) is
    # deliberately absent.
    - rsa-sha2-512
    - rsa-sha2-256
  allowed_pubkey_algos:
    - ssh-ed25519
    - sk-ssh-ed25519@openssh.com
    - ecdsa-sha2-nistp521
    - ecdsa-sha2-nistp384
    - ecdsa-sha2-nistp256
    - sk-ecdsa-sha2-nistp256@openssh.com
    - webauthn-sk-ecdsa-sha2-nistp256@openssh.com
    - rsa-sha2-512
    - rsa-sha2-256

# Preset following the German BSI's TR-02102-4 (Version 2023-01). Section
# references are given per list. Compared to ssh_secure_presets this omits
# the curve25519 / post-quantum KEX entries and the Ed25519 host keys, because
# the TR does not list them — not because they are weaker.
ssh_bsi_recommended_presets:
  # TR-02102-4, Version 2023-01, Section 3.3
  allowed_kexalgos:
    - ecdh-sha2-nistp521
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp256
    - diffie-hellman-group16-sha512
    # Same caveat as above: the moduli file governs the group size.
    - diffie-hellman-group-exchange-sha256
  # TR-02102-4, Version 2023-01, Section 3.4
  allowed_ciphers:
    - aes256-gcm@openssh.com
    - aes128-gcm@openssh.com
    - aes256-ctr
    - aes192-ctr
    - aes128-ctr
  # TR-02102-4, Version 2023-01, Section 3.5
  allowed_macs:
    - hmac-sha2-512
    - hmac-sha2-256
  # TR-02102-4, Version 2023-01, Section 3.6
  allowed_hostkey_algos:
    - ecdsa-sha2-nistp521
    - ecdsa-sha2-nistp384
    - ecdsa-sha2-nistp256
  # TR-02102-4, Version 2023-01, Section 3.7 explicitly doesn't specify a list
  # of recommended algorithms here, but points to TR-03116-4, which isn't
  # applicable unless it's a gov project. We're therefore falling back to our
  # secure preset from above. (Jinja reference; resolved at play time, so both
  # presets must be loaded together.)
  allowed_pubkey_algos: "{{ ssh_secure_presets.allowed_pubkey_algos }}"