Description
I have some switches that I need to ssh into from a single server. Even with the latest firmware they don't support secure SSH ciphers, so I wanted to allow weak ciphers/kex.
To do this I added -
class { 'ssh_hardening':
  client_options => {
    'cbc_required' => 'true',
    'weak_hmac'    => 'true',
    'weak_kex'     => 'true',
  },
}
This did not put the weak ciphers in, so I tried Hiera -
ssh_hardening::client::weak_kex: 'true'
ssh_hardening::client::weak_hmac: 'true'
ssh_hardening::client::cbc_required: 'true'
This also did not work, so I tried forcing it from init.pp -
class { 'ssh_hardening::client':
  ipv6_enabled => $ipv6_enabled,
  ports        => $ports,
  #cbc_required => $cbc_required,
  #weak_hmac    => $weak_hmac,
  #weak_kex     => $weak_kex,
  cbc_required => true,
  weak_hmac    => true,
  weak_kex     => true,
  options      => $client_options,
}
Which also didn't work, and I am not good enough at debugging Puppet, so I ended up editing get_ssh_kex.rb, get_ssh_macs.rb and get_ssh_ciphers.rb to force the ciphers.
i.e. ciphers_53.default = 'aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc'
However, this is not optimal, as now all my servers can SSH to insecure locations.
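The last sentence is the real risk in this report: once the legacy CBC ciphers are in the global defaults, every destination gets them. The added example below (not code from the issue or from the ssh_hardening module) resolves the effective `Ciphers` for a destination from an ssh_config the way OpenSSH does, first obtained value wins, so you can verify that a `Host switch-*` block placed before the global `Host *` block is the only place the CBC modes are reachable. The config, hostnames and `switch-*` pattern are constructed for the example, and the parser deliberately skips `Match`, `Include` and negated patterns.

```python
"""Added example: check which destinations end up with CBC ciphers."""
from fnmatch import fnmatch
from typing import Optional

# Constructed ssh_config. The switches' block comes FIRST: ssh_config uses the
# first value obtained for each option, so a per-host block placed after a
# global Ciphers line would be silently ignored.
SAMPLE_CONFIG = """\
Host switch-*
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc

Host *
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr
"""

# Same blocks in the wrong order: the global line wins for every host.
REVERSED_CONFIG = """\
Host *
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr

Host switch-*
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
"""


def effective_option(config: str, hostname: str, option: str) -> Optional[str]:
    """Return the first value of `option` whose enclosing Host pattern matches
    `hostname`, or None. Lines before any Host line apply to all hosts."""
    patterns = ["*"]
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()          # a Host line may list several patterns
            continue
        if key == option.lower() and any(fnmatch(hostname, p) for p in patterns):
            return value
    return None


def cbc_allowed(config: str, hostname: str) -> bool:
    """True if the effective Ciphers for `hostname` include any CBC mode."""
    ciphers = effective_option(config, hostname, "Ciphers") or ""
    return any(c.endswith("-cbc") for c in ciphers.split(","))


if __name__ == "__main__":
    for host in ("switch-01", "db01.example.internal"):
        print(f"{host}: CBC allowed = {cbc_allowed(SAMPLE_CONFIG, host)}")
```

On a real server, `ssh -G switch-01 | grep -i ciphers` prints OpenSSH's own resolution of the same rule and is the authoritative check after a Puppet run.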