From d6e48f2b435ad35aca89c5d2c4bdcd6b784bae85 Mon Sep 17 00:00:00 2001
From: ek9 <dev@ek9.co>
Date: Tue, 7 Feb 2017 19:45:59 +0100
Subject: [PATCH 1/6] rebase based on latest update

---
 pillar.example | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/pillar.example b/pillar.example
index 923438a..2d19faa 100644
--- a/pillar.example
+++ b/pillar.example
@@ -13,7 +13,7 @@ sshd_config:
     - /etc/ssh/ssh_host_ed25519_key
   UsePrivilegeSeparation: 'yes'
   KeyRegenerationInterval: 3600
-  ServerKeyBits: 768
+  ServerKeyBits: 1024
   SyslogFacility: AUTH
   LogLevel: INFO
   ClientAliveInterval: 0
@@ -35,9 +35,9 @@ sshd_config:
   ChallengeResponseAuthentication: 'no'
   AuthenticationMethods: 'publickey,keyboard-interactive'
   AuthorizedKeysFile: '%h/.ssh/authorized_keys'
-  X11Forwarding: 'yes'
+  X11Forwarding: 'no'
   X11DisplayOffset: 10
-  PrintMotd: 'no'
+  PrintMotd: 'yes'
   PrintLastLog: 'yes'
   TCPKeepAlive: 'yes'
   AcceptEnv: "LANG LC_*"
@@ -58,14 +58,26 @@ sshd_config:
         AllowTcpForwarding: no
         ForceCommand: internal-sftp
   # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first.
-  # For these three keywords, the options may be specified as a list...
+  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
+  # The configuration given in the example below is based on:
+  # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+  #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
+  #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+  #MACs: 'hmac-sha1'
   KexAlgorithms:
-    - diffie-hellman-group14-sha1
-    - diffie-hellman-group1-sha1
-  # ... or a single string.
-  Ciphers: 'aes128-ctr,aes256-ctr'
-  MACs: 'hmac-sha1'
-  # Similar situation for ssh_config
+    - 'curve25519-sha256@libssh.org'
+    - 'diffie-hellman-group-exchange-sha256'
+    - 'diffie-hellman-group-exchange-sha1'
+    - 'diffie-hellman-group14-sha1'
+  Ciphers:
+    - 'chacha20-poly1305@openssh.com'
+    - 'aes256-gcm@openssh.com'
+    - 'aes128-gcm@openssh.com'
+    - 'aes256-ctr'
+    - 'aes192-ctr'
+    - 'aes128-ctr'
+  MACs:
+    - 'hmac-sha1'
 
 ssh_config:
   StrictHostKeyChecking: no

From ec796662bc6dc609fbb026701b3e8f030ebc86cc Mon Sep 17 00:00:00 2001
From: ek9 <dev@ek9.co>
Date: Sun, 19 Feb 2017 14:44:56 +0100
Subject: [PATCH 2/6] pillar.example: update with secure defaults for
 sshd_config and ssh_config

---
 pillar.example | 44 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 39 insertions(+), 5 deletions(-)

diff --git a/pillar.example b/pillar.example
index 2d19faa..fb09515 100644
--- a/pillar.example
+++ b/pillar.example
@@ -61,14 +61,12 @@ sshd_config:
   # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
   # The configuration given in the example below is based on:
   # https://stribika.github.io/2015/01/04/secure-secure-shell.html
-  #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
+  #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
   #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
-  #MACs: 'hmac-sha1'
+  #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
   KexAlgorithms:
     - 'curve25519-sha256@libssh.org'
     - 'diffie-hellman-group-exchange-sha256'
-    - 'diffie-hellman-group-exchange-sha1'
-    - 'diffie-hellman-group14-sha1'
   Ciphers:
     - 'chacha20-poly1305@openssh.com'
     - 'aes256-gcm@openssh.com'
@@ -77,7 +75,14 @@ sshd_config:
     - 'aes192-ctr'
     - 'aes128-ctr'
   MACs:
-    - 'hmac-sha1'
+    - 'hmac-sha2-512-etm@openssh.com'
+    - 'hmac-sha2-256-etm@openssh.com'
+    - 'hmac-ripemd160-etm@openssh.com'
+    - 'umac-128-etm@openssh.com'
+    - 'hmac-sha2-512'
+    - 'hmac-sha2-256'
+    - 'hmac-ripemd160'
+    - 'umac-128@openssh.com'
 
 ssh_config:
   StrictHostKeyChecking: no
@@ -101,6 +106,35 @@ ssh_config:
   TunnelDevice: 'any:any'
   PermitLocalCommand: 'no'
   VisualHostKey: 'no'
+  # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
+  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
+  # The configuration given in the example below is based on:
+  # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+  #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
+  #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
+  #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
+  KexAlgorithms:
+    - 'curve25519-sha256@libssh.org'
+    - 'diffie-hellman-group-exchange-sha256'
+    - 'diffie-hellman-group-exchange-sha1'
+    - 'diffie-hellman-group14-sha1'
+  Ciphers:
+    - 'chacha20-poly1305@openssh.com'
+    - 'aes256-gcm@openssh.com'
+    - 'aes128-gcm@openssh.com'
+    - 'aes256-ctr'
+    - 'aes192-ctr'
+    - 'aes128-ctr'
+  MACs:
+    - 'hmac-sha2-512-etm@openssh.com'
+    - 'hmac-sha2-256-etm@openssh.com'
+    - 'hmac-ripemd160-etm@openssh.com'
+    - 'umac-128-etm@openssh.com'
+    - 'hmac-sha2-512'
+    - 'hmac-sha2-256'
+    - 'hmac-ripemd160'
+    - 'umac-128@openssh.com'
+
 
 openssh:
   # Controls if SSHD should be enabled/started

From f5a74f3fa03cca4b4e488dee92b67ca5fe1f02a0 Mon Sep 17 00:00:00 2001
From: ek9 <dev@ek9.co>
Date: Sun, 19 Feb 2017 14:45:12 +0100
Subject: [PATCH 3/6] defaults: enable secure defaults on sshd_config

---
 openssh/defaults.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml
index 8f21dc9..26c2470 100644
--- a/openssh/defaults.yaml
+++ b/openssh/defaults.yaml
@@ -10,6 +10,26 @@ openssh:
   dig_pkg: dnsutils
   ssh_moduli: /etc/ssh/moduli
   root_group: root
+  KexAlgorithms:
+    - 'curve25519-sha256@libssh.org'
+    - 'diffie-hellman-group-exchange-sha256'
+  Ciphers:
+    - 'chacha20-poly1305@openssh.com'
+    - 'aes256-gcm@openssh.com'
+    - 'aes128-gcm@openssh.com'
+    - 'aes256-ctr'
+    - 'aes192-ctr'
+    - 'aes128-ctr'
+  MACs:
+    - 'hmac-sha2-512-etm@openssh.com'
+    - 'hmac-sha2-256-etm@openssh.com'
+    - 'hmac-ripemd160-etm@openssh.com'
+    - 'umac-128-etm@openssh.com'
+    - 'hmac-sha2-512'
+    - 'hmac-sha2-256'
+    - 'hmac-ripemd160'
+    - 'umac-128@openssh.com'
+
 sshd_config: {}
 ssh_config:
   Hosts:

From f192b91192db2a97a65372821fad8a88fb0a0066 Mon Sep 17 00:00:00 2001
From: ek9 <dev@ek9.co>
Date: Fri, 24 Feb 2017 20:17:36 +0100
Subject: [PATCH 4/6] add more verbose warnings regarding ssh_config in
 pillar.example

---
 pillar.example | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pillar.example b/pillar.example
index fb09515..39d9934 100644
--- a/pillar.example
+++ b/pillar.example
@@ -84,6 +84,11 @@ sshd_config:
     - 'hmac-ripemd160'
     - 'umac-128@openssh.com'
 
+# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config
+# pillar will overwrite the defaults of your distribution's SSH client. This
+# will also force the default configuration for all the SSH clients on the
+# machine. This can break SSH connections with servers using older versions of
+# openssh. Please make sure you understand the implication of different settings
 ssh_config:
   StrictHostKeyChecking: no
   ForwardAgent: no
@@ -107,9 +112,12 @@ ssh_config:
   PermitLocalCommand: 'no'
   VisualHostKey: 'no'
   # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first.
-  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
+  # WARNING! Please make sure you understand the implications of the below
+  # settings. The examples provided below might break your connection to older /
+  # legacy openssh servers.
   # The configuration given in the example below is based on:
   # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+  # You can specify KexAlgorithms, Ciphers and MACs as both key or a list.
   #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'
   #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
   #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

From c03e29a49831b5606d886bc00eb8bcc721514513 Mon Sep 17 00:00:00 2001
From: ek9 <dev@ek9.co>
Date: Fri, 24 Feb 2017 21:13:35 +0100
Subject: [PATCH 5/6] remove Kex,MACs,Ciphers from defaults

---
 openssh/defaults.yaml | 27 +--------------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml
index 26c2470..52a585b 100644
--- a/openssh/defaults.yaml
+++ b/openssh/defaults.yaml
@@ -10,31 +10,6 @@ openssh:
   dig_pkg: dnsutils
   ssh_moduli: /etc/ssh/moduli
   root_group: root
-  KexAlgorithms:
-    - 'curve25519-sha256@libssh.org'
-    - 'diffie-hellman-group-exchange-sha256'
-  Ciphers:
-    - 'chacha20-poly1305@openssh.com'
-    - 'aes256-gcm@openssh.com'
-    - 'aes128-gcm@openssh.com'
-    - 'aes256-ctr'
-    - 'aes192-ctr'
-    - 'aes128-ctr'
-  MACs:
-    - 'hmac-sha2-512-etm@openssh.com'
-    - 'hmac-sha2-256-etm@openssh.com'
-    - 'hmac-ripemd160-etm@openssh.com'
-    - 'umac-128-etm@openssh.com'
-    - 'hmac-sha2-512'
-    - 'hmac-sha2-256'
-    - 'hmac-ripemd160'
-    - 'umac-128@openssh.com'
 
 sshd_config: {}
-ssh_config:
-  Hosts:
-    '*':
-      SendEnv: LANG LC_*
-      HashKnownHosts: yes
-      GSSAPIAuthentication: yes
-      GSSAPIDelegateCredentials: no
+ssh_config: {}

From 038a51cdc85fe4507eb943bfb16c189538cc144b Mon Sep 17 00:00:00 2001
From: ek9 <dev@ek9.co>
Date: Fri, 24 Feb 2017 21:13:52 +0100
Subject: [PATCH 6/6] manage sshd_config and ssh_config only if pillars are
 defined

---
 openssh/config.sls | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/openssh/config.sls b/openssh/config.sls
index e462888..3070603 100644
--- a/openssh/config.sls
+++ b/openssh/config.sls
@@ -3,6 +3,7 @@
 include:
   - openssh
 
+{% if salt['pillar.get']('sshd_config', False) %}
 sshd_config:
   file.managed:
     - name: {{ openssh.sshd_config }}
@@ -12,7 +13,9 @@ sshd_config:
     - mode: 644
     - watch_in:
       - service: openssh
+{% endif %}
 
+{% if salt['pillar.get']('ssh_config', False) %}
 ssh_config:
   file.managed:
     - name: {{ openssh.ssh_config }}
@@ -20,6 +23,7 @@ ssh_config:
     - template: jinja
     - user: root
     - mode: 644
+{% endif %}
 
 {% for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
 {% if salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %}