puppet-ssh-hardening

SSH Config warnings with Artful Aardvark

Open syntacticvexation opened this issue 8 years ago • 1 comments

Hi,

I get some warnings doing a git checkout via SSH when using this module under Artful Aardvark. I receive the following:

==> default: /etc/ssh/ssh_config line 22: Unsupported option "rsaauthentication"
==> default: /etc/ssh/ssh_config line 23: Unsupported option "rhostsrsaauthentication"

My understanding is that these options are no longer supported by newer versions of OpenSSH: https://forum.gitlab.com/t/ssh-unsupported-option-rsaauthentication/11198

Thanks.

syntacticvexation, Dec 10 '17 02:12

Workaround with undef. (Ubuntu 20.04 Focal Fossa)

class { 'ssh_hardening':
  client_options => {
    # Choose acceptable MACs
    'MACs'                    => 'hmac-sha2-512,hmac-sha2-256',
    # RhostsRSAAuthentication & RSAAuthentication are deprecated, so don't set!
    'RhostsRSAAuthentication' => undef,
    'RSAAuthentication'       => undef,
  },
}

I also included an augeas step to remove these from ssh_config if something else initially puts them there.

augeas { 'remove_ssh_deprecated options':
    context  => '/files/etc/ssh/ssh_config',
    changes  => [
      "rm RhostsRSAAuthentication",
      "rm RSAAuthentication"
    ],
}

tenwiseman, Aug 19 '20 08:08
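
A check for confirming the workaround took effect, added here as an example and not part of the thread or the module: it scans an ssh_config-style file for the two options named in the warnings, matching keywords case-insensitively and in both `Keyword value` and `Keyword=value` forms, and reports the line numbers. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the module): find deprecated client options
# that are still present in an ssh_config-style file.

# find_deprecated FILE
# Prints "LINE:keyword" for each hit; returns 1 if any hit, 0 if clean.
find_deprecated() {
    awk '
        BEGIN {
            dep["rsaauthentication"] = 1
            dep["rhostsrsaauthentication"] = 1
            rc = 0
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # options may be indented under Host
            if (line == "" || line ~ /^#/) next  # skip blank lines and comments
            key = line
            sub(/[ \t=].*$/, "", key)            # keyword ends at whitespace or "="
            key = tolower(key)                   # keywords are case-insensitive
            if (key in dep) { printf "%d:%s\n", NR, key; rc = 1 }
        }
        END { exit rc }
    ' "$1"
}

# write_sample FILE: constructed sample input, not taken from the module.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from the module
Host *
    MACs hmac-sha2-512,hmac-sha2-256
    RSAAuthentication yes
    rhostsrsaauthentication=no
    # RSAAuthentication no
    PubkeyAuthentication yes
EOF
}

# Demo on the constructed sample; on a real host call
# find_deprecated /etc/ssh/ssh_config after the Puppet run.
sample=$(mktemp)
write_sample "$sample"
find_deprecated "$sample" || echo "deprecated options still present"
rm -f "$sample"
```

The non-zero return value makes the function usable as a post-deployment gate in CI or in a test of the Puppet run.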