Allow weaker MAC and KEX for Fabric

python · Jan 20, 2015 · 4132ae3 · 4132ae3
1 parent 55bdca3
commit 4132ae3
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/salt/ssh/configs/sshd_config.jinja b/salt/ssh/configs/sshd_config.jinja
@@ -47,11 +47,15 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.
 
 # Restrict ourselves to only secure MACs
 # Note: We might need to add the SHA1 versions of these MACs for older clients
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+# Note: Once https://github.com/paramiko/paramiko/pull/356 is released try to
+#       remove hmac-sha1.
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
 
 # Restrict ourselves to only secure KEXs
 # Note: We might need to add the DH-SHA1 versions of these MACs for older clients
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+# Note: Once https://github.com/paramiko/paramiko/pull/356 is released try to
+#       remove diffie-hellman-group14-sha1.
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
 
 
 # Authentication