don't share setting for nginx and ssh

This commit is contained in:
Romuald du Song 2019-02-14 22:57:24 +01:00
parent e8eff87297
commit a899102efc
4 changed files with 9 additions and 7 deletions


@ -24,13 +24,13 @@ do_pre_regen() {
fi
# Support different strategy for security configurations
if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then
security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')"
if [[ -n "$(yunohost settings get 'service.ssh.ciphers.compatibility')" ]]; then
ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.ciphers.compatibility')"
fi
export ssh_keys
export ipv6_enabled
export security_ciphers_compatibility
export ssh_ciphers_compatibility
ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
}
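Review bot: The new setting is read twice with `yunohost settings get 'service.ssh.ciphers.compatibility'`, once in the `-n` test and again in the assignment, which costs a second subprocess for no extra information. Assigning unconditionally, `ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.ciphers.compatibility')"`, and then exporting it appears to give the same outcome, because an empty value fails the `== "intermediate"` comparison in the template exactly as an unset one presumably does; confirm that ynh_render_template treats empty and missing variables alike before dropping the guard. A comment on the export line, `# empty/unset value -> template falls back to the "modern" Mozilla profile`, would make that fallback visible where the value is produced. do_pre_regen's body begins before the hunk.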


@ -15,17 +15,17 @@ HostKey {{ key }}{% endfor %}
# https://infosec.mozilla.org/guidelines/openssh
# ##############################################
{%- if security_ciphers_compatibility == "intermediate" -%}
{% if ssh_ciphers_compatibility == "intermediate" %}
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
{%- else -%}
{% else %}
# By default use "modern" Mozilla configuration
# Keys, ciphers and MACS
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
{%- endif -%}
{% endif %}
# Use kernel sandbox mechanisms where possible in unprivileged processes
UsePrivilegeSeparation sandbox
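Review bot: The rewritten if/else/endif tags drop the `-` whitespace control (`{%- if … -%}` became `{% if … %}`), so the rendered sshd_config now keeps a newline where each tag stood; sshd ignores blank lines, but if the change was not intended the previous form can be kept with only the variable renamed, `{%- if ssh_ciphers_compatibility == "intermediate" -%}`. Nothing in the template says what happens when ssh_ciphers_compatibility is empty or undefined; since the comparison then fails and the modern block is emitted, a line `{# unset or empty value -> "modern" profile below #}` just before the if would state the intent for the next reader.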


@ -202,11 +202,12 @@
"global_settings_setting_example_enum": "Example enum option",
"global_settings_setting_example_int": "Example int option",
"global_settings_setting_example_string": "Example string option",
"global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy",
"global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy for the web",
"global_settings_setting_security_password_admin_strength": "Admin password strength",
"global_settings_setting_security_password_user_strength": "User password strength",
"global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key:s}', discarding it and save it in /etc/yunohost/unkown_settings.json",
"global_settings_setting_service_ssh_allow_deprecated_dsa_hostkey": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
"global_settings_setting_service_ssh_ciphers_compatibility": "Admin ciphers compatibility strategy for SSH",
"global_settings_unknown_type": "Unexpected situation, the setting {setting:s} appears to have the type {unknown_type:s} but it's not a type supported by the system.",
"good_practices_about_admin_password": "You are now about to define a new administration password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",
"good_practices_about_user_password": "You are now about to define a new user password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",


@ -39,6 +39,7 @@ DEFAULTS = OrderedDict([
("security.password.admin.strength", {"type": "int", "default": 1}),
("security.password.user.strength", {"type": "int", "default": 1}),
("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", "default": False}),
("service.ssh.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}),
("security.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}),
])
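Review bot: As printed, the added entry `{"type": "enum", "choices": "intermediate", "modern"}` is not a valid dict display, since `"modern"` has no key, and it carries no `"default"` although the neighbouring settings do; if the page merely dropped list brackets, `"choices"` should still be a list. Suggest `("service.ssh.ciphers.compatibility", {"type": "enum", "default": "modern", "choices": ["intermediate", "modern"]}),`, the default matching the template's own comment that the modern profile is used unless "intermediate" is chosen. The unchanged security.ciphers.compatibility entry below it has the same shape and would deserve the same fix. The DEFAULTS OrderedDict opens before the hunk.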