From a899102efc8a13fcf4c16bf31bb7769f4d820b23 Mon Sep 17 00:00:00 2001
From: Romuald du Song
Date: Thu, 14 Feb 2019 22:57:24 +0100
Subject: [PATCH] don't share setting for nginx and ssh

---
 data/hooks/conf_regen/03-ssh | 6 +++---
 data/templates/ssh/sshd_config | 6 +++---
 locales/en.json | 3 ++-
 src/yunohost/settings.py | 1 +
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh
index 330166f08..3a79de456 100755
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@@ -24,13 +24,13 @@ do_pre_regen() {
   fi
 
   # Support different strategy for security configurations
-  if [[ -n "$(yunohost settings get 'security.ciphers.compatibility')" ]]; then
-    security_ciphers_compatibility="$(yunohost settings get 'security.ciphers.compatibility')"
+  if [[ -n "$(yunohost settings get 'service.ssh.ciphers.compatibility')" ]]; then
+    ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.ciphers.compatibility')"
   fi
 
   export ssh_keys
   export ipv6_enabled
-  export security_ciphers_compatibility
+  export ssh_ciphers_compatibility
 
   ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
 }
diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index 7194a309d..f27ca3ebe 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
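Review bot: Existing installs that set `security.ciphers.compatibility` to `intermediate` silently lose that choice for SSH once the hook reads `service.ssh.ciphers.compatibility` instead, because nothing in the commit carries the old value over to the new key; on a host whose older clients depend on the intermediate cipher set, the next regen-conf would presumably switch sshd to the modern set and cut those clients off. A settings migration, or at least a one-shot copy in `do_pre_regen` when the new key is empty and the old one is set, would avoid that surprise. As a smaller point of style, the setting is fetched twice (once for the `-n` test, once for the assignment); `ssh_ciphers_compatibility="$(yunohost settings get 'service.ssh.ciphers.compatibility')"` on its own leaves the variable empty when the key is unset, which the sshd_config template already treats as the default branch. `do_pre_regen` begins before the hunk.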
@@ -15,17 +15,17 @@ HostKey {{ key }}{% endfor %}
 # https://infosec.mozilla.org/guidelines/openssh
 #
 ##############################################
-{%- if security_ciphers_compatibility == "intermediate" -%}
+{% if ssh_ciphers_compatibility == "intermediate" %}
 KexAlgorithms diffie-hellman-group-exchange-sha256
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512,hmac-sha2-256
-{%- else -%}
+{% else %}
 # By default use "modern" Mozilla configuration
 # Keys, ciphers and MACS
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-{%- endif -%}
+{% endif %}
 
 # Use kernel sandbox mechanisms where possible in unprivileged processes
 UsePrivilegeSeparation sandbox
diff --git a/locales/en.json b/locales/en.json
index 72a34fb57..3f01cb08e 100644
--- a/locales/en.json
+++ b/locales/en.json
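Review bot: Nothing in the template records why the trimming tags were replaced by plain `{% if %}`/`{% else %}`/`{% endif %}`, and the reason is easy to lose in a later cleanup: if I read Jinja's `{%-`/`-%}` right, the old form strips the newline after the `####` comment line, so in the intermediate case the first `KexAlgorithms` directive ends up glued onto a line that starts with `#` and sshd ignores it — this change is what makes the restricted cipher policy actually take effect. A short Jinja comment above the block, for example `{# keep these tags without '-' whitespace control: trimming joins the first directive onto the comment line above #}`, would protect it. The template continues outside the hunk.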
@@ -202,11 +202,12 @@
     "global_settings_setting_example_enum": "Example enum option",
     "global_settings_setting_example_int": "Example int option",
     "global_settings_setting_example_string": "Example string option",
-    "global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy",
+    "global_settings_setting_security_ciphers_compatibility": "Admin ciphers compatibility strategy for the web",
     "global_settings_setting_security_password_admin_strength": "Admin password strength",
     "global_settings_setting_security_password_user_strength": "User password strength",
     "global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key:s}', discarding it and save it in /etc/yunohost/unkown_settings.json",
     "global_settings_setting_service_ssh_allow_deprecated_dsa_hostkey": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
+    "global_settings_setting_service_ssh_ciphers_compatibility": "Admin ciphers compatibility strategy for SSH",
     "global_settings_unknown_type": "Unexpected situation, the setting {setting:s} appears to have the type {unknown_type:s} but it's not a type supported by the system.",
     "good_practices_about_admin_password": "You are now about to define a new administration password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",
     "good_practices_about_user_password": "You are now about to define a new user password. The password should be at least 8 characters - though it is good practice to use longer password (i.e. a passphrase) and/or to use various kind of characters (uppercase, lowercase, digits and special characters).",
diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py
index 9b12647a6..c3d4591b0 100644
--- a/src/yunohost/settings.py
+++ b/src/yunohost/settings.py
@@ -39,6 +39,7 @@ DEFAULTS = OrderedDict([
     ("security.password.admin.strength", {"type": "int", "default": 1}),
     ("security.password.user.strength", {"type": "int", "default": 1}),
     ("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", "default": False}),
+    ("service.ssh.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}),
     ("security.ciphers.compatibility", {"type": "enum", "choices": "intermediate", "modern"}),
 ])
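Review bot: The new `service.ssh.ciphers.compatibility` entry carries no `"default"` key, and as rendered here its `"choices"` value reads as a bare `"intermediate", "modern"` pair rather than a list, which would not be a valid dict display; both mirror the existing `security.ciphers.compatibility` line, so this may be an artefact of how the page was extracted, but it is worth confirming that the committed line is `("service.ssh.ciphers.compatibility", {"type": "enum", "default": "modern", "choices": ["intermediate", "modern"]}),`. Every other entry in the visible table declares a default, and without one the value an unset key reports to the `03-ssh` hook depends on how the settings code handles a missing default, which is outside this hunk; the SSH template only falls back to the modern cipher set because the hook exports an empty variable. The `DEFAULTS` table starts before the hunk.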