While upstream thinks they are ok and are being kept
for compatibility, some organisations disagree and
give poor ratings impacting my employer. Since
that's automated, that's an easy way to scam customers.
Since openssh is critical, and even more so with ansible, this modification
tries to be as conservative as possible and tries to avoid any critical
outage by making sure changes are future proofed, without requiring
on-going maintenance.
For example, there is no hardcoding of the list of ciphers, in case
some are removed in the future and still in the list, since openssh
fails to start if a cipher is requested but was removed. This is to prevent
cipher list rot, which is a problem that could happen if we have to do any
manual maintenance.
The system also cleans itself for future proofing (if upstream
drops the problematic ciphers, then we switch to using the upstream list without
modification).
And we check we do not do something stupid before even writing
the configuration.
The resulting code is more complex than I like, but mostly because
upstream does not let us give a list of ciphers we want to avoid,
just a list we want to use.
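The approach described above, as an added illustration that is not the change itself: the candidate list is derived from what the installed OpenSSH reports via `ssh -Q cipher`, a deny list is subtracted from it, nothing is written when upstream has already dropped the denied ciphers, and an empty result is refused. The deny list is an assumed placeholder, since the text does not name the ciphers.

```sh
#!/bin/sh
# Added example (not the original modification): derive sshd's Ciphers line
# from the ciphers this OpenSSH build actually supports, minus a deny list,
# so the list never names a cipher upstream has since removed.
# Assumed placeholder deny list; the text does not say which ciphers.
DENY_CIPHERS="3des-cbc aes128-cbc aes192-cbc aes256-cbc"

# filter_ciphers "AVAILABLE" "DENY": print the available ciphers that are not
# denied, comma-separated, in upstream order (the form sshd_config expects).
filter_ciphers() {
  out=""
  for c in $1; do
    drop=0
    for d in $2; do
      [ "$c" = "$d" ] && drop=1
    done
    [ "$drop" -eq 0 ] && out="${out:+$out,}$c"
  done
  printf '%s\n' "$out"
}

# overlap_count "AVAILABLE" "DENY": how many denied ciphers upstream still
# ships. 0 means the upstream default is already clean and no override is
# needed (the self-cleaning behaviour).
overlap_count() {
  n=0
  for c in $1; do
    for d in $2; do
      [ "$c" = "$d" ] && n=$((n + 1))
    done
  done
  echo "$n"
}

# Print the Ciphers directive for this host, or nothing if upstream is clean.
# Refuses to emit an empty list, which would lock every client out.
generate_ciphers_directive() {
  available=$(ssh -Q cipher | tr '\n' ' ')
  if [ "$(overlap_count "$available" "$DENY_CIPHERS")" -eq 0 ]; then
    return 0   # upstream defaults are fine: leave Ciphers unset
  fi
  list=$(filter_ciphers "$available" "$DENY_CIPHERS")
  if [ -z "$list" ]; then
    echo "refusing to write an empty Ciphers list" >&2
    return 1
  fi
  echo "Ciphers $list"
}

if command -v ssh >/dev/null 2>&1; then
  generate_ciphers_directive
fi
```

In a deployment the printed directive would go through `sshd -t` against a temporary config before the real file is replaced.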