OSAS / ansible-role-openssh

OBSOLETE, moved here: https://gitlab.com/osci/ansible-role-openssh
MIT License

Filter by default the ciphers deemed insecure #15

Closed mscherer closed 5 years ago

mscherer commented 5 years ago

While upstream thinks they are ok and being kept for compatibility, some organisations disagree and give poor ratings impacting my employer. Since that's automated, that's an easy way to scam customers.

Since openssh is critical, and even more so with ansible, this modification tries to be as conservative as possible and tries to avoid any critical outage by making sure changes are future-proofed, without requiring ongoing maintenance.

For example, there is no hardcoding of the list of ciphers, in case some are removed in the future and are still in the list, since openssh fails to start if a cipher is requested but was removed. This is to prevent cipher list rot, which is a problem that could happen if we have to do any manual maintenance.

The system also cleans itself for future-proofing as well (if upstream drops the problematic ciphers, then we do switch to using the upstream list without modification).

And we check we do not do something stupid before even writing the configuration.

The resulting code is more complex than I like, but mostly because upstream does not let us give a list of ciphers we want to avoid, just a list we want to use.
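
The filtering approach described in the comment above, as an added example in Python that is not the role's own code. It assumes the supported ciphers arrive one per line (as `ssh -Q cipher` prints them); the deny patterns, the sample list and the function name are assumptions, since the page does not name the ciphers it filters.

```python
import fnmatch

# Constructed sample: one cipher per line, in the shape `ssh -Q cipher` prints.
SAMPLE_SUPPORTED = """\
3des-cbc
aes128-cbc
aes256-cbc
aes128-ctr
aes256-ctr
aes128-gcm@openssh.com
chacha20-poly1305@openssh.com
"""

# Assumption: patterns for the ciphers a scanner rates poorly.
# Patterns, not a fixed allow list, so nothing rots when upstream removes one.
DENY_PATTERNS = ("*-cbc", "arcfour*")


def ciphers_directive(supported_output, deny_patterns=DENY_PATTERNS):
    """Return a 'Ciphers ...' line for sshd_config, or None to keep the
    upstream default untouched. Raises ValueError instead of producing a
    configuration that would stop sshd from starting."""
    supported = [c.strip() for c in supported_output.splitlines() if c.strip()]
    if not supported:
        raise ValueError("no ciphers reported; refusing to write configuration")

    # Only names the installed binary reports are ever emitted, so a cipher
    # removed upstream can never appear in the generated line.
    kept = [c for c in supported
            if not any(fnmatch.fnmatchcase(c, p) for p in deny_patterns)]

    if len(kept) == len(supported):
        # Nothing matched: upstream already dropped the problematic ciphers,
        # so emit no override and fall back to the upstream list.
        return None
    if not kept:
        # Sanity check before writing: an empty list would lock everyone out.
        raise ValueError("filter would remove every cipher; refusing to write")
    return "Ciphers " + ",".join(kept)


if __name__ == "__main__":
    print(ciphers_directive(SAMPLE_SUPPORTED))
```
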

mscherer commented 5 years ago

Merging, after review by myself, duck and pilou (and extensive test).