diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index b67b55944..8c19ecb76 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -56,3 +56,17 @@ fail: msg: "Inspec failed to validate" when: test_results.rc != 0 + + # test if variable can be overridden + - name: workaround for https://github.com/ansible/ansible/issues/66304 + set_fact: + ansible_virtualization_type: "docker" + os_env_umask: "027 #override" + + - include_role: + name: os_hardening + + - name: verify os_env_umask + shell: + cmd: "grep '027 #override' /etc/login.defs" + changed_when: false diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml index 27576b245..f78cbf4a9 100644 --- a/molecule/ssh_hardening/molecule.yml +++ b/molecule/ssh_hardening/molecule.yml @@ -63,4 +63,3 @@ scenario: - idempotence - verify - destroy - diff --git a/roles/mysql_hardening/tasks/main.yml b/roles/mysql_hardening/tasks/main.yml index 99587de4c..deee84ca6 100644 --- a/roles/mysql_hardening/tasks/main.yml +++ b/roles/mysql_hardening/tasks/main.yml 
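Review bot: The new `verify os_env_umask` task runs a single `grep` through the `shell` module, which is the pattern ansible-lint flags as command-instead-of-shell; `command:` with the same `cmd: "grep '027 #override' /etc/login.defs"` performs the identical check without spawning a shell. The preceding `set_fact` deserves a comment too, because it is the only place that explains why the override works: I would add `# set_fact outranks the role's vars files, so this exercises the "only if not already defined" path and the "#override" suffix marks the line in login.defs` above it. Note that both facts persist for every later task in the verify play, including the re-run of the role via `include_role`.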
@@ -1,13 +1,26 @@ --- -- name: set OS dependent variables - include_vars: '{{ item }}' +- name: Fetch OS dependent variables + include_vars: + file: '{{ item }}' + name: 'os_vars' with_first_found: - - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.distribution }}.yml' - - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.os_family }}.yml' + - files: + - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}.yml' + - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}.yml' + skip: true tags: always +# we only override variables with our default if they have not been specified already. +# by default the lookup functions finds all varnames containing the string, therefore +# we add ^ and $ to denote start and end of string, so this returns only exact maches. +- name: Set OS dependent variables, if not already defined by user + set_fact: + '{{ item.key }}': '{{ item.value }}' + when: "not lookup('varnames', '^' + item.key + '$')" + with_dict: '{{ os_vars }}' + - include: configure.yml when: mysql_hardening_enabled | bool tags: diff --git a/roles/mysql_hardening/tasks/mysql_secure_installation.yml b/roles/mysql_hardening/tasks/mysql_secure_installation.yml index 6361d4781..f63e0af50 100644 --- a/roles/mysql_hardening/tasks/mysql_secure_installation.yml +++ b/roles/mysql_hardening/tasks/mysql_secure_installation.yml @@ -43,4 +43,4 @@ query: - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1') login_unix_socket: "{{ login_unix_socket | default(omit) }}" - when: mysql_remove_remote_root \ No newline at end of file + when: mysql_remove_remote_root diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml index 6cb3a3613..28617b57d 100644 
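Review bot: The new `Set OS dependent variables, if not already defined by user` task has no `tags: always`, while the `Fetch OS dependent variables` task it depends on keeps it; a run with `--tags <something>` (a constructed example) therefore loads `os_vars` but never applies it, and every later task sees the OS-specific variables undefined. Add `tags: always` to the `set_fact` task; the same omission is in roles/os_hardening/tasks/hardening.yml and roles/ssh_hardening/tasks/hardening.yml in this commit. Because `skip: true` was added to `with_first_found`, a host with no matching vars file no longer fails at `include_vars` but at `with_dict: '{{ os_vars }}'` with an undefined-variable error; either drop `skip: true` or write `with_dict: '{{ os_vars | default({}) }}'` if a missing file is meant to be acceptable. The comment also reads `exact maches` and `the lookup functions finds`; `exact matches` and `the lookup function finds`.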
--- a/roles/os_hardening/defaults/main.yml +++ b/roles/os_hardening/defaults/main.yml @@ -271,9 +271,6 @@ os_filesystem_whitelist: [] # the Ansible role dependency mechanism. os_hardening_enabled: true -# Set the umask you want to apply, or leave empty to use the defaults. -os_env_umask: '' - # Set to false to disable installing and configuring auditd. os_auditd_enabled: true os_auditd_max_log_file_action: keep_logs diff --git a/roles/os_hardening/tasks/hardening.yml b/roles/os_hardening/tasks/hardening.yml index 281b587ab..3fb495add 100644 --- a/roles/os_hardening/tasks/hardening.yml +++ b/roles/os_hardening/tasks/hardening.yml @@ -1,18 +1,26 @@ --- -- name: Set OS family dependent variables - include_vars: '{{ ansible_facts.os_family }}.yml' - tags: always - -- name: Set OS dependent variables - include_vars: '{{ item }}' +- name: Fetch OS dependent variables + include_vars: + file: '{{ item }}' + name: 'os_vars' with_first_found: - files: - - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' - '{{ ansible_facts.distribution }}.yml' - - '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}.yml' skip: true tags: always +# we only override variables with our default, if they have not been specified already +# by default the lookup functions finds all varnames containing the string, therefore +# we add ^ and $ to denote start and end of string, so this returns only exact maches +- name: Set OS dependent variables, if not already defined by user + set_fact: + '{{ item.key }}': '{{ item.value }}' + when: "not lookup('varnames', '^' + item.key + '$')" + with_dict: '{{ os_vars }}' + - import_tasks: auditd.yml tags: auditd when: os_auditd_enabled | bool 
diff --git a/roles/os_hardening/templates/etc/login.defs.j2 b/roles/os_hardening/templates/etc/login.defs.j2 index a6d5e2163..cc4c275e1 100644 --- a/roles/os_hardening/templates/etc/login.defs.j2 +++ b/roles/os_hardening/templates/etc/login.defs.j2 @@ -92,7 +92,7 @@ KILLCHAR 025 # Prefix these values with `0` to get octal, `0x` to get hexadecimal. # `022` is the "historical" value in Debian for UMASK # `027`, or even `077`, could be considered better for privacy. -UMASK {{ os_env_umask | default(os_env_umask_default, true) }} +UMASK {{ os_env_umask }} # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name. # If set to yes, userdel will remove the userĀ“s group if it contains no more members, and useradd will create by default a group with the name of the user. diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml index f7900a34d..8629cc0bc 100644 --- a/roles/os_hardening/vars/Amazon.yml +++ b/roles/os_hardening/vars/Amazon.yml 
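Review bot: `UMASK {{ os_env_umask }}` drops the `default(..., true)` guard, so an explicitly empty `os_env_umask: ''` (the documented way to "use the defaults" until this commit removed that default) now renders a bare `UMASK ` line in login.defs, and an undefined variable fails the template with a generic error rather than naming the setting. I would make the requirement explicit in the template, `UMASK {{ os_env_umask | mandatory }}`, or assert in the tasks that `os_env_umask` is defined and non-empty before the template is rendered, so a weakened umask cannot slip in silently. How shadow's login.defs parser treats an empty UMASK value is not something this hunk shows, so I would not rely on it.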
@@ -1,4 +1,39 @@ --- + +os_packages_pam_ccreds: 'pam_ccreds' +os_packages_pam_passwdqc: 'pam_passwdqc' +os_packages_pam_cracklib: 'pam_cracklib' +os_nologin_shell_path: '/sbin/nologin' + +# Different distros use different standards for /etc/shadow perms, e.g. +# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640. +# You must provide key/value pairs for owner, group, and mode if overriding. +os_shadow_perms: + owner: root + group: root + mode: '0000' + +os_passwd_perms: + owner: root + group: root + mode: '0644' + +os_env_umask: '077' + +os_auth_uid_min: 1000 +os_auth_gid_min: 1000 +os_auth_sys_uid_min: 201 +os_auth_sys_uid_max: 999 +os_auth_sys_gid_min: 201 +os_auth_sys_gid_max: 999 + +# defaults for useradd +os_useradd_mail_dir: /var/spool/mail +os_useradd_create_home: true + +modprobe_package: 'module-init-tools' +auditd_package: 'audit' + # system accounts that do not get their login disabled and pasword changed os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user'] diff --git a/roles/os_hardening/vars/Archlinux.yml b/roles/os_hardening/vars/Archlinux.yml index 1bf8c2a7d..99f05d1b2 100644 --- a/roles/os_hardening/vars/Archlinux.yml +++ b/roles/os_hardening/vars/Archlinux.yml @@ -12,7 +12,7 @@ os_passwd_perms: group: root mode: '0644' -os_env_umask_default: '027' +os_env_umask: '027' os_auth_uid_min: 1000 os_auth_gid_min: 1000 diff --git a/roles/os_hardening/vars/Debian.yml b/roles/os_hardening/vars/Debian.yml index cc3d5a9ac..7d4e2a06f 100644 --- a/roles/os_hardening/vars/Debian.yml +++ b/roles/os_hardening/vars/Debian.yml @@ -18,7 +18,7 @@ os_passwd_perms: group: root mode: '0644' -os_env_umask_default: '027' +os_env_umask: '027' os_auth_uid_min: 1000 os_auth_gid_min: 1000 diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml index de446ae73..c8cd1d09d 100644 --- a/roles/os_hardening/vars/Fedora.yml +++ b/roles/os_hardening/vars/Fedora.yml 
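Review bot: Amazon.yml now carries a verbatim copy of the RedHat family variable set, presumably because `with_first_found` in tasks/hardening.yml loads only the first match and the distribution file wins over the family file; nothing in the file says so, and the two copies will drift over time. I would add a header comment: `# Only one vars file is loaded (with_first_found), and Amazon matches before the RedHat family file; every RedHat default must be repeated here, keep in sync with RedHat.yml`. The same applies to Fedora.yml, whose second hunk in this commit adds the `os_useradd_*` keys for that reason.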
@@ -18,7 +18,7 @@ os_passwd_perms: group: root mode: '0644' -os_env_umask_default: '027' +os_env_umask: '027' os_auth_uid_min: 1000 os_auth_gid_min: 1000 @@ -27,5 +27,9 @@ os_auth_sys_uid_max: 999 os_auth_sys_gid_min: 201 os_auth_sys_gid_max: 999 +# defaults for useradd +os_useradd_mail_dir: /var/spool/mail +os_useradd_create_home: true + modprobe_package: 'module-init-tools' auditd_package: 'audit' diff --git a/roles/os_hardening/vars/Oracle Linux.yml b/roles/os_hardening/vars/Oracle Linux.yml deleted file mode 100644 index 2678b1389..000000000 --- a/roles/os_hardening/vars/Oracle Linux.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- - -os_packages_pam_ccreds: 'pam_ccreds' -os_packages_pam_passwdqc: 'pam_passwdqc' -os_packages_pam_cracklib: 'pam_cracklib' -os_nologin_shell_path: '/sbin/nologin' - -# Different distros use different standards for /etc/shadow perms, e.g. -# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640. -# You must provide key/value pairs for owner, group, and mode if overriding. -os_shadow_perms: - owner: root - group: root - mode: '0000' - -os_passwd_perms: - owner: root - group: root - mode: '0644' - -os_env_umask_default: '077' - -os_auth_uid_min: 1000 -os_auth_gid_min: 1000 -os_auth_sys_uid_min: 201 -os_auth_sys_uid_max: 999 -os_auth_sys_gid_min: 201 -os_auth_sys_gid_max: 999 diff --git a/roles/os_hardening/vars/RedHat-6.yml b/roles/os_hardening/vars/RedHat-6.yml deleted file mode 100644 index eec7efdd2..000000000 --- a/roles/os_hardening/vars/RedHat-6.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -sysctl_rhel_config: - # ExecShield protection against buffer overflows - kernel.exec-shield: 1 - # Syncookies is used to prevent SYN-flooding attacks. - net.ipv4.tcp_syncookies: 1 diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml index 2a48c1b2b..dc20124d5 100644 --- a/roles/os_hardening/vars/RedHat.yml +++ b/roles/os_hardening/vars/RedHat.yml 
@@ -18,7 +18,7 @@ os_passwd_perms: group: root mode: '0644' -os_env_umask_default: '077' +os_env_umask: '077' os_auth_uid_min: 1000 os_auth_gid_min: 1000 diff --git a/roles/os_hardening/vars/Suse.yml b/roles/os_hardening/vars/Suse.yml index 8f46c9827..152af1fe2 100644 --- a/roles/os_hardening/vars/Suse.yml +++ b/roles/os_hardening/vars/Suse.yml @@ -18,7 +18,7 @@ os_passwd_perms: group: root mode: '0644' -os_env_umask_default: '027' +os_env_umask: '027' os_auth_uid_min: 1000 os_auth_gid_min: 1000 diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml index 23e6e704f..346984e4f 100644 --- a/roles/ssh_hardening/defaults/main.yml +++ b/roles/ssh_hardening/defaults/main.yml @@ -75,9 +75,6 @@ ssh_allow_agent_forwarding: false # sshd # false to disable X11 Forwarding. Set to true to allow X11 Forwarding. ssh_x11_forwarding: false # sshd -# true if SSH has PAM support -ssh_pam_support: true - # false to disable pam authentication. ssh_use_pam: true # sshd @@ -87,9 +84,6 @@ sshd_authenticationmethods: 'publickey' # true if SSH support GSSAPI ssh_gssapi_support: false -# true if SSH support Kerberos -ssh_kerberos_support: true - # if specified, login is disallowed for user names that match one of the patterns. ssh_deny_users: '' # sshd 
@@ -188,62 +182,9 @@ ssh_macs: [] ssh_ciphers: [] ssh_kex: [] -ssh_macs_53_default: - - hmac-ripemd160 - - hmac-sha1 - -ssh_macs_53_el_6_5_default: - - hmac-sha2-512 - - hmac-sha2-256 - -ssh_macs_59_default: - - hmac-sha2-512 - - hmac-sha2-256 - - hmac-ripemd160 - -ssh_macs_66_default: - - hmac-sha2-512-etm@openssh.com - - hmac-sha2-256-etm@openssh.com - - umac-128-etm@openssh.com - - hmac-sha2-512 - - hmac-sha2-256 - -ssh_macs_76_default: - - hmac-sha2-512-etm@openssh.com - - hmac-sha2-256-etm@openssh.com - - umac-128-etm@openssh.com - - hmac-sha2-512 - - hmac-sha2-256 - -ssh_ciphers_53_default: - - aes256-ctr - - aes192-ctr - - aes128-ctr - -ssh_ciphers_66_default: - - chacha20-poly1305@openssh.com - - aes256-gcm@openssh.com - - aes128-gcm@openssh.com - - aes256-ctr - - aes192-ctr - - aes128-ctr - -ssh_kex_59_default: - - diffie-hellman-group-exchange-sha256 - -ssh_kex_66_default: - - curve25519-sha256@libssh.org - - diffie-hellman-group-exchange-sha256 - -ssh_kex_80_default: - - sntrup4591761x25519-sha512@tinyssh.org - - curve25519-sha256@libssh.org - - diffie-hellman-group-exchange-sha256 - # directory where to store ssh_password policy ssh_custom_selinux_dir: '/etc/selinux/local-policies' -sshd_moduli_file: '/etc/ssh/moduli' sshd_moduli_minimum: 2048 # disable ChallengeResponseAuthentication @@ -267,7 +208,3 @@ sshd_syslog_facility: 'AUTH' sshd_log_level: 'VERBOSE' sshd_strict_modes: true - -# disable CRYPTO_POLICY to take settings from sshd configuration -# see: https://access.redhat.com/solutions/4410591 -sshd_disable_crypto_policy: true diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml index 6fd40dcb9..2bfe160d5 100644 --- a/roles/ssh_hardening/tasks/hardening.yml +++ b/roles/ssh_hardening/tasks/hardening.yml 
@@ -1,11 +1,25 @@ --- -- name: set OS dependent variables - include_vars: '{{ item }}' +- name: Fetch OS dependent variables + include_vars: + file: '{{ item }}' + name: 'os_vars' with_first_found: - - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.distribution }}.yml' - - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.os_family }}.yml' + - files: + - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}.yml' + - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}.yml' + skip: true + tags: always + +# we only override variables with our default, if they have not been specified already +# by default the lookup functions finds all varnames containing the string, therefore +# we add ^ and $ to denote start and end of string, so this returns only exact maches +- name: Set OS dependent variables, if not already defined by user + set_fact: + '{{ item.key }}': '{{ item.value }}' + when: "not lookup('varnames', '^' + item.key + '$')" + with_dict: '{{ os_vars }}' - name: get openssh-version command: ssh -V diff --git a/roles/ssh_hardening/vars/Archlinux.yml b/roles/ssh_hardening/vars/Archlinux.yml index 6f6f99f75..3feb288ec 100644 --- a/roles/ssh_hardening/vars/Archlinux.yml +++ b/roles/ssh_hardening/vars/Archlinux.yml @@ -5,6 +5,14 @@ sshd_service_name: sshd ssh_owner: root ssh_group: root +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: '/etc/ssh/moduli' + # CRYPTO_POLICY is not supported on Archlinux # and the package check only works in Ansible >2.10 sshd_disable_crypto_policy: false diff --git a/roles/ssh_hardening/vars/Debian.yml b/roles/ssh_hardening/vars/Debian.yml index 062c2049e..1aae36c3a 100644 
--- a/roles/ssh_hardening/vars/Debian.yml +++ b/roles/ssh_hardening/vars/Debian.yml @@ -7,3 +7,13 @@ ssh_group: root ssh_selinux_packages: - policycoreutils-python - checkpolicy + +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: '/etc/ssh/moduli' + +sshd_disable_crypto_policy: false diff --git a/roles/ssh_hardening/vars/Fedora.yml b/roles/ssh_hardening/vars/Fedora.yml index 76558666c..31f84e619 100644 --- a/roles/ssh_hardening/vars/Fedora.yml +++ b/roles/ssh_hardening/vars/Fedora.yml @@ -7,3 +7,15 @@ ssh_group: root ssh_selinux_packages: - python3-policycoreutils - checkpolicy + +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: '/etc/ssh/moduli' + +# disable CRYPTO_POLICY to take settings from sshd configuration +# see: https://access.redhat.com/solutions/4410591 +sshd_disable_crypto_policy: true diff --git a/roles/ssh_hardening/vars/FreeBSD.yml b/roles/ssh_hardening/vars/FreeBSD.yml index 4a69f2415..af56b0d38 100644 --- a/roles/ssh_hardening/vars/FreeBSD.yml +++ b/roles/ssh_hardening/vars/FreeBSD.yml @@ -4,3 +4,13 @@ ssh_host_keys_dir: '/etc/ssh' sshd_service_name: sshd ssh_owner: root ssh_group: wheel + +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: '/etc/ssh/moduli' + +sshd_disable_crypto_policy: false diff --git a/roles/ssh_hardening/vars/OpenBSD.yml b/roles/ssh_hardening/vars/OpenBSD.yml index 546ce7742..e6ac1e2df 100644 --- a/roles/ssh_hardening/vars/OpenBSD.yml +++ b/roles/ssh_hardening/vars/OpenBSD.yml @@ -5,7 +5,12 @@ sshd_service_name: sshd ssh_owner: root ssh_group: wheel -ssh_gssapi_support: false +# true if SSH support Kerberos ssh_kerberos_support: false + +# true if SSH has PAM support ssh_pam_support: false + sshd_moduli_file: '/etc/moduli' + +sshd_disable_crypto_policy: false 
diff --git a/roles/ssh_hardening/vars/Oracle Linux.yml b/roles/ssh_hardening/vars/Oracle Linux.yml deleted file mode 100644 index 36f0ee0d1..000000000 --- a/roles/ssh_hardening/vars/Oracle Linux.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -sshd_path: /usr/sbin/sshd -ssh_host_keys_dir: '/etc/ssh' -sshd_service_name: sshd -ssh_owner: root -ssh_group: root -ssh_selinux_packages: - - policycoreutils-python - - checkpolicy diff --git a/roles/ssh_hardening/vars/RedHat.yml b/roles/ssh_hardening/vars/RedHat.yml index 36f0ee0d1..35a1fba41 100644 --- a/roles/ssh_hardening/vars/RedHat.yml +++ b/roles/ssh_hardening/vars/RedHat.yml @@ -7,3 +7,15 @@ ssh_group: root ssh_selinux_packages: - policycoreutils-python - checkpolicy + +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: '/etc/ssh/moduli' + +# disable CRYPTO_POLICY to take settings from sshd configuration +# see: https://access.redhat.com/solutions/4410591 +sshd_disable_crypto_policy: true diff --git a/roles/ssh_hardening/vars/RedHat_8.yml b/roles/ssh_hardening/vars/RedHat_8.yml index 76558666c..31f84e619 100644 --- a/roles/ssh_hardening/vars/RedHat_8.yml +++ b/roles/ssh_hardening/vars/RedHat_8.yml @@ -7,3 +7,15 @@ ssh_group: root ssh_selinux_packages: - python3-policycoreutils - checkpolicy + +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: '/etc/ssh/moduli' + +# disable CRYPTO_POLICY to take settings from sshd configuration +# see: https://access.redhat.com/solutions/4410591 +sshd_disable_crypto_policy: true diff --git a/roles/ssh_hardening/vars/SmartOS.yml b/roles/ssh_hardening/vars/SmartOS.yml index ef38877a0..63cdd62c6 100644 --- a/roles/ssh_hardening/vars/SmartOS.yml +++ b/roles/ssh_hardening/vars/SmartOS.yml 
@@ -5,4 +5,12 @@ sshd_service_name: ssh ssh_owner: root ssh_group: root +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support ssh_pam_support: false + +sshd_moduli_file: '/etc/ssh/moduli' + +sshd_disable_crypto_policy: false diff --git a/roles/ssh_hardening/vars/Suse.yml b/roles/ssh_hardening/vars/Suse.yml index 66aad6725..06ba6615c 100644 --- a/roles/ssh_hardening/vars/Suse.yml +++ b/roles/ssh_hardening/vars/Suse.yml @@ -5,4 +5,12 @@ sshd_service_name: sshd ssh_owner: root ssh_group: root +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: '/etc/ssh/moduli' + sshd_disable_crypto_policy: false diff --git a/roles/ssh_hardening/vars/main.yml b/roles/ssh_hardening/vars/main.yml new file mode 100644 index 000000000..99b7004c6 --- /dev/null +++ b/roles/ssh_hardening/vars/main.yml @@ -0,0 +1,52 @@ +--- +ssh_macs_53_default: + - hmac-ripemd160 + - hmac-sha1 + +ssh_macs_53_el_6_5_default: + - hmac-sha2-512 + - hmac-sha2-256 + +ssh_macs_59_default: + - hmac-sha2-512 + - hmac-sha2-256 + - hmac-ripemd160 + +ssh_macs_66_default: + - hmac-sha2-512-etm@openssh.com + - hmac-sha2-256-etm@openssh.com + - umac-128-etm@openssh.com + - hmac-sha2-512 + - hmac-sha2-256 + +ssh_macs_76_default: + - hmac-sha2-512-etm@openssh.com + - hmac-sha2-256-etm@openssh.com + - umac-128-etm@openssh.com + - hmac-sha2-512 + - hmac-sha2-256 + +ssh_ciphers_53_default: + - aes256-ctr + - aes192-ctr + - aes128-ctr + +ssh_ciphers_66_default: + - chacha20-poly1305@openssh.com + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr + +ssh_kex_59_default: + - diffie-hellman-group-exchange-sha256 + +ssh_kex_66_default: + - curve25519-sha256@libssh.org + - diffie-hellman-group-exchange-sha256 + +ssh_kex_80_default: + - sntrup4591761x25519-sha512@tinyssh.org + - curve25519-sha256@libssh.org + - diffie-hellman-group-exchange-sha256
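Review bot: Moving the `ssh_macs_*_default`, `ssh_ciphers_*_default` and `ssh_kex_*_default` lists from defaults/main.yml into vars/main.yml raises them from the lowest precedence to role-vars precedence, so any inventory or play-level override of these names is now silently ignored; if that is intended, because users should override `ssh_macs`/`ssh_ciphers`/`ssh_kex` instead, the file should say so. I would add a header comment after `---`: `# Version-dependent fallbacks selected by the role; role vars outrank inventory, so do not override these, set ssh_macs, ssh_ciphers or ssh_kex instead`. This file is auto-loaded as role vars, not through the new `os_vars`/`set_fact` path, which is why the "only if not already defined" protection does not apply here.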