From 286cecef56e409003dc0db27fd5455a453b2bcc4 Mon Sep 17 00:00:00 2001
From: Dominik Richter
Date: Tue, 13 Jan 2015 11:22:11 +0100
Subject: [PATCH] reprioritize etm macs
See:
* https://github.com/TelekomLabs/chef-ssh-hardening/issues/66
* https://stribika.github.io/2015/01/04/secure-secure-shell.html
Signed-off-by: Dominik Richter
---
 libraries/get_ssh_macs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/get_ssh_macs.rb b/libraries/get_ssh_macs.rb
index 64b11ff..ce3d769 100644
--- a/libraries/get_ssh_macs.rb
+++ b/libraries/get_ssh_macs.rb
@@ -34,7 +34,7 @@ def self.get_macs(node, weak_hmac)
 macs_59['weak'] = macs_59['default'] + ',hmac-sha1'
 macs_66 = {}
- macs_66.default = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160'
+ macs_66.default = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
 macs_66['weak'] = macs_66['default'] + ',hmac-sha1'
 # determine the mac for the operating system
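Review bot: The new `macs_66.default` string carries a deliberate ordering (every `-etm@openssh.com` MAC ahead of the non-EtM ones) that is explained only in the commit message, so a later edit to the literal can undo it unnoticed; a comment above the assignment such as `# EtM MACs first; non-EtM hmac-sha2/ripemd160 kept only as fallback for peers without EtM support` would keep the intent next to the value. In SSH algorithm negotiation the client's list order decides which MAC is chosen, so wherever this string is rendered into a server config the reorder does not change what gets negotiated, and only dropping the non-EtM entries would enforce EtM there. Whether `get_macs` feeds the server template, the client template or both is not visible here, since the method starts and ends outside the hunk. It would also help to note beside `macs_66['weak']` that `macs_66['default']` resolves through the hash's default value rather than a stored key, which means any unknown key returns the hardened list.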