From f0b843ce3adf2a64f23c865a41265f434ff2d4ce Mon Sep 17 00:00:00 2001
From: Dominik Richter
Date: Tue, 13 Jan 2015 11:23:20 +0100
Subject: [PATCH] reprioritize etm macs
See:
* https://github.com/TelekomLabs/chef-ssh-hardening/issues/66
* https://stribika.github.io/2015/01/04/secure-secure-shell.html
Signed-off-by: Dominik Richter
---
 lib/puppet/parser/functions/get_ssh_macs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/puppet/parser/functions/get_ssh_macs.rb b/lib/puppet/parser/functions/get_ssh_macs.rb
index 690c96d..b856516 100644
--- a/lib/puppet/parser/functions/get_ssh_macs.rb
+++ b/lib/puppet/parser/functions/get_ssh_macs.rb
@@ -29,7 +29,7 @@
 macs_59['weak'] = macs_59['default'] + ',hmac-sha1'
 macs_66 = {}
- macs_66.default = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160'
+ macs_66.default = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
 macs_66['weak'] = macs_66['default'] + ',hmac-sha1'
 # creat the default version map (if os + version are default)
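Review bot: The new order in `macs_66.default` only expresses a preference, and nothing at the assignment records why the `-etm@openssh.com` entries must stay ahead of the plain ones, so a later edit can silently undo it. In SSH key exchange the MAC chosen is the first entry on the client's list that the server also offers (RFC 4253, section 7.1), so if this string is also rendered into sshd_config the reorder has no effect on that side, and `hmac-sha2-512`, `hmac-sha2-256` and `hmac-ripemd160` remain negotiable for any client that prefers them. I would add a comment above the assignment, for example `# ETM MACs first; non-ETM entries are fallback only for peers without ETM support (list order takes effect on the client side)`. If the server is meant to require ETM, that needs the non-ETM names dropped from its list rather than moved. The enclosing function starts and ends outside the hunk, so how the value is consumed is not visible here.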