For security and compliance purposes, the following SSH ciphers are disabled in MCP:
arcfour
arcfour128
arcfour256
The default ciphers can be changed in the classes/cluster/<cluster_name>/openssh/server/single.yml file of your Reclass model to satisfy the cluster needs. Mirantis highly recommends adjusting the cipher suites according to compliance requirements as well as applying and testing the changes on staging environments first.
The structure with enabled ciphers from openssh/server/single.yml is converted to a comma-separated string in /etc/ssh/sshd_config.
For a list of all supported ciphers, inspect the sshd_config(5) man page (man sshd_config) on any node of your MCP cluster.
Warning
The following instruction can potentially lead to security or compliance issues on your cluster. Therefore, proceed at your own risk.
To configure SSH ciphers:
1. Log in to the Salt Master node.
2. In the classes/cluster/<cluster_name>/openssh/server/single.yml file of your Reclass model, add the supported SSH ciphers under the ciphers parameter as follows:
   parameters:
     openssh:
       server:
         ciphers:
           "<cipher_name>":
             enabled: True
   The following SSH ciphers are enabled by default in MCP:
   parameters:
     openssh:
       server:
         ciphers:
           "3des-cbc":
             enabled: True
           "aes128-cbc":
             enabled: True
           "aes192-cbc":
             enabled: True
           "aes256-cbc":
             enabled: True
           "aes128-ctr":
             enabled: True
           "aes192-ctr":
             enabled: True
           "aes256-ctr":
             enabled: True
           "aes128-gcm@openssh.com":
             enabled: True
           "aes256-gcm@openssh.com":
             enabled: True
           "chacha20-poly1305@openssh.com":
             enabled: True
           "rijndael-cbc@lysator.liu.se":
             enabled: True
3. Apply the changes:
   salt -C 'I@salt:control' state.sls openssh.server.service linux.system
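The following Python example is added here to illustrate both the conversion described above (the enabled-cipher structure becoming one comma-separated Ciphers line in sshd_config) and a check an operator can run before and after applying the procedure. It is not MCP or salt-formula-openssh code: the pillar fragment is constructed inline, the rendered order is assumed to follow the order of the keys in the pillar, and the disabled list is the one this page gives (arcfour, arcfour128, arcfour256).

```python
"""Render the sshd_config Ciphers directive from the Reclass openssh:server:ciphers
structure, flag any re-enabled cipher from the page's disabled list, and parse the
directive back out of rendered sshd_config text.

Added example, not code from the MCP documentation or the OpenSSH Salt formula.
Key order in the rendered line follows pillar order (an assumption about the formula).
"""

# Ciphers the page states are disabled in MCP for security and compliance reasons.
DISABLED_CIPHERS = frozenset({"arcfour", "arcfour128", "arcfour256"})

# Constructed sample pillar mirroring the documented layout
# (parameters -> openssh -> server -> ciphers -> <name> -> enabled).
SAMPLE_PILLAR = {
    "openssh": {
        "server": {
            "ciphers": {
                "aes256-gcm@openssh.com": {"enabled": True},
                "chacha20-poly1305@openssh.com": {"enabled": True},
                "aes128-ctr": {"enabled": True},
                "3des-cbc": {"enabled": False},  # switched off by the operator
            }
        }
    }
}


def enabled_ciphers(pillar):
    """Return the names whose 'enabled' flag is boolean True, in pillar order."""
    ciphers = pillar.get("openssh", {}).get("server", {}).get("ciphers", {})
    return [name for name, opts in ciphers.items()
            if isinstance(opts, dict) and opts.get("enabled") is True]


def ciphers_line(pillar):
    """Render the directive as it lands in /etc/ssh/sshd_config."""
    names = enabled_ciphers(pillar)
    if not names:
        # An empty list would silently leave sshd on its built-in defaults.
        raise ValueError("no ciphers enabled in pillar")
    return "Ciphers " + ",".join(names)


def find_disabled(pillar, disabled=DISABLED_CIPHERS):
    """Return enabled ciphers that must stay disabled (an empty list is the good case)."""
    return sorted(set(enabled_ciphers(pillar)) & set(disabled))


def parse_ciphers_directive(sshd_config_text):
    """Extract the Ciphers list from rendered sshd_config text.

    sshd uses the first value of a keyword, so the first directive is returned;
    comment lines never match because they start with '#'.
    """
    for line in sshd_config_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("ciphers "):
            return stripped.split(None, 1)[1].split(",")
    return []


if __name__ == "__main__":
    print(ciphers_line(SAMPLE_PILLAR))
    print("re-enabled disabled ciphers:", find_disabled(SAMPLE_PILLAR))
```

After the state has been applied, the effective server value can be confirmed on a node with sshd -T (extended test mode prints the configuration sshd actually uses) and compared with what parse_ciphers_directive returns for the written file.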