Add options to set the server's key exchange and host key algorithms
- KexAlgorithms
- HostKeyAlgorithms
Related: PROD-35275
Change-Id: I82b18ff7cc7583dd1ecf5cc90842369617bcd27a
diff --git a/README.rst b/README.rst
index d7fb88a..3a701d4 100644
--- a/README.rst
+++ b/README.rst
@@ -236,7 +236,29 @@
publickey:
enabled: true
+* The OpenSSH server configuration with the Key Exchange algorithms list:
+ .. code-block:: yaml
+
+ openssh:
+ server:
+ kexalgorithms:
+ curve25519-sha256:
+ enabled: true
+ ecdh-sha2-nistp384:
+ enabled: true
+
+The OpenSSH server configuration with the Host Key algorithms list:
+
+ .. code-block:: yaml
+
+ openssh:
+ server:
+ hostkeyalgorithms:
+ rsa-sha2-256:
+ enabled: true
+ ecdsa-sha2-nistp256:
+ enabled: true
* OpenSSH server configuration supports AllowUsers, DenyUsers, AllowGroup,
DenyGroups via allow_users, deny_users, allow_groups, deny_groups keys respectively.
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index b388384..1a714cf 100755
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -235,6 +235,22 @@
{%- endif %}
+{%- if server.kexalgorithms is defined %}
+{%- set kexalgorithms_list = [] %}
+{%- for k, v in server.kexalgorithms.items() %}
+{%- set _ = kexalgorithms_list.append(k) if v.get('enabled', False) %}
+{%- endfor %}
+KexAlgorithms {{ kexalgorithms_list|join(',') }}
+{%- endif %}
+
+{%- if server.hostkeyalgorithms is defined %}
+{%- set hostkeyalgorithms_list = [] %}
+{%- for k, v in server.hostkeyalgorithms.items() %}
+{%- set _ = hostkeyalgorithms_list.append(k) if v.get('enabled', False) %}
+{%- endfor %}
+HostKeyAlgorithms {{ hostkeyalgorithms_list|join(',') }}
+{%- endif %}
+
{%- if server.ciphers is defined %}
{%- set ciphers_list = [] %}
{%- for k, v in server.ciphers.items() %}