From 5c39f1abd8f92fabb893601617702e956d18f07a Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 10 Aug 2023 22:10:04 +0200
Subject: [PATCH] roles/common: minor changes to Debian sshd_config files
---
 roles/common/templates/sshd_config_Debian-11.j2 | 4 ++--
 roles/common/templates/sshd_config_Debian-12.j2 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/common/templates/sshd_config_Debian-11.j2 b/roles/common/templates/sshd_config_Debian-11.j2
index 156ce01..b36ba5d 100644
--- a/roles/common/templates/sshd_config_Debian-11.j2
+++ b/roles/common/templates/sshd_config_Debian-11.j2
@@ -126,7 +126,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
-
+
 # Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
 # with less than 256 bits removed, as NSA's Suite B removed them years ago and
 # the new (2018) CNSA suite is 256 bits and up.
@@ -135,7 +135,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256, curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?
diff --git a/roles/common/templates/sshd_config_Debian-12.j2 b/roles/common/templates/sshd_config_Debian-12.j2
index 946a302..a47ba03 100644
--- a/roles/common/templates/sshd_config_Debian-12.j2
+++ b/roles/common/templates/sshd_config_Debian-12.j2
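Review bot: The corrected KexAlgorithms line in the second hunk is the right fix: sshd_config values are split on whitespace, so the removed line most likely handed sshd `curve25519-sha256,` as the whole list and the remainder as stray arguments, meaning the KEX set Debian 11 hosts actually enforced was not the one intended. Nothing in the template catches a recurrence; the task that renders it should validate the output before it is installed, e.g. `validate: /usr/sbin/sshd -t -f %s` on the template task, so a malformed algorithm list fails the play instead of the next sshd restart. While in this file, the comment in the first hunk's context still reads `but with but with all algos`; dropping the duplicated words would suit a "minor changes" commit.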
@@ -134,7 +134,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
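Review bot: The reordered MACs line changes only the server's stated preference; in SSH the client's list order decides which MAC is negotiated (RFC 4253 §7.1 selects the first client entry the server also offers), so this swap aligns the Debian-12 template with Debian-11 rather than changing what clients end up using. That intent is worth recording above the line so the next reader does not "fix" it back: `# Listed strongest-first to match the Debian-11 template; the client's order decides the negotiated MAC (RFC 4253 §7.1).` Both entries are already ETM variants of 256 bits or more, consistent with the CNSA note in the surrounding context.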