puppet-ssh-hardening

Unable to use cbc_required in client config

Open FooBarTrixibell opened this issue 6 years ago • 0 comments

I have some switches that I need to SSH into from a single server. Even with the latest firmware they don't support secure SSH ciphers, so I wanted to allow weak ciphers/KEX.

To do this I added -

```puppet
class { 'ssh_hardening':
  client_options => {
    'cbc_required' => 'true',
    'weak_hmac'    => 'true',
    'weak_kex'     => 'true',
  },
}
```

This did not put the weak ciphers in, so I tried Hiera -

```yaml
ssh_hardening::client::weak_kex: 'true'
ssh_hardening::client::weak_hmac: 'true'
ssh_hardening::client::cbc_required: 'true'
```

This also did not work, so I tried forcing it from init.pp -

```puppet
class { 'ssh_hardening::client':
  ipv6_enabled => $ipv6_enabled,
  ports        => $ports,
  #cbc_required => $cbc_required,
  #weak_hmac    => $weak_hmac,
  #weak_kex     => $weak_kex,
  cbc_required => true,
  weak_hmac    => true,
  weak_kex     => true,
  options      => $client_options,
}
```

Which also didn't work, and I am not good enough at debugging Puppet, so I ended up editing get_ssh_kex.rb, get_ssh_macs.rb and get_ssh_ciphers.rb to force the ciphers.

i.e.

```ruby
ciphers_53.default = 'aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc'
```

However, this is not optimal, as now all my servers can SSH to insecure locations.

FooBarTrixibell avatar Mar 13 '18 00:03 FooBarTrixibell
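The last concern in the post, that patching the module's cipher functions weakens every outbound SSH connection rather than just the ones to the switches, is the real security point here. The example below is added by the editor and is not code from the issue or from the puppet-ssh-hardening project. It models the OpenSSH `ssh_config` rule that the first obtained value for a keyword wins, and uses that to contrast two constructed client configs: one where the legacy CBC/SHA-1/group1 algorithms are confined to a `Host switch-* 10.0.99.*` stanza placed ahead of a hardened `Host *`, and one where the legacy set is put in `Host *` itself, which is the effect the poster ended up with. The hostnames, IP range and algorithm lists are assumptions chosen for illustration; only `Host` blocks are modelled (no `Match`), and how the resulting file is delivered to the jump server is left to whatever manages it.

```python
"""Resolve the Ciphers/MACs/KexAlgorithms OpenSSH would pick for a host from ssh_config.

Added example: a minimal model of ssh_config's "first obtained value wins" rule,
used to check whether weak algorithms leak beyond the hosts that need them.
Assumptions: Host blocks only (no Match), hostnames/algorithm lists are made up.
"""
import fnmatch
from typing import Dict, List, Optional

# Constructed config: legacy algorithms scoped to the switches and placed
# BEFORE the global hardened block, so the first match wins for them only.
SWITCH_SCOPED_CONFIG = """\
# Legacy network gear that only speaks CBC / SHA-1 / group1 (assumed names)
Host switch-* 10.0.99.*
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# Hardened defaults for everything else
Host *
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256
    KexAlgorithms diffie-hellman-group-exchange-sha256
"""

# Constructed config reproducing the poster's outcome: the global block is
# weakened, so every destination is offered the legacy algorithms.
GLOBALLY_WEAKENED_CONFIG = """\
Host *
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
"""

ALGO_KEYS = ("ciphers", "macs", "kexalgorithms")

# Algorithms treated as weak for this check (assumed list, not the module's).
WEAK_ALGOS = {
    "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc",
    "hmac-sha1", "hmac-md5",
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
}


def _host_matches(patterns: List[str], host: str) -> bool:
    """OpenSSH Host semantics: some positive glob matches and no negated glob matches."""
    positive = [p for p in patterns if not p.startswith("!")]
    negative = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negative):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def effective_options(config_text: str, host: str) -> Dict[str, Optional[str]]:
    """Return the first obtained Ciphers/MACs/KexAlgorithms value for `host`.

    Later blocks, including a trailing `Host *`, cannot override a value that an
    earlier matching block already set; that is exactly why a weakened global
    block at the top of the file leaks to every destination.
    """
    result: Dict[str, Optional[str]] = {k: None for k in ALGO_KEYS}
    in_matching_block = True  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # ssh_config accepts "Key value" or "Key=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            in_matching_block = _host_matches(value.split(), host)
            continue
        if in_matching_block and key in ALGO_KEYS and result[key] is None:
            result[key] = value
    return result


def weak_algorithms_for(config_text: str, host: str) -> List[str]:
    """List the weak algorithms `host` would be allowed to negotiate under this config."""
    opts = effective_options(config_text, host)
    found: List[str] = []
    for key in ALGO_KEYS:
        for algo in (opts[key] or "").split(","):
            if algo in WEAK_ALGOS:
                found.append(algo)
    return found


if __name__ == "__main__":
    for name, cfg in (("scoped", SWITCH_SCOPED_CONFIG), ("global", GLOBALLY_WEAKENED_CONFIG)):
        for h in ("switch-core1", "prod-db.example.internal"):
            print(f"{name:6} {h:26} weak={weak_algorithms_for(cfg, h)}")
```

Running it shows the scoped config offering CBC, hmac-sha1 and group1 KEX only to `switch-core1`, while `prod-db.example.internal` gets the hardened set; under the globally weakened config both hosts get the legacy algorithms. On a real jump server the same question can be answered without this model by running `ssh -G <host>` and reading the `ciphers`, `macs` and `kexalgorithms` lines it prints.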