roles/common: Add encryption settings to Debian 11 sshd_config

Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any algorithms using less than 256 bits removed. NSA's Suite B removed these long ago, and the new CNSA suite only uses 256 and up. See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
2021-07-24 22:28:59 +03:00 · 2021-07-24 22:28:59 +03:00 · 0bad75788d
parent 892033b880
commit 0bad75788d
1 changed files with 11 additions and 0 deletions
--- a/roles/common/templates/sshd_config_Debian-11.j2
+++ b/roles/common/templates/sshd_config_Debian-11.j2
@ -122,6 +122,17 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+ 
+# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

 # only allow shell access by provisioning user
 AllowUsers {{ provisioning_user.name }}