roles/common: Add encryption settings to Debian 11 sshd_config
Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any algorithms using less than 256 bits removed. NSA's Suite B removed these long ago, and the new CNSA suite only uses 256 and up. See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
This commit is contained in:
parent
892033b880
commit
0bad75788d
@ -123,5 +123,16 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
|
||||
# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
|
||||
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
|
||||
# the new (2018) CNSA suite is 256 bits and up.
|
||||
#
|
||||
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
|
||||
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
|
||||
# only allow shell access by provisioning user
|
||||
AllowUsers {{ provisioning_user.name }}
|
||||
|
Loading…
Reference in New Issue
Block a user