From 13b592dfcd2076b5271dc86911bbd17d53ed7dc4 Mon Sep 17 00:00:00 2001 From: Alan Orth Date: Wed, 7 Jan 2015 01:45:35 +0300 Subject: [PATCH] roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth --- roles/common/templates/sshd_config_Ubuntu-14.04.j2 | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/common/templates/sshd_config_Ubuntu-14.04.j2 b/roles/common/templates/sshd_config_Ubuntu-14.04.j2 index 80240c1..62a52b3 100644 --- a/roles/common/templates/sshd_config_Ubuntu-14.04.j2 +++ b/roles/common/templates/sshd_config_Ubuntu-14.04.j2 @@ -9,7 +9,6 @@ Port 22 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes @@ -86,10 +85,10 @@ Subsystem sftp /usr/lib/openssh/sftp-server # and ChallengeResponseAuthentication to 'no'. UsePAM yes -# bettercrypto.org - June, 2014 +# https://stribika.github.io/2015/01/04/secure-secure-shell.html Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 {% if ssh_allowed_users is defined and ssh_allowed_users %} # Is there a list of allowed users?