roles/common: Tune sshd_config to be more strict

Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.

See: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/common/templates/sshd_config_Ubuntu-14.04.j2

@@ -9,7 +9,6 @@ Port 22
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
@@ -86,10 +85,10 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 
-# bettercrypto.org - June, 2014
+# https://stribika.github.io/2015/01/04/secure-secure-shell.html
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?