roles/common: adjust sshd_config for Debian 12
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
This commit is contained in:
parent
b8f0b4b1fb
commit
4fa82faf18
GPG Key ID:
0FB860CC9C45B1B9
|
|
@ -18,27 +18,29 @@ Include /etc/ssh/sshd_config.d/*.conf
|
|||
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
|
||||
LogLevel VERBOSE
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
PermitRootLogin yes
|
||||
PermitRootLogin prohibit-password
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
MaxAuthTries 4
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
||||
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
||||
|
|
@ -87,7 +89,7 @@ UsePAM yes
|
|||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
X11Forwarding yes
|
||||
X11Forwarding no
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
|
|
@ -120,3 +122,21 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
|
||||
# Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
|
||||
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
|
||||
# the new (2018) CNSA suite is 256 bits and up.
|
||||
#
|
||||
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
|
||||
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
|
||||
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
|
||||
|
||||
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
||||
# Is there a list of allowed users?
|
||||
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
|
||||
# merge the items of a list into one string using a space as a separator
|
||||
# http://jinja.pocoo.org/docs/dev/templates/#join
|
||||
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
|
||||
{% endif %}
|
||||
|
|
|
|||
Loading…
Reference in New Issue