alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

roles/common: adjust sshd_config for Debian 12

Browse Source 
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
This commit is contained in:
Alan Orth 2023-08-09 21:27:19 +02:00
parent b8f0b4b1fb
commit 4fa82faf18
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
1 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
roles/common/templates/sshd_config_Debian-12.j2
View File

@ -18,27 +18,29 @@ Include /etc/ssh/sshd_config.d/*.conf
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
# Logging # Logging
#SyslogFacility AUTH #SyslogFacility AUTH
#LogLevel INFO # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication: # Authentication:
#LoginGraceTime 2m #LoginGraceTime 2m
PermitRootLogin yes PermitRootLogin prohibit-password
#StrictModes yes #StrictModes yes
#MaxAuthTries 6 MaxAuthTries 4
#MaxSessions 10 #MaxSessions 10
#PubkeyAuthentication yes #PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none #AuthorizedPrincipalsFile none
@ -87,7 +89,7 @@ UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
X11Forwarding yes X11Forwarding no
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes #PermitTTY yes
@ -120,3 +122,21 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
# Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
# the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}