roles/common: Port sshd_config changes from Debian 10 to Ubuntu 20.04
By now the recommendations we were using as guidance are five years old. The ciphers have not changed much since then.
This commit is contained in:
parent
5a58d93dfe
commit
6fcb1290fe
|
|
@ -18,28 +18,29 @@ Include /etc/ssh/sshd_config.d/*.conf
|
|||
#ListenAddress ::
|
||||
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
#LogLevel INFO
|
||||
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
|
||||
LogLevel VERBOSE
|
||||
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
#PermitRootLogin prohibit-password
|
||||
PermitRootLogin prohibit-password
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
MaxAuthTries 4
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
||||
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
||||
|
|
@ -88,7 +89,7 @@ UsePAM yes
|
|||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
X11Forwarding yes
|
||||
X11Forwarding no
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
|
|
@ -122,3 +123,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
PasswordAuthentication yes
|
||||
|
||||
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
||||
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# only allow shell access by provisioning user
|
||||
AllowUsers {{ provisioning_user.name }}
|
||||
|
|
|
|||
Loading…
Reference in New Issue