roles/common: Port sshd_config changes from Debian 10 to Ubuntu 20.04

By now the recommendations we were using as guidance are five years
old. The ciphers have not changed much since then.
This commit is contained in:
Alan Orth 2020-04-25 15:48:43 +03:00
parent 5a58d93dfe
commit 6fcb1290fe

View File

@ -18,28 +18,29 @@ Include /etc/ssh/sshd_config.d/*.conf
#ListenAddress :: #ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
# Logging # Logging
#SyslogFacility AUTH #SyslogFacility AUTH
#LogLevel INFO # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication: # Authentication:
#LoginGraceTime 2m #LoginGraceTime 2m
#PermitRootLogin prohibit-password PermitRootLogin prohibit-password
#StrictModes yes #StrictModes yes
#MaxAuthTries 6 MaxAuthTries 4
#MaxSessions 10 #MaxSessions 10
#PubkeyAuthentication yes #PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none #AuthorizedPrincipalsFile none
@ -88,7 +89,7 @@ UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
X11Forwarding yes X11Forwarding no
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PermitTTY yes #PermitTTY yes
@ -122,3 +123,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
PasswordAuthentication yes PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# only allow shell access by provisioning user
AllowUsers {{ provisioning_user.name }}