roles/common: Port sshd_config changes from Debian 10 to Ubuntu 20.04
By now the recommendations we were using as guidance are five years old. The ciphers have not changed much since then.
This commit is contained in:
parent
5a58d93dfe
commit
6fcb1290fe
|
|
@ -18,28 +18,29 @@ Include /etc/ssh/sshd_config.d/*.conf
|
||||||
#ListenAddress ::
|
#ListenAddress ::
|
||||||
|
|
||||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# Ciphers and keying
|
# Ciphers and keying
|
||||||
#RekeyLimit default none
|
#RekeyLimit default none
|
||||||
|
|
||||||
# Logging
|
# Logging
|
||||||
#SyslogFacility AUTH
|
#SyslogFacility AUTH
|
||||||
#LogLevel INFO
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
|
||||||
|
LogLevel VERBOSE
|
||||||
|
|
||||||
# Authentication:
|
# Authentication:
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
#LoginGraceTime 2m
|
||||||
#PermitRootLogin prohibit-password
|
PermitRootLogin prohibit-password
|
||||||
#StrictModes yes
|
#StrictModes yes
|
||||||
#MaxAuthTries 6
|
MaxAuthTries 4
|
||||||
#MaxSessions 10
|
#MaxSessions 10
|
||||||
|
|
||||||
#PubkeyAuthentication yes
|
#PubkeyAuthentication yes
|
||||||
|
|
||||||
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||||
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
#AuthorizedPrincipalsFile none
|
#AuthorizedPrincipalsFile none
|
||||||
|
|
||||||
|
|
@ -88,7 +89,7 @@ UsePAM yes
|
||||||
#AllowAgentForwarding yes
|
#AllowAgentForwarding yes
|
||||||
#AllowTcpForwarding yes
|
#AllowTcpForwarding yes
|
||||||
#GatewayPorts no
|
#GatewayPorts no
|
||||||
X11Forwarding yes
|
X11Forwarding no
|
||||||
#X11DisplayOffset 10
|
#X11DisplayOffset 10
|
||||||
#X11UseLocalhost yes
|
#X11UseLocalhost yes
|
||||||
#PermitTTY yes
|
#PermitTTY yes
|
||||||
|
|
@ -122,3 +123,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
||||||
# PermitTTY no
|
# PermitTTY no
|
||||||
# ForceCommand cvs server
|
# ForceCommand cvs server
|
||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
|
|
||||||
|
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||||
|
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
||||||
|
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||||
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||||
|
|
||||||
|
# only allow shell access by provisioning user
|
||||||
|
AllowUsers {{ provisioning_user.name }}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue