From 892033b880b183d6865e11a5e7f4b50ece5c5917 Mon Sep 17 00:00:00 2001 From: Alan Orth Date: Thu, 22 Jul 2021 14:16:20 +0300 Subject: [PATCH] roles/common: port common settings to Debian 11 sshd_config Still need to add the encryption settings. --- .../common/templates/sshd_config_Debian-11.j2 | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/roles/common/templates/sshd_config_Debian-11.j2 b/roles/common/templates/sshd_config_Debian-11.j2 index dc0db57..995ddc7 100644 --- a/roles/common/templates/sshd_config_Debian-11.j2 +++ b/roles/common/templates/sshd_config_Debian-11.j2 @@ -18,28 +18,29 @@ Include /etc/ssh/sshd_config.d/*.conf #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH -#LogLevel INFO +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. +LogLevel VERBOSE # Authentication: #LoginGraceTime 2m -#PermitRootLogin prohibit-password +PermitRootLogin prohibit-password #StrictModes yes -#MaxAuthTries 6 +MaxAuthTries 4 #MaxSessions 10 #PubkeyAuthentication yes -# Expect .ssh/authorized_keys2 to be disregarded by default in future. -#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none @@ -88,7 +89,7 @@ UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -X11Forwarding yes +X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes @@ -121,3 +122,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server + +# only allow shell access by provisioning user +AllowUsers {{ provisioning_user.name }}