roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04

From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
Alan Orth 2017-06-19 10:13:24 +03:00
parent e5939c830a
commit b945240756
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
2 changed files with 15 additions and 4 deletions


@ -15,15 +15,17 @@
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication:
@ -32,6 +34,8 @@ PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
#PubkeyAuthentication yes
@ -56,6 +60,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
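Review bot: `AuthenticationMethods publickey` (with the same "Password based logins are disabled" comment) is added twice in this template — once after `#MaxSessions 10` in the second hunk and again after `#PermitEmptyPasswords no` in the third — and since sshd uses the first value it reads for a keyword, the second copy is inert and leaves two places to keep in sync; drop the pair after `#PermitEmptyPasswords no`. In the same hunk `#PasswordAuthentication yes` is still left at its default; adding an explicit `PasswordAuthentication no` next to it keeps passwords off even if AuthenticationMethods is later relaxed for some users in a Match block. The Mozilla page cited in the commit message also pins `KexAlgorithms`, `Ciphers` and `MACs`, but the `# Ciphers and keying` block in the first hunk still holds only the commented `#RekeyLimit default none`, so that part of the guideline appears not to be covered by this commit (the 15-line diffstat is consistent with that) and is worth a follow-up or a note in the template.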


@ -8,8 +8,9 @@ Port 22
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
@ -19,12 +20,15 @@ ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
RSAAuthentication yes
PubkeyAuthentication yes