From b945240756ddc1a80bb3aa3464bc6f82ffc29d5d Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 19 Jun 2017 10:13:24 +0300
Subject: [PATCH] roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04

From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
---
 roles/common/templates/sshd_config_Debian-9.j2 | 11 +++++++++--
 roles/common/templates/sshd_config_Ubuntu-16.04.j2 | 8 ++++++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/roles/common/templates/sshd_config_Debian-9.j2 b/roles/common/templates/sshd_config_Debian-9.j2
index 542a9cb..6eb4a00 100644
--- a/roles/common/templates/sshd_config_Debian-9.j2
+++ b/roles/common/templates/sshd_config_Debian-9.j2
@@ -15,15 +15,17 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
-HostKey /etc/ssh/ssh_host_rsa_key
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
-#LogLevel INFO
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
 # Authentication:
@@ -32,6 +34,8 @@ PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
 #PubkeyAuthentication yes
@@ -56,6 +60,9 @@ AuthorizedKeysFile .ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
+
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no
diff --git a/roles/common/templates/sshd_config_Ubuntu-16.04.j2 b/roles/common/templates/sshd_config_Ubuntu-16.04.j2
index ca53ddc..9640d88 100644
--- a/roles/common/templates/sshd_config_Ubuntu-16.04.j2
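Review bot: The new comment `# Supported HostKey algorithms by order of preference.` in the first Debian hunk claims more than the HostKey line order delivers: sshd offers every listed key, and which one a session uses is settled by the client's HostKeyAlgorithms preference against the server's set, so listing ed25519 first does not make it preferred. Suggest `# Host keys offered to clients; the client's HostKeyAlgorithms preference decides which is used.` The LogLevel comment in the same hunk has a typo, "which key was using to log in" should read "which key was used to log in". The commit message cites the Mozilla guideline as the source; if I recall it correctly that page also pins KexAlgorithms, Ciphers and MACs, and a one-line comment under `# Ciphers and keying` saying those were deliberately left at the distro defaults would stop the next reader from assuming they were forgotten.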
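Review bot: `AuthenticationMethods publickey` is added twice to the Debian template, once in this hunk after `#PermitEmptyPasswords no` and once in the previous hunk after `#MaxSessions 10`. sshd_config uses the first value it reads for a keyword and ignores later ones, so the second copy is dead text and a future edit to it would silently have no effect; keep this one, which sits next to the password directives, and drop the earlier pair of lines. It would also be worth making the intent survive a later relaxation of AuthenticationMethods by setting `PasswordAuthentication no` explicitly instead of leaving the commented default `#PasswordAuthentication yes`; together with the existing `ChallengeResponseAuthentication no` below, that closes both the password and keyboard-interactive paths regardless of how AuthenticationMethods is edited.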
+++ b/roles/common/templates/sshd_config_Ubuntu-16.04.j2
@@ -8,8 +8,9 @@ Port 22
 #ListenAddress 0.0.0.0
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
@@ -19,12 +20,15 @@ ServerKeyBits 1024
 # Logging
 SyslogFacility AUTH
-LogLevel INFO
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
 # Authentication:
 LoginGraceTime 120
 PermitRootLogin prohibit-password
 StrictModes yes
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
 RSAAuthentication yes
 PubkeyAuthentication yes