roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04

From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
Alan Orth 2017-06-19 10:13:24 +03:00
parent e5939c830a
commit b945240756
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
2 changed files with 15 additions and 4 deletions


@ -15,15 +15,17 @@
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
#ListenAddress :: #ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key # Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
# Logging # Logging
#SyslogFacility AUTH #SyslogFacility AUTH
#LogLevel INFO # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication: # Authentication:
@ -32,6 +34,8 @@ PermitRootLogin prohibit-password
#StrictModes yes #StrictModes yes
#MaxAuthTries 6 #MaxAuthTries 6
#MaxSessions 10 #MaxSessions 10
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
#PubkeyAuthentication yes #PubkeyAuthentication yes
@ -56,6 +60,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes #PasswordAuthentication yes
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads) # some PAM modules and threads)
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
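Review bot: `AuthenticationMethods publickey` is added twice in this file, once after `#MaxSessions 10` in the second hunk and again after `#PermitEmptyPasswords no` in the third hunk; sshd_config uses the first value obtained for a keyword and silently ignores later ones, so the second copy (together with its duplicated comment) should be dropped before someone edits one and wonders why it has no effect. Because AuthenticationMethods now decides which methods can succeed, it would also be clearer to state `PasswordAuthentication no` explicitly rather than leaving `#PasswordAuthentication yes` commented, so the intent survives if the AuthenticationMethods line is ever removed or overridden in a Match block. The Mozilla guideline cited in the commit message also pins KexAlgorithms, Ciphers and MACs, yet the "Ciphers and keying" section here still carries only the commented RekeyLimit default; this may be deliberate given the OpenSSH version shipped with Debian 9, but it is worth confirming. The new comment has a typo, "which key was using to log in" — suggest `which key was used to log in`. The same cipher/MAC gap and comment typo appear in the second file's hunks as well.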


@ -8,8 +8,9 @@ Port 22
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
Protocol 2 Protocol 2
# HostKeys for protocol version 2 # HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key # Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#Privilege Separation is turned on for security #Privilege Separation is turned on for security
UsePrivilegeSeparation yes UsePrivilegeSeparation yes
@ -19,12 +20,15 @@ ServerKeyBits 1024
# Logging # Logging
SyslogFacility AUTH SyslogFacility AUTH
LogLevel INFO # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication: # Authentication:
LoginGraceTime 120 LoginGraceTime 120
PermitRootLogin prohibit-password PermitRootLogin prohibit-password
StrictModes yes StrictModes yes
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
RSAAuthentication yes RSAAuthentication yes
PubkeyAuthentication yes PubkeyAuthentication yes