From cf16264f53d0d4d9b1a31c291527578638687ed7 Mon Sep 17 00:00:00 2001 From: Alan Orth Date: Sun, 15 Sep 2019 15:15:30 +0300 Subject: [PATCH] roles/common: Update sshd_config template for Debian 10 It seems I had imported the stock one from a default install, but I never configured it. --- .../common/templates/sshd_config_Debian-10.j2 | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/roles/common/templates/sshd_config_Debian-10.j2 b/roles/common/templates/sshd_config_Debian-10.j2 index ee96291..0c21643 100644 --- a/roles/common/templates/sshd_config_Debian-10.j2 +++ b/roles/common/templates/sshd_config_Debian-10.j2 @@ -16,28 +16,29 @@ #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH -#LogLevel INFO +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. +LogLevel VERBOSE # Authentication: #LoginGraceTime 2m -#PermitRootLogin prohibit-password +PermitRootLogin prohibit-password #StrictModes yes -#MaxAuthTries 6 +MaxAuthTries 3 #MaxSessions 10 #PubkeyAuthentication yes -# Expect .ssh/authorized_keys2 to be disregarded by default in future. -#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none @@ -86,13 +87,14 @@ UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -X11Forwarding yes +X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes +#UseLogin no #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 @@ -119,3 +121,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server + +# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html +# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now +# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + +# only allow shell access by provisioning user +AllowUsers {{ provisioning_user.name }}