roles/common: Bring Ubuntu 15.04 sshd_config up to date with standards

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-31 23:48:14 +03:00 · 2015-05-31 23:48:14 +03:00 · e84f777a6b
parent b2dbd138f7
commit e84f777a6b
1 changed files with 15 additions and 6 deletions
--- a/roles/common/templates/sshd_config_Ubuntu-15.04.j2
+++ b/roles/common/templates/sshd_config_Ubuntu-15.04.j2
@ -9,8 +9,6 @@ Port 22
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
@ -58,10 +56,10 @@ PasswordAuthentication yes
 #KerberosTicketCleanup yes

 # GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes

-X11Forwarding yes
+X11Forwarding no
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
@ -85,4 +83,15 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
+UsePAM yes
+
+# https://stribika.github.io/2015/01/04/secure-secure-shell.html
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+# Is there a list of allowed users?
+# Is it populated? (An empty list is 'None', which evaluates as False in Python)
+AllowUsers {{ ssh_allowed_users }} provisioning
+{% endif %}