roles/common: Bring Ubuntu 15.04 sshd_config up to date with standards

Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
Alan Orth 2015-05-31 23:48:14 +03:00
parent b2dbd138f7
commit e84f777a6b

View File

@ -9,8 +9,6 @@ Port 22
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
@ -58,10 +56,10 @@ PasswordAuthentication yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
X11Forwarding yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
@ -85,4 +83,15 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UsePAM yes
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
AllowUsers {{ ssh_allowed_users }} provisioning
{% endif %}