Author | SHA1 | Date | |
---|---|---|---|
6124a0bc49
|
@@ -1,6 +1,7 @@
|
|||||||
---
|
---
|
||||||
# SSH configs don't change in Debian minor versions
|
# Only override the system sshd configuration on older Debian.
|
||||||
- name: Reconfigure /etc/ssh/sshd_config
|
- name: Reconfigure /etc/ssh/sshd_config
|
||||||
|
when: ansible_distribution_version is version('12', '<=')
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
|
src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
@@ -9,6 +10,18 @@
|
|||||||
mode: "0600"
|
mode: "0600"
|
||||||
notify: Reload sshd
|
notify: Reload sshd
|
||||||
|
|
||||||
|
# Newer OpenSSH versions support including extra configuration. The includes
|
||||||
|
# happen at the beginning of the file and the first value to be read is used.
|
||||||
|
- name: Configure sshd_config.d overrides
|
||||||
|
when: ansible_distribution_version is version('13', '>=')
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
|
||||||
|
dest: /etc/ssh/sshd_config.d/01-custom.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
|
notify: Reload sshd
|
||||||
|
|
||||||
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
|
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
|
||||||
- name: Remove small Diffie-Hellman SSH moduli
|
- name: Remove small Diffie-Hellman SSH moduli
|
||||||
block:
|
block:
|
||||||
|
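Review bot: The new task `- name: Configure sshd_config.d overrides` writes the rendered drop-in and notifies `Reload sshd` without checking it first, so a typo or an algorithm name the installed OpenSSH does not accept takes effect on reload and can lock out remote access. `ansible.builtin.template` supports `validate: /usr/sbin/sshd -t -f %s`, which tests the fragment on its own before it is moved into place and catches unknown directives and algorithm names; the same line belongs on the `Reconfigure /etc/ssh/sshd_config` task in the first hunk. Separately, both `when:` conditions compare `ansible_distribution_version` while the `src` paths are built from `ansible_distribution_major_version`; should that fact ever carry a point release (a constructed example: `12.5`), `version('12', '<=')` is false and neither task runs, so gating both `when:` lines on `ansible_distribution_major_version` is more robust and consistent with the paths. The `Remove small Diffie-Hellman SSH moduli` block continues outside the hunk.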
@@ -0,0 +1,34 @@
|
|||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
|
||||||
|
# audit track of which key was using to log in.
|
||||||
|
LogLevel VERBOSE
|
||||||
|
|
||||||
|
MaxAuthTries 4
|
||||||
|
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
|
{% if ssh_password_authentication == 'disabled' %}
|
||||||
|
PasswordAuthentication no
|
||||||
|
{% else %}
|
||||||
|
PasswordAuthentication yes
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
X11Forwarding no
|
||||||
|
|
||||||
|
# Based on the ssh-audit profile for Debian 13, but with but with all algos with
|
||||||
|
# less than 256 bits removed, as NSA's Suite B removed them years ago and the
|
||||||
|
# new (2018) CNSA suite is 256 bits and up.
|
||||||
|
#
|
||||||
|
# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
|
||||||
|
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||||
|
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
|
||||||
|
|
||||||
|
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
||||||
|
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
|
||||||
|
{% endif %}
|
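Review bot: The `PasswordAuthentication no` branch disables only the password method; with PAM in use, password logins can still succeed through keyboard-interactive unless `KbdInteractiveAuthentication no` is set, and this drop-in never sets it. Debian's shipped `/etc/ssh/sshd_config` normally does, but since the header comment of the task file relies on the first value read winning, adding `KbdInteractiveAuthentication no` inside the `{% if ssh_password_authentication == 'disabled' %}` branch makes the hardening self-contained instead of depending on the main file staying untouched. Two comment typos: `# Based on the ssh-audit profile for Debian 13, but with but with all algos with` repeats "but with", and `# audit track of which key was using to log in.` should read "was used".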