Updates sshd config

- Update supported algorthms - Disable some agent forwarding and tunnelling options - Annotate and reorder configuration for readability Sources: - https://github.com/dev-sec/ansible-ssh-hardening - https://github.com/arthepsy/ssh-audit
freedomofpress · Dec 9, 2020 · 57af90a · 57af90a
1 parent 42c8eba
commit 57af90a
Showing 1 changed file with 38 additions and 13 deletions.
diff --git a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
@@ -2,18 +2,29 @@ Port 22
 ListenAddress {{ ssh_listening_address }}:22
 Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Enforce privilege separation by creating unprivileged child process
 UsePrivilegeSeparation yes
 KeyRegenerationInterval 3600
 ServerKeyBits 4096
+
+# Logging options
+
 SyslogFacility AUTH
 LogLevel INFO
+
+# Authentication options
+
 LoginGraceTime 120
 PermitRootLogin no
 StrictModes yes
 RSAAuthentication yes
 PubkeyAuthentication yes
+PasswordAuthentication no
+# Only users in the ssh group to authenticate
+AllowGroups ssh
+# Don't use host-based authentication
 IgnoreRhosts yes
 RhostsRSAAuthentication no
 HostbasedAuthentication no
@@ -22,20 +33,34 @@ ChallengeResponseAuthentication no
 KerberosAuthentication no
 KerberosGetAFSToken no
 GSSAPIAuthentication no
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-AcceptEnv LANG LC_*
 UsePAM no
 UseDNS no
+
+# Cipher selection
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+# Don't use SHA1 for kex
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+# Don't use SHA1 for hashing, don't use encrypt-and-MAC mode
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+# Network
+
 ClientAliveInterval 300
 ClientAliveCountMax 0
-Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-MACs hmac-sha2-256,hmac-sha2-512
+# Do not allow remote port forwarding to bind to non-loopback addresses
 GatewayPorts no
-AllowGroups ssh
+# DisableX11 and agent forwarding, tunnelling
 AllowTcpForwarding no
-PasswordAuthentication no
+AllowAgentForwarding no
+PermitTunnel no
+X11Forwarding no
+X11DisplayOffset 10
+
+# Misc configuration
+
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+AcceptEnv LANG LC_*