Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update and add annotations to sshd config for servers #5666

Merged
merged 3 commits into from
Feb 11, 2021
Merged

Update and add annotations to sshd config for servers #5666

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
00ceaeb
Updates sshd config
emkll Dec 2, 2020
54abdb2
Use ditribution-default host key algorithms
emkll Dec 15, 2020
3f4f6ac
Update sshd config based on feedback
emkll Jan 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
49 changes: 37 additions & 12 deletions install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,30 @@ Port 22
ListenAddress {{ ssh_listening_address }}:22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Enforce privilege separation by creating unprivileged child process
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 4096

# Logging options

SyslogFacility AUTH
LogLevel INFO

# Authentication options

LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
# Only users in the ssh group to authenticate
AllowGroups ssh
# Don't use host-based authentication
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
Expand All @@ -22,20 +34,33 @@ ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosGetAFSToken no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
UsePAM no
UseDNS no

# Cipher selection

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
Copy link
Contributor

@kushaldas kushaldas Jan 6, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need chacha20-poly1305@openssh.com?
chacha20 is specially being used from the cheap phones which does not have good hardware. And our users will use Tails on proper hardware to ssh.

# Don't use SHA1 for kex
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Don't use SHA1 for hashing, don't use encrypt-and-MAC mode
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

# Network

ClientAliveInterval 300
ClientAliveCountMax 0
Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512
# Do not allow remote port forwarding to bind to non-loopback addresses
GatewayPorts no
AllowGroups ssh
# DisableX11 and agent forwarding, tunnelling
AllowTcpForwarding no
PasswordAuthentication no
AllowAgentForwarding no
PermitTunnel no
X11Forwarding no
X11DisplayOffset 10

# Misc configuration

PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
5 changes: 5 additions & 0 deletions molecule/testinfra/common/test_system_hardening.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,11 @@ def test_twofactor_disabled_on_tty(host):
('PasswordAuthentication', 'no'),
('PubkeyAuthentication', 'yes'),
('RSAAuthentication', 'yes'),
('AllowGroups', 'ssh'),
('AllowTcpForwarding', 'no'),
('AllowAgentForwarding', 'no'),
('PermitTunnel', 'no'),
('X11Forwarding', 'no'),
])
def test_sshd_config(host, sshd_opts):
"""
Expand Down