
Minor updates to the sshd_config #51

Closed
dguido opened this issue Aug 17, 2016 · 1 comment
dguido commented Aug 17, 2016

I discovered ssh_scan and the Mozilla OpenSSH Security Guidelines tonight, and discovered a few enhancements we can make to the sshd_config in the process.

HostKeys are apparently an ordered list and OpenSSH still includes RSA and DSA keys by default. We can remove both of those and leave only the ED25519 and ECDSA keys.

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

There is a HostKeyAlgorithms parameter in sshd_config but I haven't gone through it in enough detail to pick a list of allowed algorithms yet. I think that simply limiting the host key choices to only the above should do what we want for now.

There is an AuthenticationMethods option in newer versions of OpenSSH intended to roll up the list of allowed auth methods into a single place. This should be set to pubkey only:

# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey

Astonishingly, OpenSSH does not use seccomp out of the box. You have to configure it by hand.

# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox

None of these make algo radically safer, but they are nice to have.

dguido commented Aug 18, 2016

A few more extraneous options we can remove:

  • RSAAuthentication yes should be no
  • Turn off SFTP
  • Turn off X11 forwarding
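
As an added example (not code from this issue or from the algo project), the following Python script parses an sshd_config and reports whether the settings discussed in the two comments above are in place: HostKey lines limited to the ED25519 and ECDSA keys, AuthenticationMethods publickey, UsePrivilegeSeparation sandbox, RSAAuthentication no, X11 forwarding off, and no sftp Subsystem. The config text it reads is a constructed sample; the function and check names are the example's own.

```python
"""Check an sshd_config against the hardening items discussed in this issue.

Added example, not the algo project's own tooling. It parses keyword/value
lines the way sshd reads them (keywords are case-insensitive, '#' lines are
comments, the first occurrence of a keyword wins, HostKey accumulates) and
reports which of the discussed settings are present, missing or still weak.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first comment's changes are applied, the second
# comment's items (RSAAuthentication, SFTP, X11 forwarding) are not yet.
SAMPLE_CONFIG = """\
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

AuthenticationMethods publickey
UsePrivilegeSeparation sandbox
RSAAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# sshd accepts 'Keyword value' or 'Keyword=value'.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

WEAK_HOSTKEY_SUFFIXES = ("ssh_host_rsa_key", "ssh_host_dsa_key")


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Return lower-cased keyword -> list of values in file order.

    Commented-out lines such as '#HostKey ...' are skipped, so they do not
    count as active HostKey entries.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue  # keyword without an argument; sshd rejects such lines
        key, value = match.group(1).lower(), match.group(2).strip()
        settings.setdefault(key, []).append(value)
    return settings


def first(settings: Dict[str, List[str]], key: str) -> Optional[str]:
    """sshd uses the first obtained value for a keyword; mirror that."""
    values = settings.get(key)
    return values[0].lower() if values else None


def check_hardening(settings: Dict[str, List[str]]) -> List[Tuple[str, bool, str]]:
    """Evaluate each item raised in the issue. Returns (name, passed, detail)."""
    results: List[Tuple[str, bool, str]] = []

    hostkeys = settings.get("hostkey", [])
    weak = [k for k in hostkeys if k.endswith(WEAK_HOSTKEY_SUFFIXES)]
    results.append(("HostKey limited to ED25519/ECDSA", bool(hostkeys) and not weak,
                    "active HostKey lines: " + (", ".join(hostkeys) or "none")))

    auth = first(settings, "authenticationmethods")
    results.append(("AuthenticationMethods publickey", auth == "publickey",
                    "value: %s" % (auth or "unset")))

    ups = first(settings, "useprivilegeseparation")
    results.append(("UsePrivilegeSeparation sandbox", ups == "sandbox",
                    "value: %s" % (ups or "unset")))

    rsa = first(settings, "rsaauthentication")
    results.append(("RSAAuthentication no", rsa == "no",
                    "value: %s" % (rsa or "unset")))

    # X11Forwarding defaults to 'no' in sshd, so an unset keyword also passes.
    x11 = first(settings, "x11forwarding")
    results.append(("X11Forwarding off", x11 in (None, "no"),
                    "value: %s" % (x11 or "unset (default no)")))

    sftp = [v for v in settings.get("subsystem", []) if v.split()[0].lower() == "sftp"]
    results.append(("SFTP subsystem disabled", not sftp,
                    "Subsystem lines: " + (", ".join(sftp) or "none")))
    return results


def failing_checks(text: str) -> List[str]:
    """Names of the checks that a config text does not satisfy."""
    return [name for name, ok, _ in check_hardening(parse_sshd_config(text)) if not ok]


if __name__ == "__main__":
    for name, ok, detail in check_hardening(parse_sshd_config(SAMPLE_CONFIG)):
        print("%s  %-34s %s" % ("PASS" if ok else "FAIL", name, detail))
```

Run against the sample it reports the three items from the second comment as failing; point it at a real `/etc/ssh/sshd_config` by reading the file into `failing_checks`. It deliberately does not evaluate `Match` blocks, so a setting overridden inside one would need a closer look by hand.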
