Commit 0a08267f authored by David Mehren's avatar David Mehren

Update config to use upstreams order and add link to Mozilla guidelines

parent 2b949aaf
# MANAGED BY ANSIBLE
# EVERY CHANGE WILL BE PURGED
{% for item in sshd_ports %}
Port {{ item }}
{% endfor %}
#AddressFamily any
{% for item in sshd_listen_addresses %}
ListenAddress {{ item }}
{% endfor %}
......@@ -16,7 +12,7 @@ PubkeyAuthentication {{ 'yes' if sshd_allow_pubkeys else 'no' }}
PasswordAuthentication {{ 'yes' if sshd_allow_passwords else 'no' }}
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
......@@ -30,16 +26,26 @@ TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
###### EVERYTHING BELOW IS SUGGESTED BY MOZILLA ######
LogLevel VERBOSE
######## EVERYTHING BELOW IS SUGGESTED BY MOZILLA #########
# See https://infosec.mozilla.org/guidelines/openssh.html #
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment