From 0a08267f2110c3a45cf9cb05814c714c647a7ee5 Mon Sep 17 00:00:00 2001
From: David Mehren <dmehren1@gmail.com>
Date: Wed, 15 Jan 2020 15:39:32 +0100
Subject: [PATCH] Update config to use upstreams order and add link to Mozilla guidelines

---
 templates/sshd_config.conf.j2 | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/templates/sshd_config.conf.j2 b/templates/sshd_config.conf.j2
index 8bd5e07..a64d3ec 100644
--- a/templates/sshd_config.conf.j2
+++ b/templates/sshd_config.conf.j2
@@ -1,11 +1,7 @@
-# MANAGED BY ANSIBLE
-# EVERY CHANGE WILL BE PURGED
-
 {% for item in sshd_ports %}
 Port {{ item }}
 {% endfor %}
-#AddressFamily any
 {% for item in sshd_listen_addresses %}
 ListenAddress {{ item }}
 {% endfor %}
@@ -16,7 +12,7 @@ PubkeyAuthentication {{ 'yes' if sshd_allow_pubkeys else 'no' }}
 PasswordAuthentication {{ 'yes' if sshd_allow_passwords else 'no' }}
 PermitEmptyPasswords no
-AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
 ChallengeResponseAuthentication no
 UsePAM yes
@@ -30,16 +26,26 @@ TCPKeepAlive yes
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
-###### EVERYTHING BELOW IS SUGGESTED BY MOZILLA ######
-
-LogLevel VERBOSE
+######## EVERYTHING BELOW IS SUGGESTED BY MOZILLA #########
+# See https://infosec.mozilla.org/guidelines/openssh.html #
+# Supported HostKey algorithms by order of preference.
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
-Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
-
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# Use kernel sandbox mechanisms where possible in unprivileged processes
+# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
+UsePrivilegeSeparation sandbox
-- 
GitLab
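Review bot: The sftp-server path in the new `Subsystem` line, `/usr/lib/ssh/sftp-server`, replaces `/usr/lib/openssh/sftp-server` from the removed line, so on any host where the binary still lives at the old path every sftp session will fail once this template is deployed, and as far as I can tell `sshd -t` does not verify that a subsystem binary exists, so a config check will not catch it. Since this is an Ansible template, the path should come from a variable in the style of the existing `sshd_*` ones, e.g. `Subsystem sftp {{ sshd_sftp_server }} -f AUTHPRIV -l INFO` (constructed name) with a per-distribution default, or use the in-process `internal-sftp`, which accepts the same `-f`/`-l` logging options and needs no path at all. A broken subsystem also silently loses the file-access logging that the comment above that line promises. Separately, `UsePrivilegeSeparation` has been deprecated since OpenSSH 7.5, where privilege separation with sandboxing became unconditional, so on current releases the last line only produces a deprecation warning and adds no protection; it is worth dropping or gating on the target OpenSSH version.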