Updates sshd config

- Update supported algorthms
- Disable some agent forwarding and tunnelling options
- Annotate and reorder configuration for readability

Sources:
- https://github.com/dev-sec/ansible-ssh-hardening
- https://github.com/arthepsy/ssh-audit

install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config

@@ -2,18 +2,29 @@ Port 22
 ListenAddress {{ ssh_listening_address }}:22
 Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Enforce privilege separation by creating unprivileged child process
 UsePrivilegeSeparation yes
 KeyRegenerationInterval 3600
 ServerKeyBits 4096
+
+# Logging options
+
 SyslogFacility AUTH
 LogLevel INFO
+
+# Authentication options
+
 LoginGraceTime 120
 PermitRootLogin no
 StrictModes yes
 RSAAuthentication yes
 PubkeyAuthentication yes
+PasswordAuthentication no
+# Only users in the ssh group to authenticate
+AllowGroups ssh
+# Don't use host-based authentication
 IgnoreRhosts yes
 RhostsRSAAuthentication no
 HostbasedAuthentication no
@@ -22,20 +33,34 @@ ChallengeResponseAuthentication no
 KerberosAuthentication no
 KerberosGetAFSToken no
 GSSAPIAuthentication no
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-AcceptEnv LANG LC_*
 UsePAM no
 UseDNS no
+
+# Cipher selection
+
+Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes128-ctr
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+# Don't use SHA1 for kex
+KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
+# Don't use SHA1 for hashing, don't use encrypt-and-MAC mode
+MACs [email protected],[email protected],[email protected]
+
+# Network
+
 ClientAliveInterval 300
 ClientAliveCountMax 0
-Ciphers [email protected],aes256-ctr,[email protected]
-KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
-MACs hmac-sha2-256,hmac-sha2-512
+# Do not allow remote port forwarding to bind to non-loopback addresses
 GatewayPorts no
-AllowGroups ssh
+# DisableX11 and agent forwarding, tunnelling
 AllowTcpForwarding no
-PasswordAuthentication no
+AllowAgentForwarding no
+PermitTunnel no
+X11Forwarding no
+X11DisplayOffset 10
+
+# Misc configuration
+
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+AcceptEnv LANG LC_*

molecule/testinfra/common/test_system_hardening.py

@@ -110,6 +110,11 @@ def test_twofactor_disabled_on_tty(host):
   ('PasswordAuthentication', 'no'),
   ('PubkeyAuthentication', 'yes'),
   ('RSAAuthentication', 'yes'),
+  ('AllowGroups', 'ssh'),
+  ('AllowTcpForwarding', 'no'),
+  ('AllowAgentForwarding', 'no'),
+  ('PermitTunnel', 'no'),
+  ('X11Forwarding', 'no'),
 ])
 def test_sshd_config(host, sshd_opts):
     """