Update sshd config based on feedback

- As pointed out by @kushaldas, chacha20-poly1305 mostly mobile-specific cipher, and while historically present in the sshd configuration for SecureDrop, is not necessary to support Debian-based ssh clients. - The UsePrivilegeSeparation option has been deprecated in OpenSSH 7.5 [1]. UsePrivilegeSeparation has defaulted to 'sandbox' since 6.1 [2] and to 'yes' since 3.3 [3]. [1] https://www.openssh.com/txt/release-7.5 [2] https://www.openssh.com/txt/release-6.1 [3] https://www.openssh.com/txt/release-3.3
freedomofpress · Jan 7, 2021 · 3f4f6ac · 3f4f6ac
1 parent 54abdb2
commit 3f4f6ac
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
@@ -5,8 +5,6 @@ HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Enforce privilege separation by creating unprivileged child process
-UsePrivilegeSeparation yes
 KeyRegenerationInterval 3600
 ServerKeyBits 4096
 
@@ -39,7 +37,7 @@ UseDNS no
 
 # Cipher selection
 
-Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes128-ctr
+Ciphers [email protected],[email protected],aes256-ctr,aes128-ctr
 # Don't use SHA1 for kex
 KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
 # Don't use SHA1 for hashing, don't use encrypt-and-MAC mode