From 3f4f6acd400c1367d7a0ae6fdcca797d9ec797e9 Mon Sep 17 00:00:00 2001 From: mickael e Date: Thu, 7 Jan 2021 11:16:20 -0500 Subject: [PATCH] Update sshd config based on feedback - As pointed out by @kushaldas, chacha20-poly1305 mostly mobile-specific cipher, and while historically present in the sshd configuration for SecureDrop, is not necessary to support Debian-based ssh clients. - The UsePrivilegeSeparation option has been deprecated in OpenSSH 7.5 [1]. UsePrivilegeSeparation has defaulted to 'sandbox' since 6.1 [2] and to 'yes' since 3.3 [3]. [1] https://www.openssh.com/txt/release-7.5 [2] https://www.openssh.com/txt/release-6.1 [3] https://www.openssh.com/txt/release-3.3 --- .../roles/restrict-direct-access/templates/sshd_config | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config index 01822a00fe..dcd0d5aec1 100644 --- a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config +++ b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config @@ -5,8 +5,6 @@ HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key -# Enforce privilege separation by creating unprivileged child process -UsePrivilegeSeparation yes KeyRegenerationInterval 3600 ServerKeyBits 4096 @@ -39,7 +37,7 @@ UseDNS no # Cipher selection -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr +Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr # Don't use SHA1 for kex KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 # Don't use SHA1 for hashing, don't use encrypt-and-MAC mode
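Review bot: In the first hunk (removal of `UsePrivilegeSeparation yes` and its comment), the two context lines immediately below it, `KeyRegenerationInterval 3600` and `ServerKeyBits 4096`, are SSH protocol 1 server options that OpenSSH no longer honours (server-side SSHv1 support was removed in OpenSSH 7.4), so the same rationale given in the commit message for dropping a deprecated directive applies to them and they could be removed in this change rather than left in the template. The removal itself is safe on older servers too, since the message notes `UsePrivilegeSeparation` has defaulted to `sandbox` since 6.1, so dropping the explicit `yes` does not weaken the effective setting. Consider keeping a one-line comment in place of the removed directive stating that privilege separation is the built-in default, so a later contributor does not re-add the deprecated keyword and reintroduce a warning on newer sshd builds.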
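Review bot: In the second hunk, the new `Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr` line is still a pure AEAD/CTR list that modern OpenSSH clients negotiate, but the justification in the commit message ("mostly mobile-specific cipher") is not reflected anywhere in the template, and the `# Cipher selection` comment that remains in context says nothing about why chacha20-poly1305 is excluded. Suggest expanding that comment to record the decision (for example, that the list is intentionally limited to AES-GCM and AES-CTR for the supported Debian-based clients), since the rationale otherwise lives only in git history. Also worth confirming before merge that the rendered config still parses on the target hosts with the unchanged `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256` line (for example via `sshd -t` against the rendered file), since this template is the only file changed and there is no accompanying test in the diff.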