From 57af90a86d8bf5fa7ed488bb5028c14e943b345b Mon Sep 17 00:00:00 2001
From: mickael e
Date: Wed, 2 Dec 2020 10:53:57 -0500
Subject: [PATCH] Updates sshd config

- Update supported algorthms
- Disable some agent forwarding and tunnelling options
- Annotate and reorder configuration for readability
Sources:
- https://github.com/dev-sec/ansible-ssh-hardening
- https://github.com/arthepsy/ssh-audit
---
 .../templates/sshd_config | 51 ++++++++++++++-----
 1 file changed, 38 insertions(+), 13 deletions(-)

diff --git a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
index 7d305114fb..c4904c27fd 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
+++ b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
@@ -2,18 +2,29 @@ Port 22
 ListenAddress {{ ssh_listening_address }}:22
 Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Enforce privilege separation by creating unprivileged child process
 UsePrivilegeSeparation yes
 KeyRegenerationInterval 3600
 ServerKeyBits 4096
+
+# Logging options
+
 SyslogFacility AUTH
 LogLevel INFO
+
+# Authentication options
+
 LoginGraceTime 120
 PermitRootLogin no
 StrictModes yes
 RSAAuthentication yes
 PubkeyAuthentication yes
+PasswordAuthentication no
+# Only users in the ssh group to authenticate
+AllowGroups ssh
+# Don't use host-based authentication
 IgnoreRhosts yes
 RhostsRSAAuthentication no
 HostbasedAuthentication no
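Review bot: The new comment above `UsePrivilegeSeparation yes` presents it as an enforced setting, but I believe OpenSSH 7.5 and later treat the directive as deprecated and ignore it (privilege separation is always on), and the adjacent `KeyRegenerationInterval`, `ServerKeyBits` and `RSAAuthentication` lines the hunk keeps are protocol-1 options that OpenSSH 7.4 and later likewise accept only as ignored no-ops. Since the commit's stated goal is to annotate the file for readability, the annotation should not suggest these lines still do anything on a current server; I would change it to `# Privilege separation is always on from OpenSSH 7.5; this directive only matters on older servers and is ignored by newer ones`, or drop the protocol-1 directives outright if the supported platform ships a newer OpenSSH. The `# Only users in the ssh group to authenticate` comment also reads awkwardly; `# Only allow users in the ssh group to authenticate` states it plainly.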
@@ -22,20 +33,34 @@ ChallengeResponseAuthentication no
 KerberosAuthentication no
 KerberosGetAFSToken no
 GSSAPIAuthentication no
-X11Forwarding no
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-AcceptEnv LANG LC_*
 UsePAM no
 UseDNS no
+
+# Cipher selection
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+# Don't use SHA1 for kex
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+# Don't use SHA1 for hashing, don't use encrypt-and-MAC mode
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+# Network
+
 ClientAliveInterval 300
 ClientAliveCountMax 0
-Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-MACs hmac-sha2-256,hmac-sha2-512
+# Do not allow remote port forwarding to bind to non-loopback addresses
 GatewayPorts no
-AllowGroups ssh
+# DisableX11 and agent forwarding, tunnelling
 AllowTcpForwarding no
-PasswordAuthentication no
+AllowAgentForwarding no
+PermitTunnel no
+X11Forwarding no
+X11DisplayOffset 10
+
+# Misc configuration
+
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+AcceptEnv LANG LC_*
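Review bot: `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256` keeps DH group exchange, whose strength depends on the groups present in /etc/ssh/moduli rather than on anything in this template, so the `# Don't use SHA1 for kex` comment above it documents the hash choice but not the actual risk; the dev-sec role cited in the commit message also prunes small groups from that file. I would extend the comment to `# DH group exchange picks groups from /etc/ssh/moduli; that file must have its small groups removed (or be shipped by this role) for this method to be safe`, or, if the role cannot guarantee that, drop the group-exchange method and rely on curve25519 (listing the IANA name `curve25519-sha256`, available since OpenSSH 7.4, next to the libssh.org alias). Separately, the unchanged `ClientAliveCountMax 0` now placed under `# Network` changes meaning on OpenSSH 8.2 and later, where 0 disables connection termination entirely instead of ending the session after one missed probe, so the 300-second idle cut-off older servers gave is silently lost; the comment should state which behaviour the role relies on, and if a real idle timeout is required it needs a different mechanism, since ClientAlive* is a liveness check. The `# DisableX11 and agent forwarding, tunnelling` comment is missing a space after `Disable`.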