From 114970ec4b5a47e59e273635fbe4178170457b83 Mon Sep 17 00:00:00 2001 From: staticsafe Date: Tue, 24 Mar 2020 11:15:30 -0400 Subject: [PATCH] Use a more generic sshd_config with our options. --- ubuntu/roles/common/files/sshd_config | 137 ++++++++++++++++---------- 1 file changed, 85 insertions(+), 52 deletions(-) diff --git a/ubuntu/roles/common/files/sshd_config b/ubuntu/roles/common/files/sshd_config index 6a6ce03..2af3b72 100644 --- a/ubuntu/roles/common/files/sshd_config +++ b/ubuntu/roles/common/files/sshd_config @@ -1,80 +1,76 @@ -# Package generated configuration file -# See the sshd_config(5) manpage for details +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ -# What ports, IPs and protocols we listen for -Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any #ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes +#ListenAddress :: -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 1024 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none # Logging -SyslogFacility AUTH -LogLevel INFO +#SyslogFacility AUTH +#LogLevel INFO # Authentication: -LoginGraceTime 120 + +#LoginGraceTime 2m PermitRootLogin without-password -StrictModes yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys +#PubkeyAuthentication yes +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes +#IgnoreRhosts yes -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no -# Change to no to disable tunnelled clear text passwords -PasswordAuthentication no - # Kerberos options #KerberosAuthentication no -#KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes +#KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes - -X11Forwarding yes -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -87,3 +83,40 @@ Subsystem sftp /usr/lib/openssh/sftp-server # and ChallengeResponseAuthentication to 'no'. UsePAM yes +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server