Update deploy_ssh_server_config role for Debian 12 support
This commit is contained in:
parent
f62135e263
commit
23deedf0d6
4 changed files with 139 additions and 2 deletions
|
@ -1,85 +0,0 @@
|
|||
# This is the sshd server system-wide configuration file deployed and managed by
|
||||
# Ansible.
|
||||
# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
|
||||
# information.
|
||||
|
||||
# This config doesn't set all options and leaves some to the sshd defaults.
|
||||
# The sshd defaults should be alright, so this config is only really setting
|
||||
# options in cases where we want to intentionally have an option a certain way
|
||||
# for some reason or another. For example for hardening, improved loggin, etc.
|
||||
|
||||
|
||||
## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern
|
||||
## guidelines.
|
||||
|
||||
# Supported HostKey algorithms by order of preference.
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
|
||||
|
||||
## Authentication Settings.
|
||||
|
||||
# Require only "publickey" for authentication.
|
||||
# From Mozillas Modern guidelines.
|
||||
AuthenticationMethods publickey
|
||||
|
||||
# Enable "PubkeyAuthentication" accordingly.
|
||||
PubkeyAuthentication yes
|
||||
# Don't do the other authentication types.
|
||||
PasswordAuthentication no
|
||||
ChallengeResponseAuthentication no
|
||||
KerberosAuthentication no
|
||||
GSSAPIAuthentication no
|
||||
|
||||
# Don't allow root login.
|
||||
PermitRootLogin no
|
||||
|
||||
# Set this to "yes", but have "PasswordAuthentication" and
|
||||
# "ChallengeResponseAuthentication" set to "no", to have account and session
|
||||
# checks run.
|
||||
# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
|
||||
# information.
|
||||
UsePAM yes
|
||||
|
||||
|
||||
## Miscellaneous Settings.
|
||||
|
||||
# X11 forwarding shouldn't be needed.
|
||||
X11Forwarding no
|
||||
|
||||
# Printing this isn't needed.
|
||||
PrintMotd no
|
||||
|
||||
# Print time and date of last login, since that's nice.
|
||||
PrintLastLog yes
|
||||
|
||||
# Disable general environment processing.
|
||||
PermitUserEnvironment no
|
||||
|
||||
# Allow client to pass locale environment variables.
|
||||
# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
# Request response from client after 120 seconds of no communication.
|
||||
# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
|
||||
ClientAliveInterval 120
|
||||
|
||||
|
||||
## Logging
|
||||
|
||||
# Set "LogLevel" to "VERBOSE" to log users key fingerprints on login.
|
||||
# This is needed for a clear audit track.
|
||||
# From Mozillas Modern guidelines.
|
||||
LogLevel VERBOSE
|
||||
|
||||
# Enable the sftp subsystem and log properly.
|
||||
# From Mozillas Modern guidelines and
|
||||
# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|