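# This is the sshd server system-wide configuration file deployed and managed by
# Ansible.
# See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more
# information.

# This config doesn't set all options and leaves some to the sshd defaults.
# The sshd defaults should be alright, so this config is only really setting
# options in cases where we want to intentionally have an option a certain way
# for some reason or another. For example for hardening, improved logging, etc.
# Notably, TCP and agent forwarding are not set here and remain at the sshd
# defaults.


## Use the HostKey preference, Ciphers and algorithms from Mozilla's Modern
## guidelines.

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Key exchange: curve25519 first, then the NIST curves, then DH group exchange.
# The strength of "diffie-hellman-group-exchange-sha256" depends on the groups
# present in the host's moduli file; the same guidelines recommend removing
# small groups from it.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

# AEAD ciphers first, then CTR modes. No CBC modes.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Encrypt-then-MAC variants first. No SHA-1 based MACs.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com


## Authentication Settings.

# Require only "publickey" for authentication.
# From Mozilla's Modern guidelines.
AuthenticationMethods publickey

# Enable "PubkeyAuthentication" accordingly.
PubkeyAuthentication yes
# Don't do the other authentication types. "AuthenticationMethods" above already
# limits logins to "publickey"; disabling these explicitly is defence in depth
# and keeps the effective policy visible in one place.
PasswordAuthentication no
{# Debian 12 and newer use the current keyword "KbdInteractiveAuthentication";
   "ChallengeResponseAuthentication" is the legacy name (newer OpenSSH releases
   treat it as a deprecated alias). The release number is compared as an
   integer: "distribution_major_version" is a string, and an equality check
   against "12" would silently fall back to the legacy keyword on later
   Debian releases. #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] | int >= 12 %}
KbdInteractiveAuthentication no
{% else %}
ChallengeResponseAuthentication no
{% endif %}
KerberosAuthentication no
GSSAPIAuthentication no

# Don't allow root login.
PermitRootLogin no

{# This branch only selects which keyword name the comment below refers to; it
   must match the keyword chosen in the authentication section above. #}
{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] | int >= 12 %}
# Set this to "yes", but have "PasswordAuthentication" and
# "KbdInteractiveAuthentication" set to "no", to have account and session checks
# run.
{% else %}
# Set this to "yes", but have "PasswordAuthentication" and
# "ChallengeResponseAuthentication" set to "no", to have account and session
# checks run.
{% endif %}
# See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more
# information.
UsePAM yes


## Miscellaneous Settings.

# X11 forwarding shouldn't be needed.
X11Forwarding no

# Printing the motd from sshd isn't needed (the PAM session typically prints it
# already, so it would otherwise show twice).
PrintMotd no

# Print time and date of last login, since that's nice.
PrintLastLog yes

# Disable general environment processing ("environment=" options in
# authorized_keys and ~/.ssh/environment are ignored).
PermitUserEnvironment no

# Allow the client to pass locale environment variables. Only these names are
# accepted; any other variable the client sends is dropped.
# From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
AcceptEnv LANG LC_*

# Request a response from the client after 120 seconds of no communication.
# "ClientAliveCountMax" is left at the sshd default, which bounds how many
# unanswered requests are tolerated before the session is dropped.
# Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
ClientAliveInterval 120


## Logging

# Set "LogLevel" to "VERBOSE" to log users' key fingerprints on login.
# This is needed for a clear audit trail.
# From Mozilla's Modern guidelines.
LogLevel VERBOSE

# Enable the sftp subsystem and log properly: "-f AUTHPRIV" sends its messages
# to the authpriv syslog facility and "-l INFO" logs the transactions performed
# on behalf of the client.
# From Mozilla's Modern guidelines and
# "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config".
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO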