2022-11-21 12:56:57 +01:00
|
|
|
{% if hardening_sshd_enabled %}
|
|
|
|
|
|
|
|
Protocol 2 # Protocol 1 is fundamentally broken
|
|
|
|
StrictModes yes # Protects from misconfiguration
|
|
|
|
|
|
|
|
#ListenAddress [ip-here] # Listening address
|
2022-11-21 16:52:36 +01:00
|
|
|
Port {{ sshd_port }} # Listening port. Normal 22
|
2022-11-21 12:56:57 +01:00
|
|
|
|
|
|
|
AuthenticationMethods publickey # Only public key authentication allowed
|
|
|
|
AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }}
|
|
|
|
PubkeyAuthentication yes # Allow public key authentication
|
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key # Only allow ECDSA pubic key authentication
|
|
|
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Host keys the client should accepts
|
|
|
|
KexAlgorithms curve25519-sha256 # Specifies the available KEX (Key Exchange) algorithms
|
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Specifies the ciphers allowed
|
|
|
|
MACs hmac-sha2-512-etm@openssh.com # Specifies the available MAC alg.
|
|
|
|
|
|
|
|
#Only allow incoming ECDSA and ed25519 sessions:
|
|
|
|
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
|
|
|
|
PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519
|
|
|
|
#CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
|
|
|
|
|
|
|
|
PermitRootLogin WITHOUT-PASSWORD # Enable/disable root login
|
|
|
|
#AllowUsers [username] # Authorized SSH users are inside the admin group
|
|
|
|
MaxAuthTries 5 # Maximum allowed authentication attempts
|
|
|
|
MaxSessions 2 # Maximum allowed sessions by the user
|
|
|
|
|
|
|
|
PasswordAuthentication no # No username password authentication
|
|
|
|
PermitEmptyPasswords no # No empty password authentcation allowed
|
|
|
|
IgnoreRhosts yes # Dont read users rhost files
|
|
|
|
HostbasedAuthentication no # Disable host-based authentication
|
|
|
|
ChallengeResponseAuthentication no # Unused authentication scheme
|
|
|
|
X11Forwarding no # Disable X11 forwarding
|
|
|
|
|
|
|
|
LogLevel VERBOSE # Fingerprint details of failed login attempts
|
|
|
|
SyslogFacility AUTH # Logging authentication and authorization related commands
|
|
|
|
UseDNS no # Client from a location without proper DNS generate a warning in the logs
|
|
|
|
|
|
|
|
PermitTunnel no # Only SSH connection and nothing else
|
|
|
|
AllowTcpForwarding {{ 'yes' if hardening_sshd_tcp_forward else 'no' }} # Disablow tunneling out via SSH
|
|
|
|
AllowStreamLocalForwarding no # Disablow tunneling out via SSH
|
|
|
|
GatewayPorts no # Disablow tunneling out via SSH
|
|
|
|
AllowAgentForwarding no # Do not allow agent forwarding
|
|
|
|
|
|
|
|
{% if hardening_sshd_legal_banner %}
|
|
|
|
Banner /etc/issue.net # Show legal login banner
|
|
|
|
{% endif %}
|
|
|
|
PrintLastLog yes # Show last login
|
|
|
|
|
|
|
|
ClientAliveInterval 900 # Client timeout (15 minutes)
|
|
|
|
ClientAliveCountMax 0 # This way enforces timeouts on the server side
|
|
|
|
LoginGraceTime 30 # Authenticatin must happen within 30 seconds
|
|
|
|
MaxStartups 2 # Max concurrent SSH sessions
|
|
|
|
TCPKeepAlive yes # Do not use TCP keep-alive
|
|
|
|
|
|
|
|
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
|
|
|
|
|
|
|
|
{% endif %}
|