Created
March 22, 2017 11:10
-
-
Save Office-Manager/f751e8cd287edcb8b195c1cb96b61812 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Ansible managed | |
# This is the ssh client system-wide configuration file. | |
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. | |
# Basic configuration | |
# =================== | |
# Either disable or only allowssh root login via certificates. | |
PermitRootLogin no | |
# Define which port sshd should listen to. Default to `22`. | |
Port 22 | |
# Address family should always be limited to the active network configuration. | |
AddressFamily inet | |
# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone. | |
ListenAddress 0.0.0.0 | |
# List HostKeys here. | |
HostKey /etc/ssh/ssh_host_rsa_key # Req 20 | |
HostKey /etc/ssh/ssh_host_ecdsa_key # Req 20 | |
HostKey /etc/ssh/ssh_host_ed25519_key # Req 20 | |
# Security configuration | |
# ====================== | |
# Set the protocol version to 2 for security reasons. Disables legacy support. | |
Protocol 2 | |
# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration. | |
StrictModes yes | |
# Logging, obsoletes QuietMode and FascistLogging | |
SyslogFacility AUTH | |
LogLevel VERBOSE | |
# Cryptography | |
# ------------ | |
# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added | |
# CBC: is true if you want to connect with OpenSSL-base libraries | |
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work | |
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) | |
# | |
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary. | |
# Weak HMAC is sometimes required if older package versions are used | |
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. | |
# | |
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 | |
# Alternative setting, if OpenSSH version is below v5.9 | |
#MACs hmac-ripemd160 | |
# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary | |
# Weak kex is sometimes required if older package versions are used | |
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. | |
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf | |
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
# Authentication | |
# -------------- | |
# Secure Login directives. | |
UseLogin no | |
UsePrivilegeSeparation sandbox | |
PermitUserEnvironment no | |
LoginGraceTime 30s | |
MaxAuthTries 2 | |
MaxSessions 10 | |
MaxStartups 10:30:100 | |
# Enable public key authentication | |
PubkeyAuthentication yes | |
# Never use host-based authentication. It can be exploited. | |
IgnoreRhosts yes | |
IgnoreUserKnownHosts yes | |
HostbasedAuthentication no | |
# Enable PAM to enforce system wide rules | |
UsePAM yes | |
# Disable password-based authentication, it can allow for potentially easier brute-force attacks. | |
PasswordAuthentication no | |
PermitEmptyPasswords no | |
ChallengeResponseAuthentication no | |
# Only enable Kerberos authentication if it is configured. | |
KerberosAuthentication no | |
KerberosOrLocalPasswd no | |
KerberosTicketCleanup yes | |
#KerberosGetAFSToken no | |
# Only enable GSSAPI authentication if it is configured. | |
GSSAPIAuthentication no | |
GSSAPICleanupCredentials yes | |
# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled. | |
AllowUsers efthruser | |
# Network | |
# ------- | |
# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel | |
TCPKeepAlive no | |
# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail. | |
ClientAliveInterval 600 | |
ClientAliveCountMax 3 | |
# Disable tunneling | |
PermitTunnel no | |
# Disable forwarding tcp connections. | |
# no real advantage without denied shell access | |
AllowTcpForwarding no | |
# Disable agent formwarding, since local agent could be accessed through forwarded connection. | |
# no real advantage without denied shell access | |
AllowAgentForwarding no | |
# Do not allow remote port forwardings to bind to non-loopback addresses. | |
GatewayPorts no | |
# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection. | |
X11Forwarding no | |
X11UseLocalhost yes | |
# Misc. configuration | |
# =================== | |
PrintMotd no | |
PrintLastLog no | |
Banner none | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment