Created
December 28, 2016 23:43
-
-
Save RiFi2k/41f3874f9747c9a5e611b105e373100a to your computer and use it in GitHub Desktop.
ssh-hardening/defaults/main.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Documentation: https://roots.io/trellis/docs/security/ | |
| # Which components to generate the configuration files for. | |
| # If remote machine doesn't have an SSH server then change the ssh_client_hardening to false. | |
| ssh_client_hardening: true # SSH | |
| ssh_server_hardening: true # SSHD | |
| # Set to true if CBC for ciphers is required. | |
| ssh_client_cbc_required: false # SSH | |
| ssh_server_cbc_required: false # SSHD | |
| # Set to true if weaker HMAC mechanisms are required. | |
| ssh_client_weak_hmac: false # SSH | |
| ssh_server_weak_hmac: false # SSHD | |
| # Set to true if weaker Key-Exchange (KEX) mechanisms are required. | |
| ssh_client_weak_kex: false # SSH | |
| ssh_server_weak_kex: false # SSHD | |
| # Set to true to allow logins with passwords. | |
| ssh_client_password_login: false # SSH | |
| ssh_server_password_login: false # SSHD | |
| network_ipv6_enable: false # SSHD + SSH | |
| # Port to which ssh-client should connect. | |
| ssh_client_port: 22 # SSH | |
| # Ports on which ssh-server should listen. | |
| ssh_server_ports: # SSHD | |
| - 22 | |
| # IP addresses which ssh-server should listen to, configure for extra security. | |
| ssh_listen_to: # SSHD | |
| - 0.0.0.0 | |
| # Host keys to look for when starting SSHD. | |
| ssh_host_key_files: # SSHD | |
| - /etc/ssh/ssh_host_ed25519_key | |
| - /etc/ssh/ssh_host_rsa_key | |
| # Specifies the host key algorithms that the client wants to use, in order of preference. | |
| ssh_host_key_algorithms: # SSH | |
| - ssh-ed25519-cert-v01@openssh.com | |
| - ssh-rsa-cert-v01@openssh.com | |
| - ssh-ed25519 | |
| - ssh-rsa | |
| # Specifies the maximum number of authentication attempts permitted per connection. | |
| # Once the number of failures reaches half this value, additional failures are logged. | |
| ssh_max_auth_retries: 6 | |
| ssh_client_alive_interval: 600 # SSHD | |
| ssh_client_alive_count: 3 # SSHD | |
| # Example hosts with custom options. | |
| # ssh_remote_hosts: | |
| # - names: | |
| # - example.com | |
| # - example2.com | |
| # options: | |
| # - Port 2222 | |
| # - ForwardAgent yes | |
| # - names: | |
| # - example3.com | |
| # options: | |
| # - StrictHostKeyChecking no | |
| ssh_remote_hosts: [] # SSH | |
| # Set to true to allow root to login via key-based mechanism. | |
| ssh_allow_root_with_key: false # SSHD | |
| # Set to true to allow TCP Forwarding. | |
| ssh_allow_tcp_forwarding: false # SSHD | |
| # Set to false to disable Agent Forwarding. | |
| ssh_allow_agent_forwarding: true # SSHD | |
| # PAM authentication enabled to avoid Debian bug with openssh-server. | |
| # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636 | |
| # can change to `false` once Canonical Main repository includes openssh 1:7.2p2-6 | |
| ssh_use_pam: true # SSHD | |
| # Login is disallowed for user names that match one of the patterns. | |
| ssh_deny_users: [] # SSHD | |
| # Login is allowed only for user names that match one of the patterns. | |
| ssh_allow_users: [] # SSHD | |
| # Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. | |
| ssh_deny_groups: [] # SSHD | |
| # Login is allowed only for users whose primary group or supplementary group list matches one of the patterns. | |
| ssh_allow_groups: [] # SSHD | |
| # Set to true to enable printing of the MOTD. | |
| ssh_print_motd: false # SSHD | |
| # Set to true to display last login information. | |
| ssh_print_last_log: false # SSHD | |
| # Set to true to display /etc/ssh/banner.txt before authentication is allowed. | |
| ssh_banner: false # SSHD | |
| # Set to false to disable distribution version leakage during initial protocol handshake. | |
| ssh_print_debian_banner: false # SSHD | |
| ssh_send_env: '' # SSH | |
| ssh_accept_env: '' # SSHD | |
| # Set to true to enable SFTP configuration. | |
| sftp_enabled: false | |
| # Change default SFTP chroot location. | |
| sftp_chroot_dir: /home/%u | |
| # Enable experimental client roaming. | |
| ssh_client_roaming: false | |
| use_privilege_separation: "sandbox" # SSHD | |
| ssh_macs_default: | |
| - hmac-sha2-512-etm@openssh.com | |
| - hmac-sha2-256-etm@openssh.com | |
| - hmac-ripemd160-etm@openssh.com | |
| - umac-128-etm@openssh.com | |
| - hmac-sha2-512 | |
| - hmac-sha2-256 | |
| - hmac-ripemd160 | |
| ssh_macs_weak: "{{ ssh_macs_default + ['umac-128@openssh.com','hmac-sha1'] }}" | |
| ssh_ciphers_default: | |
| - chacha20-poly1305@openssh.com | |
| - aes256-gcm@openssh.com | |
| - aes128-gcm@openssh.com | |
| - aes256-ctr | |
| - aes192-ctr | |
| - aes128-ctr | |
| ssh_ciphers_weak: "{{ ssh_ciphers_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}" | |
| ssh_kex_default: | |
| - curve25519-sha256@libssh.org | |
| - diffie-hellman-group-exchange-sha256 | |
| ssh_kex_weak: "{{ ssh_kex_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is this specialized for your environment or can I run this as-is to harden ssh access on my trellis managed DO droplets (Ubuntu 16.04)