euank/sshd-non-socket.ign.clc

## sshd-non-socket.ign.clc
storage:
  files:
  - filesystem: root
    mode: 420
    path: /etc/ssh/sshd_config
    contents:
      inline: |-
        # From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
        # Supported HostKey algorithms by order of preference.
        HostKey /etc/ssh/ssh_host_ed25519_key
        HostKey /etc/ssh/ssh_host_rsa_key
        HostKey /etc/ssh/ssh_host_ecdsa_key

        KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

        # Password based logins are disabled - only public key based logins are allowed.
        AuthenticationMethods publickey

        # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
        LogLevel VERBOSE

        # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
        Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

        # Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
        #
        # On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
        # Additionally, only tools such as systemd and auditd record the process session id.
        # On other OSes, the user session id is not necessarily recorded at all kernel-side.
        # Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
        PermitRootLogin No

        # Use kernel sandbox mechanisms where possible in unprivilegied processes
        # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
        UsePrivilegeSeparation sandbox
        Port 222
        AllowUsers core
systemd:
  units:
  - name: sshd.socket
    mask: true
  - name: sshd.service
    enable: true
    contents: |-
      [Unit]
      Description=OpenSSH server
      [Service]
      ExecStart=/usr/sbin/sshd -D -e
      ExecReload=/bin/kill -HUP $MAINPID
      Restart=on-failure
      RestartSec=30s
      [Install]
      WantedBy=multi-user.target
	storage:
	files:
	- filesystem: root
	mode: 420
	path: /etc/ssh/sshd_config
	contents:
	inline: \|-
	# From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
	# Supported HostKey algorithms by order of preference.
	HostKey /etc/ssh/ssh_host_ed25519_key
	HostKey /etc/ssh/ssh_host_rsa_key
	HostKey /etc/ssh/ssh_host_ecdsa_key

	KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

	# Password based logins are disabled - only public key based logins are allowed.
	AuthenticationMethods publickey

	# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
	LogLevel VERBOSE

	# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
	Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

	# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
	#
	# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
	# Additionally, only tools such as systemd and auditd record the process session id.
	# On other OSes, the user session id is not necessarily recorded at all kernel-side.
	# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
	PermitRootLogin No

	# Use kernel sandbox mechanisms where possible in unprivilegied processes
	# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
	UsePrivilegeSeparation sandbox
	Port 222
	AllowUsers core
	systemd:
	units:
	- name: sshd.socket
	mask: true
	- name: sshd.service
	enable: true
	contents: \|-
	[Unit]
	Description=OpenSSH server
	[Service]
	ExecStart=/usr/sbin/sshd -D -e
	ExecReload=/bin/kill -HUP $MAINPID
	Restart=on-failure
	RestartSec=30s
	[Install]
	WantedBy=multi-user.target