Created
May 8, 2017 21:01
-
-
Save euank/0cd36fff918e84224a95b1bc86b6b4f0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
storage: | |
files: | |
- filesystem: root | |
mode: 420 | |
path: /etc/ssh/sshd_config | |
contents: | |
inline: |- | |
# From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29 | |
# Supported HostKey algorithms by order of preference. | |
HostKey /etc/ssh/ssh_host_ed25519_key | |
HostKey /etc/ssh/ssh_host_rsa_key | |
HostKey /etc/ssh/ssh_host_ecdsa_key | |
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 | |
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
# Password based logins are disabled - only public key based logins are allowed. | |
AuthenticationMethods publickey | |
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | |
LogLevel VERBOSE | |
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. | |
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO | |
# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user: | |
# | |
# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH. | |
# Additionally, only tools such as systemd and auditd record the process session id. | |
# On other OSes, the user session id is not necessarily recorded at all kernel-side. | |
# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track. | |
PermitRootLogin No | |
# Use kernel sandbox mechanisms where possible in unprivilegied processes | |
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. | |
UsePrivilegeSeparation sandbox | |
Port 222 | |
AllowUsers core | |
systemd: | |
units: | |
- name: sshd.socket | |
mask: true | |
- name: sshd.service | |
enable: true | |
contents: |- | |
[Unit] | |
Description=OpenSSH server | |
[Service] | |
ExecStart=/usr/sbin/sshd -D -e | |
ExecReload=/bin/kill -HUP $MAINPID | |
Restart=on-failure | |
RestartSec=30s | |
[Install] | |
WantedBy=multi-user.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment