Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fix/14704
dependabot/pip/ansible-9.4.0
master
dependabot/github_actions/actions/setup-python-5.1.0
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3e3d7c6fa7'
${ noResults }
algo/roles/security/templates/sshd_config.j2

57 lines
2.0 KiB
Django/Jinja
Raw Blame History

Port 22
# ListenAddress ::
# ListenAddress 0.0.0.0
Protocol 2
# LogLevel VERBOSE logs user's key fingerprint on login.
# Needed to have a clear audit log of which keys were used to log in.
SyslogFacility AUTH
LogLevel VERBOSE
# Use kernel sandbox mechanisms where possible
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox
# Handy for keeping network connections alive
TCPKeepAlive yes
ClientAliveInterval 120
# Authentication
UsePAM yes
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
AcceptEnv LANG LC_*
# Turn off a lot of features
IgnoreRhosts yes
RhostsRSAAuthentication no
RSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
UseDNS no
# Do not enable sftp
# If you DO enable it, use this line to log which files sftp users read/write
# Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
# This makes ansible faster
PrintMotd no
PrintLastLog yes
# Use only modern host keys
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Use only modern ciphers
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# TODO: I haven't seen anyone review these yet
# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# TODO: I haven't seen anyone review these yet
# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
Reference in New Issue View Git Blame Copy Permalink