author | Mike Crute <mcrute@gmail.com> | 2017-01-25 05:10:21 +0000 |
---|---|---|
committer | Mike Crute <mcrute@gmail.com> | 2017-01-25 05:10:21 +0000 |
commit | 36c74ae68f977335477fefd6d56058fbbce5c14d (patch) | |
tree | 155c1a838a62f3b8b7e9f2dd565c5a0da0242a4a /ssh-bastion | |
parent | 23f411a3cbed26f6f57299596657c2bc56f54256 (diff) | |
Hardening and support phone-home users
Diffstat (limited to 'ssh-bastion')
-rw-r--r-- | ssh-bastion/etc/sshd_config | 40 |
1 files changed, 30 insertions, 10 deletions
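--- a/ssh-bastion/etc/sshd_config
+++ b/ssh-bastion/etc/sshd_config
@@ -1,7 +1,6 @@
 # vim:set ft=sshdconfig
 
 HostKey /srv/ssh/hostkeys/rsa_key
-HostKey /srv/ssh/hostkeys/ecdsa_key
 HostKey /srv/ssh/hostkeys/ed25519_key
 
 # By default SSH attempts to chdir to the logged-in user's home directory. The
@@ -14,18 +13,11 @@ Protocol 2
 # Bind a port above 1024 so we can run ssh as an unpriviledged user
 Port 4321
 
-PermitTTY no
-#ForceCommand /bin/false
-
 SyslogFacility AUTH
 LogLevel INFO
 PrintLastLog yes
-
-PidFile /var/run/sshd.pid
-
 StrictModes yes
-
-AuthorizedKeysFile /srv/ssh/users/%u/ssh
+PidFile /var/run/sshd.pid
 
 PubkeyAuthentication yes
 HostbasedAuthentication no
@@ -33,6 +25,7 @@ IgnoreRhosts yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 RhostsRSAAuthentication no
+AuthorizedKeysFile /srv/ssh/users/%u/ssh
 
 UsePAM yes
 UseLogin no
@@ -40,13 +33,24 @@ PermitRootLogin no
 ChallengeResponseAuthentication yes
 AuthenticationMethods publickey,keyboard-interactive:pam
 
+# Limit the number of authentication attemps per connection. SSH will log
+# failues once attempts reach half this number so this should also log all
+# authentication failures as well.
+PermitTTY no
+MaxAuthTries 2
+ForceCommand /usr/bin/nologin
+
+# Disable all interactive sessions. Users will still be allowed to jump through
+# the host but not be allowed to login or run any commands.
+MaxSessions 0
+
 # Use an unprivileged child process to accept connections and
 # authenticate the user before spinning up another process as
 # the user.
 UsePrivilegeSeparation yes
 
 # This turns off reverse lookups of the originating host which hang sshd
 # on DNS timeouts when DNS is down. This also breaks "from=" lines in
 # authorizd_keys files which must be converted to dotted quad ip addrs.
 UseDNS no
 
@@ -76,3 +80,19 @@ MaxSessions 100
 
 X11Forwarding no
 PrintMotd no
+
+# Used hardened crypto algorithms
+# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+# Enable gateway ports for phone-home bastions so that administrators can
+# connect back to the forwarded ports without needing ssh access to the bastion
+# host itself. Also locks down what can be forwarded and to where.
+Match user phonehome
+GatewayPorts yes
+AuthenticationMethods publickey
+AllowTcpForwarding remote
+PermitOpen none
+Match all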
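Review bot: The new `MaxSessions 0` (new line 45 in the `@@ -40,13 +33,24 @@` hunk) is contradicted by a `MaxSessions 100` that remains later in the file, visible as the context of the `@@ -76,3 +80,19 @@` header; sshd takes the first value it reads for a keyword, so 0 should win, but the stale line should be deleted so the effective setting is unambiguous to the next reader. `MaxAuthTries 2` together with the two-factor `AuthenticationMethods publickey,keyboard-interactive:pam` is tight in practice, because each public key a client offers that is not in the authorized_keys file counts as a failed try, so users with several keys loaded in an agent can be disconnected before the right one is offered; worth stating next to it, e.g. `# NOTE: clients offering more than two keys are disconnected; users should set IdentitiesOnly`. The new comment at lines 36-38 also overstates the logging effect: sshd raises the log level only once failures reach half of MaxAuthTries, so with 2 the first failure is probably still logged at VERBOSE rather than the configured INFO level. In the last hunk, the `Match user phonehome` block silently drops the keyboard-interactive factor for that user; a one-line comment giving the reason (an unattended phone-home device cannot answer PAM prompts) would stop a later cleanup from "fixing" it back, and the referenced guide also expects the `diffie-hellman-group-exchange-sha256` choice to be paired with a pruned moduli file, which this commit does not show.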