author | Mike Crute <mike@crute.us> | 2018-11-24 17:50:17 +0000 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2018-11-24 17:50:17 +0000 |
commit | 8317d24796a41b0f27ae4132e25bde0b7b57eb96 (patch) | |
tree | ee370a17d60fb52fa6e5c5c8d2a669dda4f64840 /ssh-bastion | |
parent | 7bb05ebac64ee0dacc2f60e913fb4398ce92c30e (diff) | |
Harden ssh settings
Diffstat (limited to 'ssh-bastion')
-rw-r--r-- | ssh-bastion/etc/ssh/sshd_config | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ssh-bastion/etc/ssh/sshd_config b/ssh-bastion/etc/ssh/sshd_config index 29594c7..b15777d 100644 --- a/ssh-bastion/etc/ssh/sshd_config +++ b/ssh-bastion/etc/ssh/sshd_config | |||
@@ -81,9 +81,13 @@ PrintMotd no | |||
81 | # Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html | 81 | # Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html |
82 | # And also: https://access.redhat.com/discussions/3121481 | 82 | # And also: https://access.redhat.com/discussions/3121481 |
83 | # And also: https://infosec.mozilla.org/guidelines/openssh | 83 | # And also: https://infosec.mozilla.org/guidelines/openssh |
84 | # Validated by: https://sshcheck.com/ | ||
84 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | 85 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 |
85 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | 86 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
86 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | 87 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
88 | HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com | ||
89 | # These may be needed for older ssh clients but use SHA1 so are discouraged | ||
90 | #HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com | ||
87 | 91 | ||
88 | # Enable gateway ports for phone-home bastions so that administrators can | 92 | # Enable gateway ports for phone-home bastions so that administrators can |
89 | # connect back to the forwarded ports without needing ssh access to the bastion | 93 | # connect back to the forwarded ports without needing ssh access to the bastion |
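Review bot: the new HostKeyAlgorithms line only constrains which signature algorithms the server will use for its own host key; it does not restrict the key types accepted for user public-key authentication, so ssh-rsa (SHA-1) signatures on client keys are still accepted by this hunk. The matching directive is PubkeyAcceptedKeyTypes (available in the OpenSSH releases current at the time of this commit), e.g. `PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256`, placed next to HostKeyAlgorithms with the same SHA-1 caveat as the commented-out fallback line. Separately, because diffie-hellman-group-exchange-sha256 remains in KexAlgorithms, the stribika guide cited in the comment block also expects /etc/ssh/moduli to be pruned of groups smaller than 2048 bits; that file is not touched here, so it would help to note in the commit message whether the image ships a trimmed moduli or relies on the base image's default.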