diff options
| author | Mike Crute <mike@crute.us> | 2018-11-24 17:50:17 +0000 |
|---|---|---|
| committer | Mike Crute <mike@crute.us> | 2018-11-24 17:50:17 +0000 |
| commit | 8317d24796a41b0f27ae4132e25bde0b7b57eb96 (patch) | |
| tree | ee370a17d60fb52fa6e5c5c8d2a669dda4f64840 /ssh-bastion | |
| parent | 7bb05ebac64ee0dacc2f60e913fb4398ce92c30e (diff) | |
| download | dockerfiles-8317d24796a41b0f27ae4132e25bde0b7b57eb96.tar.bz2 dockerfiles-8317d24796a41b0f27ae4132e25bde0b7b57eb96.tar.xz dockerfiles-8317d24796a41b0f27ae4132e25bde0b7b57eb96.zip | |
Harden ssh settings
Diffstat (limited to 'ssh-bastion')
| -rw-r--r-- | ssh-bastion/etc/ssh/sshd_config | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ssh-bastion/etc/ssh/sshd_config b/ssh-bastion/etc/ssh/sshd_config index 29594c7..b15777d 100644 --- a/ssh-bastion/etc/ssh/sshd_config +++ b/ssh-bastion/etc/ssh/sshd_config | |||
| @@ -81,9 +81,13 @@ PrintMotd no | |||
| 81 | # Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html | 81 | # Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html |
| 82 | # And also: https://access.redhat.com/discussions/3121481 | 82 | # And also: https://access.redhat.com/discussions/3121481 |
| 83 | # And also: https://infosec.mozilla.org/guidelines/openssh | 83 | # And also: https://infosec.mozilla.org/guidelines/openssh |
| 84 | # Validated by: https://sshcheck.com/ | ||
| 84 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | 85 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 |
| 85 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | 86 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| 86 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | 87 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
| 88 | HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com | ||
| 89 | # These may be needed for older ssh clients but use SHA1 so are discouraged | ||
| 90 | #HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com | ||
| 87 | 91 | ||
| 88 | # Enable gateway ports for phone-home bastions so that administrators can | 92 | # Enable gateway ports for phone-home bastions so that administrators can |
| 89 | # connect back to the forwarded ports without needing ssh access to the bastion | 93 | # connect back to the forwarded ports without needing ssh access to the bastion |