Diffstat (limited to 'ssh-bastion/etc/ssh/sshd_config')
-rw-r--r-- | ssh-bastion/etc/ssh/sshd_config | 101 |
1 files changed, 0 insertions, 101 deletions
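--- a/ssh-bastion/etc/ssh/sshd_config
+++ /dev/null
@@ -1,101 +0,0 @@
-# vim:set ft=sshdconfig
-
-HostKey /srv/ssh/hostkeys/rsa_key
-HostKey /srv/ssh/hostkeys/ed25519_key
-
-# By default SSH attempts to chdir to the logged-in user's home directory. The
-# vast majority of users won't have a home directory on the machine, so
-# suppress the warning with a chroot.
-ChrootDirectory /
-
-# No users will have home directories and all configs are under control of the
-# admin who mounts them from outside of this docker container so there is no
-# need to check modes and in-fact enabling this will cause failures.
-StrictModes no
-
-Protocol 2
-
-# Bind a port above 1024 so we can run ssh as an unpriviledged user
-Port 4321
-
-SyslogFacility AUTH
-LogLevel INFO
-PidFile /var/run/sshd.pid
-
-PubkeyAuthentication yes
-HostbasedAuthentication no
-IgnoreRhosts yes
-PasswordAuthentication no
-PermitEmptyPasswords no
-AuthorizedKeysFile /srv/ssh/users/%u/ssh
-
-UsePAM yes
-PermitRootLogin no
-ChallengeResponseAuthentication yes
-AuthenticationMethods publickey,keyboard-interactive:pam
-
-# Limit the number of authentication attemps per connection. SSH will log
-# failues once attempts reach half this number so this should also log all
-# authentication failures as well.
-PermitTTY no
-MaxAuthTries 2
-ForceCommand /usr/bin/nologin
-
-# This turns off reverse lookups of the originating host which hang sshd on DNS
-# timeouts when DNS is down. This also breaks "from=" lines in authorizd_keys
-# files which must be converted to dotted quad ip addrs.
-UseDNS no
-
-# By default SSH doesn't accept any environment variables from the client. But
-# we use this specific variable to pass robot user authentication tokens into
-# the system.
-AcceptEnv LANG LC_*
-
-# Disconnect after this period of time if the user hasn't provided a correct
-# password.
-LoginGraceTime 120
-
-# Disconnect dead sessions after 30 minutes of inactivity. The server will send
-# a keepalive every minutes and tolerate up to 30 failures before terminating
-# the session.
-ClientAliveInterval 60
-ClientAliveCountMax 30
-
-# Don't use TCP keepalives to prevent connections from dying when a temporary
-# routing issue occurs.
-TCPKeepAlive no
-
-# Allow up to 100 simultaneous unauthenticated connections. Any connections
-# beyond that limit will be dropped.
-MaxStartups 100
-
-# The maxiumum number of sessions which can be served on one multi-plexing
-# connection. ssh does not fail gracefully when this number is exceeded, so we
-# keep it high.
-MaxSessions 100
-
-X11Forwarding no
-PrintMotd no
-
-# Used hardened crypto algorithms
-#
-# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# And also: https://access.redhat.com/discussions/3121481
-# And also: https://infosec.mozilla.org/guidelines/openssh
-# Validated by: https://sshcheck.com/
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
-# These may be needed for older ssh clients but use SHA1 so are discouraged
-#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com
-
-# Enable gateway ports for phone-home bastions so that administrators can
-# connect back to the forwarded ports without needing ssh access to the bastion
-# host itself. Also locks down what can be forwarded and to where.
-Match user phonehome
-GatewayPorts yes
-AuthenticationMethods publickey
-AllowTcpForwarding remote
-PermitOpen none
-Match all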