1 files changed, 0 insertions, 101 deletions
diff --git a/ssh-bastion/etc/ssh/sshd_config b/ssh-bastion/etc/ssh/sshd_config
deleted file mode 100644
index fbe71c6..0000000
--- a/ssh-bastion/etc/ssh/sshd_config
+++ /dev/null
@@ -1,101 +0,0 @@
-# vim:set ft=sshdconfig
-HostKey /srv/ssh/hostkeys/rsa_key
-HostKey /srv/ssh/hostkeys/ed25519_key
-# By default SSH attempts to chdir to the logged-in user's home directory. The
-# vast majority of users won't have a home directory on the machine, so
-# suppress the warning with a chroot.
-ChrootDirectory /
-# No users will have home directories and all configs are under control of the
-# admin who mounts them from outside of this docker container so there is no
-# need to check modes and in-fact enabling this will cause failures.
-StrictModes no
-Protocol 2
-# Bind a port above 1024 so we can run ssh as an unpriviledged user
-Port 4321
-SyslogFacility AUTH
-LogLevel INFO
-PidFile /var/run/sshd.pid
-PubkeyAuthentication yes
-HostbasedAuthentication no
-IgnoreRhosts yes
-PasswordAuthentication no
-PermitEmptyPasswords no
-AuthorizedKeysFile /srv/ssh/users/%u/ssh
-UsePAM yes
-PermitRootLogin no
-ChallengeResponseAuthentication yes
-AuthenticationMethods publickey,keyboard-interactive:pam
-# Limit the number of authentication attemps per connection. SSH will log
-# failues once attempts reach half this number so this should also log all
-# authentication failures as well.
-PermitTTY no
-MaxAuthTries 2
-ForceCommand /usr/bin/nologin
-# This turns off reverse lookups of the originating host which hang sshd on DNS
-# timeouts when DNS is down. This also breaks "from=" lines in authorizd_keys
-# files which must be converted to dotted quad ip addrs.
-UseDNS no
-# By default SSH doesn't accept any environment variables from the client.  But
-# we use this specific variable to pass robot user authentication tokens into
-# the system.
-AcceptEnv LANG LC_*
-# Disconnect after this period of time if the user hasn't provided a correct
-# password.
-LoginGraceTime 120
-# Disconnect dead sessions after 30 minutes of inactivity. The server will send
-# a keepalive every minutes and tolerate up to 30 failures before terminating
-# the session.
-ClientAliveInterval 60
-ClientAliveCountMax 30
-# Don't use TCP keepalives to prevent connections from dying when a temporary
-# routing issue occurs.
-TCPKeepAlive no
-# Allow up to 100 simultaneous unauthenticated connections.  Any connections
-# beyond that limit will be dropped.
-MaxStartups 100
-# The maxiumum number of sessions which can be served on one multi-plexing
-# connection. ssh does not fail gracefully when this number is exceeded, so we
-# keep it high.
-MaxSessions 100
-X11Forwarding no
-PrintMotd no
-# Used hardened crypto algorithms
-#
-# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# And also: https://access.redhat.com/discussions/3121481
-# And also: https://infosec.mozilla.org/guidelines/openssh
-# Validated by: https://sshcheck.com/
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
-# These may be needed for older ssh clients but use SHA1 so are discouraged
-#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com
-# Enable gateway ports for phone-home bastions so that administrators can
-# connect back to the forwarded ports without needing ssh access to the bastion
-# host itself. Also locks down what can be forwarded and to where.
-Match user phonehome
-    GatewayPorts yes
-    AuthenticationMethods publickey
-    AllowTcpForwarding remote
-    PermitOpen none
-Match all

diff --git a/ssh-bastion/etc/ssh/sshd_config b/ssh-bastion/etc/ssh/sshd_config deleted file mode 100644 index fbe71c6..0000000 --- a/ssh-bastion/etc/ssh/sshd_config +++ /dev/null
@@ -1,101 +0,0 @@
1	# vim:set ft=sshdconfig
2
3	HostKey /srv/ssh/hostkeys/rsa_key
4	HostKey /srv/ssh/hostkeys/ed25519_key
5
6	# By default SSH attempts to chdir to the logged-in user's home directory. The
7	# vast majority of users won't have a home directory on the machine, so
8	# suppress the warning with a chroot.
9	ChrootDirectory /
10
11	# No users will have home directories and all configs are under control of the
12	# admin who mounts them from outside of this docker container so there is no
13	# need to check modes and in-fact enabling this will cause failures.
14	StrictModes no
15
16	Protocol 2
17
18	# Bind a port above 1024 so we can run ssh as an unpriviledged user
19	Port 4321
20
21	SyslogFacility AUTH
22	LogLevel INFO
23	PidFile /var/run/sshd.pid
24
25	PubkeyAuthentication yes
26	HostbasedAuthentication no
27	IgnoreRhosts yes
28	PasswordAuthentication no
29	PermitEmptyPasswords no
30	AuthorizedKeysFile /srv/ssh/users/%u/ssh
31
32	UsePAM yes
33	PermitRootLogin no
34	ChallengeResponseAuthentication yes
35	AuthenticationMethods publickey,keyboard-interactive:pam
36
37	# Limit the number of authentication attemps per connection. SSH will log
38	# failues once attempts reach half this number so this should also log all
39	# authentication failures as well.
40	PermitTTY no
41	MaxAuthTries 2
42	ForceCommand /usr/bin/nologin
43
44	# This turns off reverse lookups of the originating host which hang sshd on DNS
45	# timeouts when DNS is down. This also breaks "from=" lines in authorizd_keys
46	# files which must be converted to dotted quad ip addrs.
47	UseDNS no
48
49	# By default SSH doesn't accept any environment variables from the client. But
50	# we use this specific variable to pass robot user authentication tokens into
51	# the system.
52	AcceptEnv LANG LC_*
53
54	# Disconnect after this period of time if the user hasn't provided a correct
55	# password.
56	LoginGraceTime 120
57
58	# Disconnect dead sessions after 30 minutes of inactivity. The server will send
59	# a keepalive every minutes and tolerate up to 30 failures before terminating
60	# the session.
61	ClientAliveInterval 60
62	ClientAliveCountMax 30
63
64	# Don't use TCP keepalives to prevent connections from dying when a temporary
65	# routing issue occurs.
66	TCPKeepAlive no
67
68	# Allow up to 100 simultaneous unauthenticated connections. Any connections
69	# beyond that limit will be dropped.
70	MaxStartups 100
71
72	# The maxiumum number of sessions which can be served on one multi-plexing
73	# connection. ssh does not fail gracefully when this number is exceeded, so we
74	# keep it high.
75	MaxSessions 100
76
77	X11Forwarding no
78	PrintMotd no
79
80	# Used hardened crypto algorithms
81	#
82	# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
83	# And also: https://access.redhat.com/discussions/3121481
84	# And also: https://infosec.mozilla.org/guidelines/openssh
85	# Validated by: https://sshcheck.com/
86	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
87	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
88	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
89	HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
90	# These may be needed for older ssh clients but use SHA1 so are discouraged
91	#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com
92
93	# Enable gateway ports for phone-home bastions so that administrators can
94	# connect back to the forwarded ports without needing ssh access to the bastion
95	# host itself. Also locks down what can be forwarded and to where.
96	Match user phonehome
97	GatewayPorts yes
98	AuthenticationMethods publickey
99	AllowTcpForwarding remote
100	PermitOpen none
101	Match all