path: root/ssh-bastion/etc/ssh/sshd_config
# vim:set ft=sshdconfig

# Host keys are read from /srv/ssh/hostkeys. Both an RSA and an Ed25519 key
# are loaded; which signature algorithms are actually offered for them is
# controlled by HostKeyAlgorithms further down.
HostKey /srv/ssh/hostkeys/rsa_key
HostKey /srv/ssh/hostkeys/ed25519_key

# By default SSH attempts to chdir to the logged-in user's home directory. The
# vast majority of users won't have a home directory on the machine, so
# suppress the warning with a chroot.
# NOTE(review): a chroot to "/" gives no filesystem isolation; it is used here
# only for the side effect described above.
ChrootDirectory /

# No users will have home directories and all configs are under control of the
# admin who mounts them from outside of this docker container so there is no
# need to check modes and in fact enabling this will cause failures.
# NOTE(review): with StrictModes off, sshd no longer rejects key files that
# have unsafe ownership or permissions, so the integrity of the
# AuthorizedKeysFile path (/srv/ssh/users/%u/ssh) rests entirely on that mount
# being writable by the admin only. Mounting it read-only would make that
# explicit -- confirm against the container definition.
StrictModes no

# SSH protocol 2 only. Newer OpenSSH releases support nothing else and treat
# this keyword as deprecated; it only has an effect on older daemons.
Protocol 2

# Bind a port above 1024 so we can run ssh as an unprivileged user
Port 4321

# Log to the AUTH syslog facility at INFO level.
# NOTE(review): if more detail on rejected keys is wanted for auditing, the
# next level up is VERBOSE -- confirm what the log pipeline expects.
SyslogFacility AUTH
LogLevel INFO
PidFile /var/run/sshd.pid

# Key-based login only: host-based, rhosts and password authentication are
# all disabled. Each user's authorized keys are read from an admin-managed
# path (%u expands to the login name) instead of a home directory.
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
AuthorizedKeysFile /srv/ssh/users/%u/ssh

# Two-step login: AuthenticationMethods requires a successful public key
# first, then a keyboard-interactive exchange handled by PAM. What that second
# step actually verifies is decided by the PAM stack, which is not part of
# this file. PasswordAuthentication is off above, but a PAM stack can still
# prompt for a password over keyboard-interactive, so review the two together.
# Root may not log in at all.
# ChallengeResponseAuthentication is the older name for
# KbdInteractiveAuthentication in newer OpenSSH releases.
UsePAM yes
PermitRootLogin no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

# The bastion offers no interactive use: never allocate a TTY (see also
# ForceCommand below).
PermitTTY no
# Limit the number of authentication attempts per connection. SSH will log
# failures once attempts reach half this number so this should also log all
# authentication failures as well.
# Every key a client offers counts as an attempt, so a client whose agent
# holds several keys can be disconnected before the right one is tried.
MaxAuthTries 2
# Replace whatever command the client asks for with nologin.
# NOTE(review): ForceCommand does not restrict port forwarding, and
# AllowTcpForwarding is not set globally in this file, so the sshd default
# applies to every user outside the Match block at the end -- presumably
# intentional so the host can act as a jump host; confirm.
ForceCommand /usr/bin/nologin

# This turns off reverse lookups of the originating host which hang sshd on DNS
# timeouts when DNS is down. This also breaks "from=" lines in authorized_keys
# files which must be converted to dotted quad ip addrs.
UseDNS no

# By default SSH doesn't accept any environment variables from the client.  But
# we use this specific variable to pass robot user authentication tokens into
# the system.
# NOTE(review): the line below accepts only locale variables (LANG and
# anything matching LC_*); no token-specific variable is named. Either the
# comment above is stale or tokens are being carried in an LC_* variable --
# confirm. LC_* is a wildcard, so the client chooses both the names and the
# values; anything that reads them must treat them as untrusted input.
AcceptEnv LANG LC_*

# Disconnect after this period of time (in seconds) if the user hasn't
# successfully authenticated. Password authentication is disabled in this
# file, so this bounds the public key plus PAM exchange.
# Each unauthenticated connection can occupy one of the MaxStartups slots for
# up to this long.
LoginGraceTime 120

# Disconnect dead sessions after about 30 minutes without an answer from the
# client. The server sends a keepalive through the encrypted channel every
# 60 seconds and tolerates up to 30 unanswered ones before terminating the
# session. A client that is idle but still reachable answers these, so this is
# a liveness check, not an idle timeout.
ClientAliveInterval 60
ClientAliveCountMax 30

# Don't use TCP keepalives to prevent connections from dying when a temporary
# routing issue occurs.
TCPKeepAlive no

# Allow up to 100 simultaneous unauthenticated connections.  Any connections
# beyond that limit will be dropped.
# The single-number form is a hard cap; no connections are dropped
# probabilistically before the limit is reached.
MaxStartups 100

# The maximum number of sessions which can be served on one multiplexing
# connection. ssh does not fail gracefully when this number is exceeded, so we
# keep it high.
MaxSessions 100

# No X11 forwarding through the bastion, and no message of the day.
X11Forwarding no
PrintMotd no

# Use hardened crypto algorithms
#
# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# And also: https://access.redhat.com/discussions/3121481
# And also: https://infosec.mozilla.org/guidelines/openssh
# Validated by: https://sshcheck.com/
#
# Each list is in preference order. The AEAD ciphers and encrypt-then-MAC
# (-etm) MACs come first; the CTR ciphers and the non-etm MACs at the end of
# the lists are fallbacks.
# NOTE(review): these lists are pinned by hand, so they do not pick up
# algorithms added or retired by later OpenSSH releases. Re-check them against
# the deployed version: "sshd -T" prints the effective values and
# "ssh -Q kex", "ssh -Q cipher", "ssh -Q mac" list what the build supports.
# The strength of diffie-hellman-group-exchange-sha256 also depends on the
# moduli file shipped in the image -- confirm it contains no short moduli.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Ed25519 and RSA with SHA-2 signatures only, matching the two HostKey files.
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
# These may be needed for older ssh clients but use SHA1 so are discouraged
#HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com

# Enable gateway ports for phone-home bastions so that administrators can
# connect back to the forwarded ports without needing ssh access to the bastion
# host itself. Also locks down what can be forwarded and to where.
#
# For the phonehome account only:
#   - a public key alone is sufficient; this overrides the global
#     AuthenticationMethods, so the PAM step is skipped for this account;
#   - only remote forwards are allowed, and PermitOpen none additionally
#     refuses every local-forward destination;
#   - GatewayPorts yes makes the forwarded listeners bind on all interfaces
#     instead of loopback only.
# NOTE(review): nothing here limits which ports phonehome may listen on. The
# exposure is bounded only by sshd running unprivileged (no ports below 1024)
# and by whatever firewalling or port publishing surrounds the container.
# PermitListen, where the deployed OpenSSH supports it, can pin the allowed
# listen ports -- confirm. Since this account has a single factor, its
# authorized keys file deserves the tightest control.
Match user phonehome
    GatewayPorts yes
    AuthenticationMethods publickey
    AllowTcpForwarding remote
    PermitOpen none
# Close the conditional block so that anything appended after this line
# applies to all users again.
Match all