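# Hardened SSH Configuration (sshd_config, rendered from a Jinja template)
#
# sshd uses the FIRST value it reads for each keyword and ignores later
# duplicates, so every keyword in this file is set exactly once.

# Protocol version
# Current OpenSSH accepts this keyword but ignores it (protocol 1 support was
# removed); it is kept only for older hosts.
Protocol 2

# Address family (IPv4 only; no IPv6 listeners are created)
AddressFamily inet

# Supported authentication methods
# Only public-key authentication can complete a login, independent of the
# per-method switches below.
AuthenticationMethods publickey

# Authentication
PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# Keyboard-interactive (PAM challenge) prompts are off. Newer OpenSSH names
# this keyword KbdInteractiveAuthentication and still accepts the old name.
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# PAM remains in use for account and session handling; it cannot be used for
# passwords because password/challenge authentication is disabled above.
UsePAM yes
{% if ssh_authorized_keys_fallback_enabled %}
# Second, administrator-managed key location: /etc/ssh/authorized_keys/<user>.
# With StrictModes the directory and file must be owned by root or the user
# and not writable by group/others, or the keys are refused.
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
{% else %}
AuthorizedKeysFile .ssh/authorized_keys
{% endif %}

# Login timeout, idle timeout and connection rate limiting
LoginGraceTime 30s
# An idle session is dropped after ClientAliveInterval * ClientAliveCountMax
# seconds without a client response: 300 * 2 = 600 s (10 minutes).
# (An earlier revision repeated both keywords further down with
# ClientAliveCountMax 12 under an "Idle timeout (1 hour)" heading. Because sshd
# keeps the first value, that block never took effect; it has been removed and
# the effective 10-minute timeout is kept.)
ClientAliveInterval 300
ClientAliveCountMax 2
# Unauthenticated connections: start randomly dropping at 10 (30% chance),
# refuse all new ones at 60.
MaxStartups 10:30:60

# Forwarding
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTTY yes

# User environment
PermitUserEnvironment no

# Logging and auditing
SyslogFacility AUTH
# VERBOSE records the fingerprint of the key used for each login.
LogLevel VERBOSE

# Banner (shown before authentication; the file is expected to exist on the host)
Banner /etc/ssh/banner

# SFTP
Subsystem sftp internal-sftp

# Restrict access to specific users/groups (customize as needed)
# ssh_users may be a space-separated string or a list; a list is joined with
# spaces so it does not render as a Python list literal.
AllowUsers {{ ssh_users if ssh_users is string else ssh_users | join(' ') }}
# AllowGroups sshusers wheel

# Other security settings
HostbasedAuthentication no
IgnoreRhosts yes
PermitUserRC no
StrictModes yes
Compression no
{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
# Privilege separation is always enabled from OpenSSH 7.5 on, where this
# keyword is deprecated (logged and ignored); it only has an effect on older
# releases.
UsePrivilegeSeparation sandbox
{% endif %}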