From 164d86761e6b2f6f9a69edc56a9699ed8daffd19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 8 Jan 2015 11:47:18 +0100
Subject: [PATCH] restrict ssh ciphers
---
 roles/container/tasks/ssh.yml | 4 ++--
 roles/container/templates/ssh_config.j2 | 4 ++++
 roles/container/templates/sshd_config.j2 | 9 +++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 roles/container/templates/ssh_config.j2
diff --git a/roles/container/tasks/ssh.yml b/roles/container/tasks/ssh.yml
index 674354b..0a8d3da 100644
--- a/roles/container/tasks/ssh.yml
+++ b/roles/container/tasks/ssh.yml
@@ -2,8 +2,8 @@
   pacman: name=openssh state=present
 - name: Write sshd_config
   template: src=sshd_config.j2 dest=/etc/ssh/sshd_config mode=0644
-- name: symlink /dev/pts/ptmx to /dev/ptmx for sshd pty
-  file: src=/dev/pts/ptmx dest=/dev/ptmx state=link
+- name: Write ssh_config
+  template: src=ssh_config.j2 dest=/etc/ssh/ssh_config mode=0644
 - name: create link-ptmx.service
   copy: src=link-ptmx.service dest=/etc/systemd/system/link-ptmx.service mode=0644
 - name: enable link-ptmx.service
diff --git a/roles/container/templates/ssh_config.j2 b/roles/container/templates/ssh_config.j2
new file mode 100644
index 0000000..0730872
--- /dev/null
+++ b/roles/container/templates/ssh_config.j2
@@ -0,0 +1,4 @@
+Host *
+ KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
diff --git a/roles/container/templates/sshd_config.j2 b/roles/container/templates/sshd_config.j2
index 50806c0..8969b98 100644
--- a/roles/container/templates/sshd_config.j2
+++ b/roles/container/templates/sshd_config.j2
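Review bot: The new `Write ssh_config` task, like the `Write sshd_config` task directly above it, renders the file with no `validate=` step, and after this commit sshd_config carries hand-typed KexAlgorithms/Ciphers/MACs lists where a single misspelled algorithm name makes sshd refuse to start on its next restart and locks the container out. Adding `validate='/usr/bin/sshd -t -f %s'` to the sshd_config task catches that at deploy time (note `sshd -t` also needs the host keys to exist, so it may have to run after the first sshd start on a fresh Arch container). The client side has no equally cheap check in the OpenSSH of this era, so a comment on the new task such as `# a bad algorithm name here breaks every outgoing ssh from the container` is the least that should be said. Dropping the direct `/dev/ptmx` symlink task leaves that link to link-ptmx.service, which this hunk only shows being installed and enabled; whether it is also started during first provisioning is outside the hunk.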
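Review bot: The MACs line still offers `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, a legacy digest that a deliberately tightened list has no reason to keep, and since the client's order drives the negotiation a peer lacking the SHA-2 MACs ends up on it rather than failing. Suggest `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com`. Because this is a `Host *` block in the system-wide ssh_config, it governs every outgoing connection from the container, and any peer that only speaks the removed KEX or ciphers becomes unreachable with a bare "no matching ... found" error; a header comment like `# System-wide hardening: peers without curve25519/DH-GEX-SHA256 and CTR/chacha20 ciphers cannot be reached from here` would save the next person a debugging session.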
@@ -4,9 +4,10 @@ Port 22
 AuthorizedKeysCommand /usr/lib/openssh-ldap-helper/openssh-ldap-helper
 AuthorizedKeysCommandUser root
 {% else %}
-AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
 {% endif %}
+PermitRootLogin no
 PasswordAuthentication no
 ChallengeResponseAuthentication no
@@ -14,4 +15,8 @@ UsePAM yes
 PrintMotd no
 UsePrivilegeSeparation sandbox
-Subsystem sftp /usr/lib/ssh/sftp-server
+Subsystem sftp usr/lib/ssh/sftp-server
+
+
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
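Review bot: The rewritten Subsystem line in the second hunk drops the leading slash, turning `/usr/lib/ssh/sftp-server` into the relative path `usr/lib/ssh/sftp-server`; sshd runs the subsystem command through the user's shell from the session's working directory, so every sftp session will fail with an exec error, and `sshd -t` will not flag it because it never checks that the command exists. Restore it as `Subsystem sftp /usr/lib/ssh/sftp-server` (or use `Subsystem sftp internal-sftp`, which needs no path at all). The added MACs list also carries `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, which have no place in a list whose purpose is to restrict; the server-side list should match whatever the client template settles on so the two files do not drift.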