systems/infrastructure
1
Fork 0
Code Issues 1 Pull requests 17 Activity Actions

Harden SSH config

Browse source
This commit is contained in:
Jake Howard 2020-01-28 21:04:26 +00:00
parent 0dbeb64710
commit d61cb64c7e
Signed by: jake
GPG key ID: 57AFB45680EDD477
1 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
ansible/roles/ssh/files/sshd_config
View file

@ -30,8 +30,8 @@ AuthenticationMethods publickey
# Disable root SSH access # Disable root SSH access
PermitRootLogin no PermitRootLogin no
# Client timeout (5 minutes) # Client timeout
ClientAliveInterval 300 ClientAliveInterval 600
ClientAliveCountMax 0 ClientAliveCountMax 0
# Compression (only after authentication) # Compression (only after authentication)
@ -58,9 +58,9 @@ Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@opens
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman) # Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients # DH-SHA-256 included for compat with PuTTY-WinCrypt clients
KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256@libssh.org KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
# Don’t read the user’s ~/.rhosts and ~/.shosts files # Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes IgnoreRhosts yes
# Disable unused authentication schemes # Disable unused authentication schemes
@ -74,7 +74,7 @@ UsePAM no
# X11 support # X11 support
X11Forwarding no X11Forwarding no
# Don’t show Message of the Day # Don't show Message of the Day
PrintMotd yes PrintMotd yes
# TCPKeepAlive (non-tunneled, disabled) # TCPKeepAlive (non-tunneled, disabled)