-
Notifications
You must be signed in to change notification settings - Fork 71
/
Copy pathopensshd.conf.erb
259 lines (213 loc) · 9.81 KB
/
opensshd.conf.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
<% node['ssh-hardening']['config_disclaimer'].to_s.split("\n").each do |l| %>
# <%= l %>
<% end %>
#---
# This is the ssh client system-wide configuration file.
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
#
# Created for OpenSSH v5.9 up to 6.8
# Basic configuration
# ===================
# Either disable or only allow root login via certificates.
<% if @node['ssh-hardening']['ssh']['server']['allow_root_with_key'] %>
PermitRootLogin without-password
<% else %>
PermitRootLogin no
<% end %>
# Define which port sshd should listen to. Default to `22`.
<% Array(@node['ssh-hardening']['ssh']['ports']).each do |ssh_port| %>
Port <%= ssh_port %>
<% end %>
# Address family should always be limited to the active network configuration.
AddressFamily <%= ((@node['ssh-hardening']['network']['ipv6']['enable']) ? "any" : "inet" ) %>
# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
<% Array(@node['ssh-hardening']['ssh']['server']['listen_to']).each do |ssh_ip| %>
ListenAddress <%= ssh_ip %>
<% end %>
# List HostKeys here.
<% @hostkeys.each do |host_key_file| %>
HostKey <%= host_key_file %> # Req 20
<% end %>
# Security configuration
# ======================
# Set the protocol version to 2 for security reasons. Disables legacy support.
Protocol 2
# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
StrictModes yes
# Logging, obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel <%= @node['ssh-hardening']['ssh']['server']['log_level'].upcase %>
# Cryptography
# ------------
# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
# CBC: is true if you want to connect with OpenSSL-base libraries
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
#
<% if @cipher %>
Ciphers <%= @cipher %>
<% end %>
# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
# Weak HMAC is sometimes required if older package versions are used
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
#
<% if @mac %>
MACs <%= @mac %>
<% end %>
# Alternative setting, if OpenSSH version is below v5.9
#MACs hmac-ripemd160
# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
# Weak kex is sometimes required if older package versions are used
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
<% if @kex %>
KexAlgorithms <%= @kex %>
<% end %>
# Authentication
# --------------
# Secure Login directives.
<% if @version.to_f < 7.4 %>
UseLogin no
<% end %>
<% if @version.to_f < 7.5 %>
UsePrivilegeSeparation <%= @use_priv_sep %>
<% end %>
PermitUserEnvironment no
LoginGraceTime <%= @node['ssh-hardening']['ssh']['server']['login_grace_time'] %>
MaxAuthTries <%= @node['ssh-hardening']['ssh']['server']['max_auth_tries'] %>
MaxSessions <%= @node['ssh-hardening']['ssh']['server']['max_sessions'] %>
MaxStartups <%= @node['ssh-hardening']['ssh']['server']['max_startups'] %>
# Enable public key authentication
PubkeyAuthentication yes
<% if @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
# Customized authorized keys path
AuthorizedKeysFile <%= @node['ssh-hardening']['ssh']['server']['authorized_keys_path'] %>
<% end %>
# Never use host-based authentication. It can be exploited.
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no
# Enable PAM to enforce system wide rules
UsePAM <%= ((@node['ssh-hardening']['ssh']['server']['use_pam']) ? "yes" : "no" ) %>
# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
<% passsword_auth = @node['ssh-hardening']['ssh']['server']['password_authentication'] || !!@node['ssh-hardening']['ssh']['password_authentication'] -%>
PasswordAuthentication <%= (passsword_auth ? "yes" : "no" ) %>
PermitEmptyPasswords no
ChallengeResponseAuthentication <%= (@node['ssh-hardening']['ssh']['server']['challenge_response_authentication'] ? "yes" : "no" ) %>
# Only enable Kerberos authentication if it is configured.
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
#KerberosGetAFSToken no
# Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
<% unless @node['ssh-hardening']['ssh']['server']['deny_users'].empty? %>
DenyUsers <%= @node['ssh-hardening']['ssh']['server']['deny_users'].join(' ') %>
<% else %>
#DenyUsers *
<% end %>
<% unless @node['ssh-hardening']['ssh']['server']['allow_users'].empty? %>
AllowUsers <%= @node['ssh-hardening']['ssh']['server']['allow_users'].join(' ') %>
<% else %>
#AllowUsers user1
<% end %>
<% unless @node['ssh-hardening']['ssh']['server']['deny_groups'].empty? %>
DenyGroups <%= @node['ssh-hardening']['ssh']['server']['deny_groups'].join(' ') %>
<% else %>
#DenyGroups *
<% end %>
<% unless @node['ssh-hardening']['ssh']['server']['allow_groups'].empty? %>
AllowGroups <%= @node['ssh-hardening']['ssh']['server']['allow_groups'].join(' ') %>
<% else %>
#AllowGroups group1
<% end %>
# Network
# -------
# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
TCPKeepAlive no
# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
ClientAliveInterval <%= @node['ssh-hardening']['ssh']['server']['client_alive_interval'] %>
ClientAliveCountMax <%= @node['ssh-hardening']['ssh']['server']['client_alive_count'] %>
# Disable tunneling
PermitTunnel <%= @permit_tunnel %>
# Disable forwarding tcp connections.
# no real advantage without denied shell access
AllowTcpForwarding <%= ((@node['ssh-hardening']['ssh']['server']['allow_tcp_forwarding']) ? 'yes' : 'no' ) %>
# Disable agent formwarding, since local agent could be accessed through forwarded connection.
# no real advantage without denied shell access
AllowAgentForwarding <%= ((@node['ssh-hardening']['ssh']['server']['allow_agent_forwarding']) ? 'yes' : 'no' ) %>
# Do not allow remote port forwardings to bind to non-loopback addresses.
GatewayPorts no
# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
X11Forwarding <%= ((@node['ssh-hardening']['ssh']['server']['allow_x11_forwarding']) ? 'yes' : 'no' ) %>
X11UseLocalhost yes
# Misc. configuration
# ===================
PrintMotd <%= ((@node['ssh-hardening']['ssh']['server']['print_motd']) ? 'yes' : 'no' ) %>
PrintLastLog <%= ((@node['ssh-hardening']['ssh']['server']['print_last_log']) ? 'yes' : 'no' ) %>
Banner <%= @node['ssh-hardening']['ssh']['server']['banner'] ? @node['ssh-hardening']['ssh']['server']['banner'] : 'none' %>
<% if @node['platform_family'] == 'debian' %>
DebianBanner <%= @node['ssh-hardening']['ssh']['server']['os_banner'] ? 'yes' : 'no' %>
<% end %>
<% if @node['ssh-hardening']['ssh']['server']['use_dns'].nil? %>
# Since OpenSSH 6.8, this value defaults to 'no'
#UseDNS no
<% else %>
UseDNS <%= ((@node['ssh-hardening']['ssh']['server']['use_dns']) ? 'yes' : 'no' ) %>
<% end %>
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ChrootDirectory none
#ChrootDirectory /home/%u
<% unless @node['ssh-hardening']['ssh']['server']['accept_env'].empty? %>
# Accept locale environment variables
AcceptEnv <%= @node['ssh-hardening']['ssh']['server']['accept_env'].join(' ') %>
<% end %>
<%- unless @node['ssh-hardening']['ssh']['server']['extras'].empty? %>
# Extra Configuration Options
<%- @node['ssh-hardening']['ssh']['server']['extras'].each do |key, value| %>
<%= key %> <%= value %>
<% end -%>
<% end -%>
<% if @node['ssh-hardening']['ssh']['server']['sftp']['enable'] %>
# Configuration, in case SFTP is used
## override default of no subsystems
## Subsystem sftp /opt/app/openssh5/libexec/sftp-server
Subsystem sftp internal-sftp -l <%= @node['ssh-hardening']['ssh']['server']['sftp']['log_level'] %>
## These lines must appear at the *end* of sshd_config
Match Group <%= @node['ssh-hardening']['ssh']['server']['sftp']['group'] %>
ForceCommand internal-sftp -l <%= @node['ssh-hardening']['ssh']['server']['sftp']['log_level'] %>
ChrootDirectory <%= @node['ssh-hardening']['ssh']['server']['sftp']['chroot'] %>
<% if @node['ssh-hardening']['ssh']['server']['sftp']['authorized_keys_path'] %>
AuthorizedKeysFile <%= @node['ssh-hardening']['ssh']['server']['sftp']['authorized_keys_path'] %>
<% end %>
AllowTcpForwarding no
AllowAgentForwarding no
PasswordAuthentication <%= ((@node['ssh-hardening']['ssh']['server']['sftp']['password_authentication']) ? 'yes' : 'no' ) %>
PermitRootLogin no
X11Forwarding no
<% else %>
# Configuration, in case SFTP is used
## override default of no subsystems
## Subsystem sftp /opt/app/openssh5/libexec/sftp-server
#Subsystem sftp internal-sftp -l VERBOSE
#
## These lines must appear at the *end* of sshd_config
#Match Group sftponly
#ForceCommand internal-sftp -l VERBOSE
#ChrootDirectory /sftpchroot/home/%u
#AuthorizedKeysFile /sftpchroot/home/%u/.ssh/authorized_keys
#AllowTcpForwarding no
#AllowAgentForwarding no
#PasswordAuthentication no
#PermitRootLogin no
#X11Forwarding no
<% end %>
<%- unless @node['ssh-hardening']['ssh']['server']['match_blocks'].empty? %>
# Match Configuration Blocks
<%- @node['ssh-hardening']['ssh']['server']['match_blocks'].each do |key, value| %>
Match <%= key %>
<%= value.split("\n").join("\n ") %>
<% end -%>
<% end -%>