etc/ssh: cut sshd_config into multiple .confs

2021-01-30 21:31:38 +02:00 · 2021-01-30 21:31:38 +02:00 · 0572613d99
parent c5fa3daf29
commit 0572613d99
4 changed files with 17 additions and 103 deletions
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
@ -1,102 +1,4 @@
-# OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to
-# be more clear and if they are missed some day, just download
-# upstream config file or take it from any distribution.
-
-# Partially based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
-# where some comments are took. Some options look like I don't want to
-# change them to get updates when defaults change.
-
-# Allow the client to send needed environment variables. I don't like
-# setting wildcards and LC_ALL is disabled on purpouse.
-AcceptEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ
-
-# IPv4 & IPv6
-AddressFamily any
-
-# Password based logins are disabled - only public key based logins are
-# allowed.
-AuthenticationMethods publickey
-
-# The default is to check both .ssh/authorized_keys and
-# .ssh/authorized_keys2 but this is overridden so installations will only
-# check .ssh/authorized_keys.
-AuthorizedKeysFile  .ssh/authorized_keys
-
-# File to send to client before authentication.
-Banner /etc/issue.net
-
-# Disable s/key passwords.
-ChallengeResponseAuthentication no
-
-# If the client doesn't reply in three "pings", connection is dead.
-# Defaults to 3 anyway, but I add it here for clearity and
-# in case it decides to change in the future.
-ClientAliveCountMax 3
-
-# "ping" the client every minute.
-ClientAliveInterval 60
-
-# HostKeys for protocol version 2.
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_rsa_key
-
-## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT:
-# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
-# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
-
-# Listen on the following TCP ports, default 22.
-# /etc/ssh/sshd_config ...: ports must be specified before ListenAddress.
-Port 22
-
-# Listen on all IPv4 & IPv6 addresses.
-ListenAddress 0.0.0.0
-ListenAddress ::
-
-# Use the internal SFTP to avoid having to find the external one. VERBOSE
-# logs transactions that sftp-server performs on behalf of the client.
-# See also http://serverfault.com/a/660325
-Subsystem sftp internal-sftp -l VERBOSE
-# If you wish to use the external one, uncomment the appropiate one
-# for your OS or find it somewhere.
-## Arch
-#Subsystem   sftp    /usr/lib/ssh/sftp-server -l VERBOSE
-## Debian
-#Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE
-## Fedora (21)
-#Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE
-## Gentoo (/usr/lib is a symlink)
-#Subsystem sftp /usr/lib/misc/sftp-server -l VERBOSE
-
-# VERBOSE logging, logs user's key fingerprint on login. Needed to have a
-# clear audit track of which key was using to log in.
-LogLevel VERBOSE
-
-# Disable tunneled clear text passwords!
-PasswordAuthentication no
-
-# Auditing reasons, difficult to track which process belongs to which root
-# user.
-PermitRootLogin no
-
-# Print /etc/motd (or /etc/profile or equivalent) on login. It's already
-# done by PAM, so no need for duplicate MOTDs.
-PrintMotd no
-
-# Avoid enabling insecure protocol 1.
-Protocol 2
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-# Use kernel sandbox mechanisms where possible in unprivilegied processes.
-# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin,
-# rlimit elsewhere.
-UsePrivilegeSeparation sandbox
+# Copied from Fedora 33
+# To modify the system-wide sshd configuration, create a  *.conf  file under
+#  /etc/ssh/sshd_config.d/  which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
--- a/etc/ssh/sshd_config.d/acceptenv.conf
+++ b/etc/ssh/sshd_config.d/acceptenv.conf
@ -0,0 +1,3 @@
+# Allow the client to send needed environment variables. I don't like
+# setting wildcards and LC_ALL is disabled on purpose.
+AcceptEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ
--- a/etc/ssh/sshd_config.d/basic-security.conf
+++ b/etc/ssh/sshd_config.d/basic-security.conf
@ -1,4 +1,7 @@
 # RSA and Ed25519 are fine, but DSA is broken and ecdsa is suspicious
+# Missing keys?
+# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key

@ -11,8 +14,11 @@ PermitRootLogin no
 PasswordAuthentication no
 AuthenticationMethods publickey

-# Doesn't exist in Fedora
+# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
+# Debian
 #Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+# Fedora
+#Subsystem sftp  /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO

 # Use kernel sandbox mechanisms where possible in unprivileged processes
 UsePrivilegeSeparation sandbox
--- a/etc/ssh/sshd_config.d/clientaliveinterval.conf
+++ b/etc/ssh/sshd_config.d/clientaliveinterval.conf
@ -0,0 +1,3 @@
+# Checking that client is alive if no traffic is transmitted in a minute.
+# If it fails ClientAliveCountMax (3) times, client is disconnected.
+ClientAliveInterval 60