diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index 155e2a83..a3675aad 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -1,102 +1,4 @@ -# OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to -# be more clear and if they are missed some day, just download -# upstream config file or take it from any distribution. - -# Partially based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH -# where some comments are took. Some options look like I don't want to -# change them to get updates when defaults change. - -# Allow the client to send needed environment variables. I don't like -# setting wildcards and LC_ALL is disabled on purpouse. -AcceptEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ - -# IPv4 & IPv6 -AddressFamily any - -# Password based logins are disabled - only public key based logins are -# allowed. -AuthenticationMethods publickey - -# The default is to check both .ssh/authorized_keys and -# .ssh/authorized_keys2 but this is overridden so installations will only -# check .ssh/authorized_keys. -AuthorizedKeysFile .ssh/authorized_keys - -# File to send to client before authentication. -Banner /etc/issue.net - -# Disable s/key passwords. -ChallengeResponseAuthentication no - -# If the client doesn't reply in three "pings", connection is dead. -# Defaults to 3 anyway, but I add it here for clearity and -# in case it decides to change in the future. -ClientAliveCountMax 3 - -# "ping" the client every minute. -ClientAliveInterval 60 - -# HostKeys for protocol version 2. -HostKey /etc/ssh/ssh_host_ed25519_key -HostKey /etc/ssh/ssh_host_rsa_key - -## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT: -# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key - -# Listen on the following TCP ports, default 22. -# /etc/ssh/sshd_config ...: ports must be specified before ListenAddress. -Port 22 - -# Listen on all IPv4 & IPv6 addresses. -ListenAddress 0.0.0.0 -ListenAddress :: - -# Use the internal SFTP to avoid having to find the external one. VERBOSE -# logs transactions that sftp-server performs on behalf of the client. -# See also http://serverfault.com/a/660325 -Subsystem sftp internal-sftp -l VERBOSE -# If you wish to use the external one, uncomment the appropiate one -# for your OS or find it somewhere. -## Arch -#Subsystem sftp /usr/lib/ssh/sftp-server -l VERBOSE -## Debian -#Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE -## Fedora (21) -#Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE -## Gentoo (/usr/lib is a symlink) -#Subsystem sftp /usr/lib/misc/sftp-server -l VERBOSE - -# VERBOSE logging, logs user's key fingerprint on login. Needed to have a -# clear audit track of which key was using to log in. -LogLevel VERBOSE - -# Disable tunneled clear text passwords! -PasswordAuthentication no - -# Auditing reasons, difficult to track which process belongs to which root -# user. -PermitRootLogin no - -# Print /etc/motd (or /etc/profile or equivalent) on login. It's already -# done by PAM, so no need for duplicate MOTDs. -PrintMotd no - -# Avoid enabling insecure protocol 1. -Protocol 2 - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -# Use kernel sandbox mechanisms where possible in unprivilegied processes. -# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, -# rlimit elsewhere. -UsePrivilegeSeparation sandbox +# Copied from Fedora 33 +# To modify the system-wide sshd configuration, create a *.conf file under +# /etc/ssh/sshd_config.d/ which will be automatically included below +Include /etc/ssh/sshd_config.d/*.conf diff --git a/etc/ssh/sshd_config.d/acceptenv.conf b/etc/ssh/sshd_config.d/acceptenv.conf new file mode 100644 index 00000000..e20ababa --- /dev/null +++ b/etc/ssh/sshd_config.d/acceptenv.conf @@ -0,0 +1,3 @@ +# Allow the client to send needed environment variables. I don't like +# setting wildcards and LC_ALL is disabled on purpose. +AcceptEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ diff --git a/etc/ssh/sshd_config.d/basic-security.conf b/etc/ssh/sshd_config.d/basic-security.conf index 6455a05a..467e61c6 100644 --- a/etc/ssh/sshd_config.d/basic-security.conf +++ b/etc/ssh/sshd_config.d/basic-security.conf @@ -1,4 +1,7 @@ # RSA and Ed25519 are fine, but DSA is broken and ecdsa is suspicious +# Missing keys? +# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key +# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ed25519_key @@ -11,8 +14,11 @@ PermitRootLogin no PasswordAuthentication no AuthenticationMethods publickey -# Doesn't exist in Fedora +# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. +# Debian #Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO +# Fedora +#Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO # Use kernel sandbox mechanisms where possible in unprivileged processes UsePrivilegeSeparation sandbox diff --git a/etc/ssh/sshd_config.d/clientaliveinterval.conf b/etc/ssh/sshd_config.d/clientaliveinterval.conf new file mode 100644 index 00000000..e1bb3a25 --- /dev/null +++ b/etc/ssh/sshd_config.d/clientaliveinterval.conf @@ -0,0 +1,3 @@ +# Checking that client is alive if no traffic is transmitted in a minute. +# If it fails ClientAliveCountMax (3) times, client is disconnected. +ClientAliveInterval 60