sshd_config.d: read Mozilla docs & adjust accordingly

https://infosec.mozilla.org/guidelines/openssh
This commit is contained in:
Aminda Suomalainen 2021-01-30 21:18:41 +02:00
parent 5211fb772c
commit c5fa3daf29
Signed by: Mikaela
GPG Key ID: 99392F62BAE30723
2 changed files with 13 additions and 4 deletions

View File

@ -1,3 +1,7 @@
sshd_config should include something like
Include /etc/ssh/sshd_config.d/*.conf
## See also
https://infosec.mozilla.org/guidelines/openssh

View File

@ -5,9 +5,14 @@ HostKey /etc/ssh/ssh_host_ed25519_key
# Includes public keys in logins
LogLevel VERBOSE
# root login should probably be denied entirely, but key is better than
# password
PermitRootLogin prohibit-password
# No direct root login, keys might be ok, but audit trail
PermitRootLogin no
# Passwords are bad
PasswordAuthentication no
AuthenticationMethods publickey
# Doesn't exist in Fedora
#Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
# Use kernel sandbox mechanisms where possible in unprivileged processes
UsePrivilegeSeparation sandbox