From c5fa3daf29e4e2cf7381bc4c46ab86a260ca2060 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sat, 30 Jan 2021 21:18:41 +0200
Subject: [PATCH] sshd_config.d: read Mozilla docs & adjust accordingly

https://infosec.mozilla.org/guidelines/openssh
---
 etc/ssh/sshd_config.d/README.md           | 4 ++++
 etc/ssh/sshd_config.d/basic-security.conf | 13 +++++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/etc/ssh/sshd_config.d/README.md b/etc/ssh/sshd_config.d/README.md
index 91bf348d..67ed4b2b 100644
--- a/etc/ssh/sshd_config.d/README.md
+++ b/etc/ssh/sshd_config.d/README.md
@@ -1,3 +1,7 @@
 sshd_config should include something like
 
 Include /etc/ssh/sshd_config.d/*.conf
+
+## See also
+
+https://infosec.mozilla.org/guidelines/openssh
diff --git a/etc/ssh/sshd_config.d/basic-security.conf b/etc/ssh/sshd_config.d/basic-security.conf
index a586294c..6455a05a 100644
--- a/etc/ssh/sshd_config.d/basic-security.conf
+++ b/etc/ssh/sshd_config.d/basic-security.conf
@@ -5,9 +5,14 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 # Includes public keys in logins
 LogLevel VERBOSE
 
-# root login should probably be denied entirely, but key is better than
-# password
-PermitRootLogin prohibit-password
-
+# No direct root login, keys might be ok, but audit trail
+PermitRootLogin no
 # Passwords are bad
 PasswordAuthentication no
+AuthenticationMethods publickey
+
+# Doesn't exist in Fedora
+#Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# Use kernel sandbox mechanisms where possible in unprivileged processes
+UsePrivilegeSeparation sandbox
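Review bot: `UsePrivilegeSeparation sandbox` on the last line of the basic-security.conf hunk has no effect on any OpenSSH since 7.5 (2017), where privilege separation with sandboxing became mandatory and the directive was turned into a deprecated no-op that sshd only warns about at startup, so the comment above it promises a hardening this drop-in does not deliver; drop both lines, or if older hosts must still be supported, reword the comment to `# No-op on OpenSSH >= 7.5 (sandboxing is always on); kept only for older servers`. The comment on `PermitRootLogin no` reads as a fragment; `# No direct root login, even with keys: going through an unprivileged account keeps an audit trail of who became root` states the actual reason. The commented `Subsystem sftp` line is harmless as is, but if it is ever enabled note that `Subsystem sftp` may be declared only once and sshd treats a second definition as a fatal error when the distribution's main sshd_config already has one (Fedora appears to ship sftp-server under /usr/libexec/openssh/ rather than the Mozilla path, which is presumably why it "doesn't exist"). Validating the merged configuration with `sshd -t` after edits like these surfaces both the deprecation warning and any duplicate definition before a restart locks anyone out.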