diff --git a/openssh/config.sls b/openssh/config.sls index 6c81c8c..10eaa0e 100644 --- a/openssh/config.sls +++ b/openssh/config.sls @@ -3,6 +3,7 @@ include: - openssh +{% if salt['pillar.get']('sshd_config', False) %} sshd_config: file.managed: - name: {{ openssh.sshd_config }} @@ -13,7 +14,9 @@ sshd_config: - mode: {{ openssh.sshd_config_mode }} - watch_in: - service: openssh +{% endif %} +{% if salt['pillar.get']('ssh_config', False) %} ssh_config: file.managed: - name: {{ openssh.ssh_config }} @@ -22,6 +25,7 @@ ssh_config: - user: {{ openssh.ssh_config_user }} - group: {{ openssh.ssh_config_group }} - mode: {{ openssh.ssh_config_mode }} +{% endif %} {% for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %} {% if salt['pillar.get']('openssh:generate_' ~ keyType ~ '_keys', False) %} diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml index 2a34b31..b7993f4 100644 --- a/openssh/defaults.yaml +++ b/openssh/defaults.yaml @@ -16,11 +16,6 @@ openssh: dig_pkg: dnsutils ssh_moduli: /etc/ssh/moduli root_group: root + sshd_config: {} -ssh_config: - Hosts: - '*': - SendEnv: LANG LC_* - HashKnownHosts: yes - GSSAPIAuthentication: yes - GSSAPIDelegateCredentials: no +ssh_config: {} diff --git a/pillar.example b/pillar.example index 923438a..39d9934 100644 --- a/pillar.example +++ b/pillar.example @@ -13,7 +13,7 @@ sshd_config: - /etc/ssh/ssh_host_ed25519_key UsePrivilegeSeparation: 'yes' KeyRegenerationInterval: 3600 - ServerKeyBits: 768 + ServerKeyBits: 1024 SyslogFacility: AUTH LogLevel: INFO ClientAliveInterval: 0 @@ -35,9 +35,9 @@ sshd_config: ChallengeResponseAuthentication: 'no' AuthenticationMethods: 'publickey,keyboard-interactive' AuthorizedKeysFile: '%h/.ssh/authorized_keys' - X11Forwarding: 'yes' + X11Forwarding: 'no' X11DisplayOffset: 10 - PrintMotd: 'no' + PrintMotd: 'yes' PrintLastLog: 'yes' TCPKeepAlive: 'yes' AcceptEnv: "LANG LC_*" @@ -58,15 +58,37 @@ sshd_config: AllowTcpForwarding: no ForceCommand: internal-sftp # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. - # For these three keywords, the options may be specified as a list... + # You can specify KexAlgorithms, Ciphers and MACs as both key or a list. + # The configuration given in the example below is based on: + # https://stribika.github.io/2015/01/04/secure-secure-shell.html + #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' + #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' + #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' KexAlgorithms: - - diffie-hellman-group14-sha1 - - diffie-hellman-group1-sha1 - # ... or a single string. - Ciphers: 'aes128-ctr,aes256-ctr' - MACs: 'hmac-sha1' - # Similar situation for ssh_config + - 'curve25519-sha256@libssh.org' + - 'diffie-hellman-group-exchange-sha256' + Ciphers: + - 'chacha20-poly1305@openssh.com' + - 'aes256-gcm@openssh.com' + - 'aes128-gcm@openssh.com' + - 'aes256-ctr' + - 'aes192-ctr' + - 'aes128-ctr' + MACs: + - 'hmac-sha2-512-etm@openssh.com' + - 'hmac-sha2-256-etm@openssh.com' + - 'hmac-ripemd160-etm@openssh.com' + - 'umac-128-etm@openssh.com' + - 'hmac-sha2-512' + - 'hmac-sha2-256' + - 'hmac-ripemd160' + - 'umac-128@openssh.com' +# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config +# pillar will overwrite the defaults of your distribution's SSH client. This +# will also force the default configuration for all the SSH clients on the +# machine. This can break SSH connections with servers using older versions of +# openssh. Please make sure you understand the implication of different settings ssh_config: StrictHostKeyChecking: no ForwardAgent: no @@ -89,6 +111,38 @@ ssh_config: TunnelDevice: 'any:any' PermitLocalCommand: 'no' VisualHostKey: 'no' + # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first. + # WARNING! Please make sure you understand the implications of the below + # settings. The examples provided below might break your connection to older / + # legacy openssh servers. + # The configuration given in the example below is based on: + # https://stribika.github.io/2015/01/04/secure-secure-shell.html + # You can specify KexAlgorithms, Ciphers and MACs as both key or a list. + #KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' + #Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' + #MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' + KexAlgorithms: + - 'curve25519-sha256@libssh.org' + - 'diffie-hellman-group-exchange-sha256' + - 'diffie-hellman-group-exchange-sha1' + - 'diffie-hellman-group14-sha1' + Ciphers: + - 'chacha20-poly1305@openssh.com' + - 'aes256-gcm@openssh.com' + - 'aes128-gcm@openssh.com' + - 'aes256-ctr' + - 'aes192-ctr' + - 'aes128-ctr' + MACs: + - 'hmac-sha2-512-etm@openssh.com' + - 'hmac-sha2-256-etm@openssh.com' + - 'hmac-ripemd160-etm@openssh.com' + - 'umac-128-etm@openssh.com' + - 'hmac-sha2-512' + - 'hmac-sha2-256' + - 'hmac-ripemd160' + - 'umac-128@openssh.com' + openssh: # Controls if SSHD should be enabled/started