public-health-ch/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2
2020-05-15 22:41:39 +02:00

125 lines
4.4 KiB
Django/Jinja

# {{ansible_managed|comment}}
# This is the ssh client system-wide configuration file.
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
{% if ssh_custom_options -%}
# Custom configuration that overwrites default configuration
# ==========================================================
{% for line in ssh_custom_options %}
{{ line }}
{% endfor %}
{% endif %}
# Basic configuration
# ===================
# Address family should always be limited to the active network configuration.
AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
{% for host in ssh_remote_hosts -%}
{% if loop.first %}
# Host-specific configuration
{% endif %}
Host {{ host.names | join(' ') }}
{{ host.options | join("\n") | indent(2) }}
{% endfor -%}
# Global defaults for all Hosts
Host *
# The port at the destination should be defined
Port {{ ssh_client_port }}
# Identity file configuration. You may restrict available identity files. Otherwise ssh will search for a pattern and use any that matches.
#IdentityFile ~/.ssh/identity
#IdentityFile ~/.ssh/id_rsa
#IdentityFile ~/.ssh/id_dsa
# Security configuration
# ======================
# Set the protocol version to 2 for security reasons. Disables legacy support.
Protocol 2
# Make sure passphrase querying is enabled
BatchMode no
# Prevent IP spoofing by checking to host IP against the `known_hosts` file.
CheckHostIP yes
# Always ask before adding keys to the `known_hosts` file. Do not set to `yes`.
StrictHostKeyChecking ask
# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
# CBC: is true if you want to connect with OpenSSL-base libraries
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
#
{# This outputs "Ciphers <list-of-ciphers>" if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #}
{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }}
# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
# Weak HMAC is sometimes required if older package versions are used
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
#
{# This outputs "MACs <list-of-macs>" if ssh_macs is defined or "#MACs" if ssh_macs is undefined #}
{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }}
# Alternative setting, if OpenSSH version is below v5.9
#MACs hmac-ripemd160
# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
# Weak kex is sometimes required if older package versions are used
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
{# This outputs "KexAlgorithms <list-of-algos>" if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #}
{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }}
# Disable agent forwarding, since local agent could be accessed through forwarded connection.
ForwardAgent no
# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
ForwardX11 no
# Never use host-based authentication. It can be exploited.
HostbasedAuthentication no
{% if sshd_version is version('7.6', '<') %}
RhostsRSAAuthentication no
# Enable RSA authentication via identity files.
RSAAuthentication yes
{% endif %}
# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
# Only use GSSAPIAuthentication if implemented on the network.
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
# Disable tunneling
Tunnel no
# Disable local command execution.
PermitLocalCommand no
# Misc. configuration
# ===================
# Enable compression. More pressure on the CPU, less on the network.
Compression yes
#EscapeChar ~
#VisualHostKey yes
{% if sshd_version is version('7.1', '<=') %}
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
{% endif %}