38 lines
1.4 KiB
YAML
38 lines
1.4 KiB
YAML
---
|
|
- name: system setup | openssh | copy hardened sshd config for bastion
|
|
tags: openssh,ssh,system,settings
|
|
copy:
|
|
dest: /etc/ssh/sshd_config.d/hardened.conf
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
content: |
|
|
# This file is managed by Ansible for the bastion role
|
|
# It overwrites/complements settings from the base role.
|
|
LogLevel VERBOSE
|
|
MaxAuthTries 3
|
|
PubkeyAuthentication yes
|
|
AuthorizedKeysFile .ssh/authorized_keys
|
|
PasswordAuthentication no
|
|
UsePAM yes
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding no
|
|
X11Forwarding no
|
|
PrintMotd no
|
|
|
|
# Harden Ciphers and Algorithms
|
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
|
|
|
|
PrintLastLog no
|
|
TCPKeepAlive yes
|
|
Subsystem sftp /usr/lib/ssh/sftp-server
|
|
AcceptEnv *
|
|
AllowUsers lowpriv sshjumpuser
|
|
|
|
Match User lowpriv,sshjumpuser
|
|
AllowAgentForwarding yes
|
|
AllowTcpForwarding yes
|
|
notify: [ "restart_sshd", "Update_aide_database" ] |