Refactor harden server and client config patch for openssh package
Move ssh_config and sshd_config modification from openssh package to openssh-config package. Deployment test passes and the configuration file check passes. Story: 2004477 Task: 28185 Change-Id: I9976733bab102ee076d514333cd5a74af20794ec Signed-off-by: zhipengl <zhipengs.liu@intel.com>
parent
4f3e626029
commit
2730d2b38b
@ -26,14 +26,20 @@ package StarlingX configuration files of openssh to system folder.
|
|||||||
%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
|
%{__install} -d %{buildroot}%{_sysconfdir}/systemd/system
|
||||||
%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
|
%{__install} -m 644 sshd.pam %{buildroot}%{_datadir}/starlingx/sshd.pam
|
||||||
%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
|
%{__install} -m 644 sshd.service %{buildroot}%{_sysconfdir}/systemd/system/sshd.service
|
||||||
|
%{__install} -m 644 ssh_config %{buildroot}%{_datadir}/starlingx/ssh_config
|
||||||
|
%{__install} -m 600 sshd_config %{buildroot}%{_datadir}/starlingx/sshd_config
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%define _pamconfdir %{_sysconfdir}/pam.d
|
%define _pamconfdir %{_sysconfdir}/pam.d
|
||||||
if [ $1 -eq 1 ] ; then
|
if [ $1 -eq 1 ] ; then
|
||||||
# Initial installation
|
# Initial installation
|
||||||
cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
|
cp -f %{_datadir}/starlingx/sshd.pam %{_pamconfdir}/sshd
|
||||||
|
cp -f %{_datadir}/starlingx/ssh_config %{_sysconfdir}/ssh/ssh_config
|
||||||
|
cp -f %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%{_datadir}/starlingx/sshd.pam
|
%{_datadir}/starlingx/sshd.pam
|
||||||
%{_sysconfdir}/systemd/system/sshd.service
|
%{_sysconfdir}/systemd/system/sshd.service
|
||||||
|
%{_datadir}/starlingx/ssh_config
|
||||||
|
%{_datadir}/starlingx/sshd_config
|
||||||
|
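Review bot: The two new `cp -f` lines in %post (ssh_config and sshd_config) sit inside the existing `if [ $1 -eq 1 ]` branch, so they run only on first install; an upgrade of this package that ships a changed hardened sshd_config never reaches /etc/ssh, and neither copied file is owned or verifiable by rpm. If that is deliberate (local edits survive upgrades), say so next to the `# Initial installation` comment, e.g. `# Upgrades intentionally leave /etc/ssh/ssh_config and sshd_config untouched; new defaults only apply on a fresh install`. `cp -f` onto an already existing /etc/ssh/sshd_config keeps the destination's mode, so the 0600 set by `%{__install} -m 600` in %install is only guaranteed when the target does not exist yet; `%{__install} -m 600 %{_datadir}/starlingx/sshd_config %{_sysconfdir}/ssh/sshd_config` makes the mode explicit on both paths. The hunk shows no `Requires: openssh-server`, so the ordering against the package that ships its own /etc/ssh/sshd_config presumably relies on install order alone; that dependency belongs in the spec header outside this hunk.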
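--- a/base/openssh-config/files/ssh_config
+++ b/base/openssh-config/files/ssh_config
@@ -0,0 +1,71 @@
+# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+# Port 22
+# Protocol 2
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+#
+# Uncomment this if you want to use .local domain
+# Host *.local
+# CheckHostIP no
+
+Host *
+GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ForwardX11Trusted yes
+# Send locale-related environment variables
+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+SendEnv XMODIFIERS
+
+# Filtered key exchange algorithm list
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256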
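Review bot: `ForwardX11Trusted yes` under `Host *`, carried over from the distribution default together with its justification comment, is at odds with a hardened client configuration: every `ssh -X` session then grants the remote side full access to the local display, exactly as `-Y` would. Unless trusted X11 forwarding is actually needed on these hosts, change it to `ForwardX11Trusted no` and replace the three-line comment above it with one sentence stating the decision; if it is needed, the comment should say which use case requires it rather than repeating the Fedora rationale. The client file restricts only `KexAlgorithms`, while the sshd_config in this same commit also pins `Ciphers` and `MACs`; adding matching `Ciphers` and `MACs` lines here keeps the two sides consistent and stops the client from negotiating weaker suites with third-party servers. `GSSAPIAuthentication yes` is likewise enabled on the client although the server side sets it to no; if no GSSAPI peers exist, `GSSAPIAuthentication no` avoids offering the method at all.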
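--- a/base/openssh-config/files/sshd_config
+++ b/base/openssh-config/files/sshd_config
@@ -0,0 +1,148 @@
+# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+RekeyLimit default 1h
+
+# Logging
+#SyslogFacility AUTH
+#SyslogFacility AUTHPRIV
+LogLevel INFO
+
+# Authentication:
+
+LoginGraceTime 1m
+PermitRootLogin no
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+Compression no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+#ShowPatchLevel no
+# Make SSH connect faster on bootup
+UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# default banner path
+Banner /etc/issue.net
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+DenyUsers admin secadmin operator
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
+# using "-" should be used for cipher, MAC and kex excluded suites.
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256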
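Review bot: The `MACs` line at the end of the file still permits `hmac-sha1`, `hmac-sha1-etm@openssh.com`, the two `umac-64` variants and the four RIPEMD-160 variants, which sits oddly next to a `KexAlgorithms` list whose stated purpose (in the patch this commit retires) was to drop SHA-1 based algorithms; if an older client needs one of them, a comment should name it, otherwise `MACs hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com` is the choice consistent with the rest of the hardening. `DenyUsers admin secadmin operator` carries no comment; one line saying why these three accounts are refused ssh login (and how they are meant to log in instead) would stop the next maintainer from guessing. `ClientAliveInterval 15` with `ClientAliveCountMax 4` drops a connection whose client has stopped answering keepalives for about 60 seconds, not an idle session; a comment such as `# Disconnect unresponsive clients after 4 x 15 s` avoids that common misreading. The `$OpenBSD: sshd_config,v 1.100` header line no longer describes this file and could be replaced by a note that this is the StarlingX hardened variant.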
@ -1 +1 @@
|
|||||||
TIS_PATCH_VER=9
|
TIS_PATCH_VER=10
|
||||||
|
@ -5,35 +5,17 @@ Subject: spec-include-TiS-changes.patch
|
|||||||
|
|
||||||
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
|
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
|
||||||
---
|
---
|
||||||
SPECS/openssh.spec | 9 ++++-----
|
SPECS/openssh.spec | 5 -----
|
||||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
1 file changed, 5 deletions(-)
|
||||||
|
|
||||||
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
|
||||||
index 0a91b56..bbae9d7 100644
|
index 0a91b56..bbae9d7 100644
|
||||||
--- a/SPECS/openssh.spec
|
--- a/SPECS/openssh.spec
|
||||||
+++ b/SPECS/openssh.spec
|
+++ b/SPECS/openssh.spec
|
||||||
@@ -250,6 +250,8 @@ Patch958: openssh-7.4p1-winscp-compat.patch
|
|
||||||
Patch959: openssh-7.4p1-authorized_keys_command.patch
|
|
||||||
# Fix for CVE-2017-15906 (#1517226)
|
|
||||||
Patch960: openssh-7.5p1-sftp-empty-files.patch
|
|
||||||
+# WRS: harden server and client config
|
|
||||||
+Patch1000: harden-server-and-client-config.patch
|
|
||||||
|
|
||||||
License: BSD
|
|
||||||
Group: Applications/Internet
|
|
||||||
@@ -510,6 +512,8 @@ popd
|
|
||||||
%patch700 -p1 -b .fips
|
|
||||||
|
|
||||||
%patch100 -p1 -b .coverity
|
|
||||||
+# WRS
|
|
||||||
+%patch1000 -p1 -b .harden
|
|
||||||
|
|
||||||
%if 0
|
|
||||||
# Nothing here yet
|
|
||||||
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
|
@@ -719,9 +723,6 @@ getent passwd sshd >/dev/null || \
|
||||||
%preun server
|
%preun server
|
||||||
%systemd_preun sshd.service sshd.socket
|
%systemd_preun sshd.service sshd.socket
|
||||||
|
|
||||||
-%postun server
|
-%postun server
|
||||||
-%systemd_postun_with_restart sshd.service
|
-%systemd_postun_with_restart sshd.service
|
||||||
-
|
-
|
||||||
@ -43,12 +25,12 @@ index 0a91b56..bbae9d7 100644
|
|||||||
@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
|
@@ -784,8 +785,6 @@ getent passwd sshd >/dev/null || \
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
|
||||||
|
|
||||||
-%files server-sysvinit
|
-%files server-sysvinit
|
||||||
-%defattr(-,root,root)
|
-%defattr(-,root,root)
|
||||||
%attr(0755,root,root) /etc/rc.d/init.d/sshd
|
%attr(0755,root,root) /etc/rc.d/init.d/sshd
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
--
|
--
|
||||||
1.8.3.1
|
1.8.3.1
|
||||||
|
|
||||||
|
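Review bot: With the four `+Patch1000` / `+%patch1000` lines removed from this patch, the new-side offsets of the later hunk headers look stale: `@@ -719,9 +723,6 @@` and, in the second hunk of this section, `@@ -784,8 +785,6 @@` still carry the shift those four added lines introduced, so presumably they should now read `@@ -719,9 +719,6 @@` and `@@ -784,8 +781,6 @@`. `patch` will normally still apply them with an "offset" message, so this is cosmetic rather than a build break, but the drift suggests the file was hand-edited; regenerating it with `git format-patch` from the modified spec keeps the headers honest. The updated diffstat lines (`SPECS/openssh.spec | 5 -----`, `1 file changed, 5 deletions(-)`) do match the five remaining `-` lines.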
@ -1,124 +0,0 @@
|
|||||||
From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andy Ning <andy.ning@windriver.com>
|
|
||||||
Date: Fri, 23 Mar 2018 14:46:06 -0400
|
|
||||||
Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
|
|
||||||
|
|
||||||
The patch hardened ssh server and client security, specifically
|
|
||||||
removed support of sha1 base kex algrorithms as found by Nessus
|
|
||||||
scan.
|
|
||||||
---
|
|
||||||
ssh_config | 3 +++
|
|
||||||
sshd_config | 45 +++++++++++++++++++++++++++------------------
|
|
||||||
2 files changed, 30 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ssh_config b/ssh_config
|
|
||||||
index d1c83ea..3320eb0 100644
|
|
||||||
--- a/ssh_config
|
|
||||||
+++ b/ssh_config
|
|
||||||
@@ -66,3 +66,6 @@ Host *
|
|
||||||
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
SendEnv XMODIFIERS
|
|
||||||
+
|
|
||||||
+# Filtered key exchange algorithm list
|
|
||||||
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
|
||||||
diff --git a/sshd_config b/sshd_config
|
|
||||||
index 6bbb86b..7fb2ac7 100644
|
|
||||||
--- a/sshd_config
|
|
||||||
+++ b/sshd_config
|
|
||||||
@@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# Ciphers and keying
|
|
||||||
-#RekeyLimit default none
|
|
||||||
+RekeyLimit default 1h
|
|
||||||
|
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
-SyslogFacility AUTHPRIV
|
|
||||||
-#LogLevel INFO
|
|
||||||
+#SyslogFacility AUTHPRIV
|
|
||||||
+LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
-#LoginGraceTime 2m
|
|
||||||
-#PermitRootLogin yes
|
|
||||||
+LoginGraceTime 1m
|
|
||||||
+PermitRootLogin no
|
|
||||||
#StrictModes yes
|
|
||||||
-#MaxAuthTries 6
|
|
||||||
+MaxAuthTries 4
|
|
||||||
#MaxSessions 10
|
|
||||||
|
|
||||||
#PubkeyAuthentication yes
|
|
||||||
@@ -76,8 +76,8 @@ ChallengeResponseAuthentication no
|
|
||||||
#KerberosUseKuserok yes
|
|
||||||
|
|
||||||
# GSSAPI options
|
|
||||||
-GSSAPIAuthentication yes
|
|
||||||
-GSSAPICleanupCredentials no
|
|
||||||
+GSSAPIAuthentication no
|
|
||||||
+GSSAPICleanupCredentials yes
|
|
||||||
#GSSAPIStrictAcceptorCheck yes
|
|
||||||
#GSSAPIKeyExchange no
|
|
||||||
#GSSAPIEnablek5users no
|
|
||||||
@@ -95,10 +95,10 @@ GSSAPICleanupCredentials no
|
|
||||||
# problems.
|
|
||||||
UsePAM yes
|
|
||||||
|
|
||||||
-#AllowAgentForwarding yes
|
|
||||||
-#AllowTcpForwarding yes
|
|
||||||
+AllowAgentForwarding no
|
|
||||||
+AllowTcpForwarding no
|
|
||||||
#GatewayPorts no
|
|
||||||
-X11Forwarding yes
|
|
||||||
+X11Forwarding no
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
@@ -106,21 +106,22 @@ X11Forwarding yes
|
|
||||||
#PrintLastLog yes
|
|
||||||
#TCPKeepAlive yes
|
|
||||||
#UseLogin no
|
|
||||||
-#UsePrivilegeSeparation sandbox
|
|
||||||
+UsePrivilegeSeparation yes
|
|
||||||
#PermitUserEnvironment no
|
|
||||||
-#Compression delayed
|
|
||||||
-#ClientAliveInterval 0
|
|
||||||
-#ClientAliveCountMax 3
|
|
||||||
+Compression no
|
|
||||||
+ClientAliveInterval 15
|
|
||||||
+ClientAliveCountMax 4
|
|
||||||
#ShowPatchLevel no
|
|
||||||
-#UseDNS yes
|
|
||||||
+# Make SSH connect faster on bootup
|
|
||||||
+UseDNS no
|
|
||||||
#PidFile /var/run/sshd.pid
|
|
||||||
#MaxStartups 10:30:100
|
|
||||||
#PermitTunnel no
|
|
||||||
#ChrootDirectory none
|
|
||||||
#VersionAddendum none
|
|
||||||
|
|
||||||
-# no default banner path
|
|
||||||
-#Banner none
|
|
||||||
+# default banner path
|
|
||||||
+Banner /etc/issue.net
|
|
||||||
|
|
||||||
# Accept locale-related environment variables
|
|
||||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
@@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
|
|
||||||
# AllowTcpForwarding no
|
|
||||||
# PermitTTY no
|
|
||||||
# ForceCommand cvs server
|
|
||||||
+DenyUsers admin secadmin operator
|
|
||||||
+# Filtered cipher, MAC and key exchange algorithm list, defaults can be
|
|
||||||
+# obtained by ssh -Q cipher, ssh -Q mac and ssh -Q kex
|
|
||||||
+# TODO (aning): once openssh is updated to 7.5, an explicit exclusion list
|
|
||||||
+# using "-" should be used for cipher, MAC and kex excluded suites.
|
|
||||||
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
|
|
||||||
+MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
|
|
||||||
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|