From a99d1f5e1db51e98a9ddb79e0fc9f64d8e1e74dd Mon Sep 17 00:00:00 2001
From: Thien Tran
Date: Tue, 10 Oct 2023 12:05:22 -0700
Subject: [PATCH] Update SSH Hardening

Signed-off-by: Thien Tran
---
 Docker-Compose.ign | 2 +-
 Docker-Compose.yml | 5 +++++
 Generic.ign | 2 +-
 Generic.yml | 5 +++++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Docker-Compose.ign b/Docker-Compose.ign
index 04d087d..870e575 100644
--- a/Docker-Compose.ign
+++ b/Docker-Compose.ign
@@ -50,7 +50,7 @@
 "path": "/etc/ssh/sshd_config.d/10-custom.conf",
 "contents": {
 "compression": "",
- "source": "data:,X11Forwarding%20no%0AGSSAPIAuthentication%20no%0A"
+ "source": "data:,X11Forwarding%20no%0AHostKeyAlgorithms%20ssh-ed25519%0APubkeyAcceptedKeyTypes%20ssh-ed25519%0ACiphers%20aes256-gcm%40openssh.com%0AMACs%20-*%0AKerberosAuthentication%20no%0AGSSAPIAuthentication%20no%0A"
 }
 },
 {
diff --git a/Docker-Compose.yml b/Docker-Compose.yml
index 7df64dd..8d9d4e3 100644
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@@ -105,6 +105,11 @@ storage:
 contents:
 inline: |
 X11Forwarding no
+ HostKeyAlgorithms ssh-ed25519
+ PubkeyAcceptedKeyTypes ssh-ed25519
+ Ciphers aes256-gcm@openssh.com
+ MACs -*
+ KerberosAuthentication no
 GSSAPIAuthentication no
 - path: /etc/zincati/config.d/51-rollout-wariness.toml
 contents:
diff --git a/Generic.ign b/Generic.ign
index 5e1c38b..ade993d 100644
--- a/Generic.ign
+++ b/Generic.ign
@@ -50,7 +50,7 @@
 "path": "/etc/ssh/sshd_config.d/10-custom.conf",
 "contents": {
 "compression": "",
- "source": "data:,X11Forwarding%20no%0AGSSAPIAuthentication%20no%0A"
+ "source": "data:,X11Forwarding%20no%0AHostKeyAlgorithms%20ssh-ed25519%0APubkeyAcceptedKeyTypes%20ssh-ed25519%0ACiphers%20aes256-gcm%40openssh.com%0AMACs%20-*%0AKerberosAuthentication%20no%0AGSSAPIAuthentication%20no%0A"
 }
 },
 {
diff --git a/Generic.yml b/Generic.yml
index d2d8fb0..ce84be9 100644
--- a/Generic.yml
+++ b/Generic.yml
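Review bot: `HostKeyAlgorithms ssh-ed25519` and `Ciphers aes256-gcm@openssh.com` on the added lines turn any client or host-key mismatch into a refused connection rather than a downgrade, so before this rolls out the effective values should be checked on a provisioned host with `sshd -T` (confirming an ed25519 host key is present and that every client in use offers aes256-gcm) while an existing session is kept open; the identical lines land in Generic.yml and in both compiled `.ign` data URLs. `PubkeyAcceptedKeyTypes ssh-ed25519` also excludes `sk-ssh-ed25519@openssh.com` and `ssh-ed25519-cert-v01@openssh.com`, so FIDO-backed and certificate-based ed25519 user keys stop authenticating — if that is intentional the commit message should say so, and `PubkeyAcceptedAlgorithms` is the current spelling of this option (the old name is, to my knowledge, still accepted as an alias). `MACs -*` as I read it empties the MAC list and only works because the sole remaining cipher is AEAD, so MAC negotiation is never reached; that coupling deserves a line inside the literal block, e.g. `# MACs cleared on purpose: aes256-gcm is AEAD, so no separate MAC is negotiated; re-add MACs before enabling any non-AEAD cipher`, which ends up in sshd_config where `#` is a comment. The `- path: /etc/ssh/sshd_config.d/10-custom.conf` entry that encloses this inline block starts above the hunk.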
@@ -123,6 +123,11 @@ storage:
 contents:
 inline: |
 X11Forwarding no
+ HostKeyAlgorithms ssh-ed25519
+ PubkeyAcceptedKeyTypes ssh-ed25519
+ Ciphers aes256-gcm@openssh.com
+ MACs -*
+ KerberosAuthentication no
 GSSAPIAuthentication no
 - path: /etc/zincati/config.d/51-rollout-wariness.toml
 contents: