From a99d1f5e1db51e98a9ddb79e0fc9f64d8e1e74dd Mon Sep 17 00:00:00 2001
From: Thien Tran <contact@tommytran.io>
Date: Tue, 10 Oct 2023 12:05:22 -0700
Subject: [PATCH] Update SSH Hardening

Signed-off-by: Thien Tran <contact@tommytran.io>
---
 Docker-Compose.ign | 2 +-
 Docker-Compose.yml | 5 +++++
 Generic.ign        | 2 +-
 Generic.yml        | 5 +++++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Docker-Compose.ign b/Docker-Compose.ign
index 04d087d..870e575 100644
--- a/Docker-Compose.ign
+++ b/Docker-Compose.ign
@@ -50,7 +50,7 @@
         "path": "/etc/ssh/sshd_config.d/10-custom.conf",
         "contents": {
           "compression": "",
-          "source": "data:,X11Forwarding%20no%0AGSSAPIAuthentication%20no%0A"
+          "source": "data:,X11Forwarding%20no%0AHostKeyAlgorithms%20ssh-ed25519%0APubkeyAcceptedKeyTypes%20ssh-ed25519%0ACiphers%20aes256-gcm%40openssh.com%0AMACs%20-*%0AKerberosAuthentication%20no%0AGSSAPIAuthentication%20no%0A"
         }
       },
       {
diff --git a/Docker-Compose.yml b/Docker-Compose.yml
index 7df64dd..8d9d4e3 100644
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@@ -105,6 +105,11 @@ storage:
       contents:
         inline: |
           X11Forwarding no
+          HostKeyAlgorithms ssh-ed25519
+          PubkeyAcceptedKeyTypes ssh-ed25519
+          Ciphers aes256-gcm@openssh.com
+          MACs -*
+          KerberosAuthentication no
           GSSAPIAuthentication no
     - path: /etc/zincati/config.d/51-rollout-wariness.toml
       contents:
diff --git a/Generic.ign b/Generic.ign
index 5e1c38b..ade993d 100644
--- a/Generic.ign
+++ b/Generic.ign
@@ -50,7 +50,7 @@
         "path": "/etc/ssh/sshd_config.d/10-custom.conf",
         "contents": {
           "compression": "",
-          "source": "data:,X11Forwarding%20no%0AGSSAPIAuthentication%20no%0A"
+          "source": "data:,X11Forwarding%20no%0AHostKeyAlgorithms%20ssh-ed25519%0APubkeyAcceptedKeyTypes%20ssh-ed25519%0ACiphers%20aes256-gcm%40openssh.com%0AMACs%20-*%0AKerberosAuthentication%20no%0AGSSAPIAuthentication%20no%0A"
         }
       },
       {
diff --git a/Generic.yml b/Generic.yml
index d2d8fb0..ce84be9 100644
--- a/Generic.yml
+++ b/Generic.yml
@@ -123,6 +123,11 @@ storage:
       contents:
         inline: |
           X11Forwarding no
+          HostKeyAlgorithms ssh-ed25519
+          PubkeyAcceptedKeyTypes ssh-ed25519
+          Ciphers aes256-gcm@openssh.com
+          MACs -*
+          KerberosAuthentication no
           GSSAPIAuthentication no
     - path: /etc/zincati/config.d/51-rollout-wariness.toml
       contents: