Update SSH Hardening

Signed-off-by: Thien Tran <contact@tommytran.io>

Docker-Compose.ign

@@ -50,7 +50,7 @@
         "path": "/etc/ssh/sshd_config.d/10-custom.conf",
         "contents": {
           "compression": "",
-          "source": "data:,X11Forwarding%20no%0AGSSAPIAuthentication%20no%0A"
+          "source": "data:,X11Forwarding%20no%0AHostKeyAlgorithms%20ssh-ed25519%0APubkeyAcceptedKeyTypes%20ssh-ed25519%0ACiphers%20aes256-gcm%40openssh.com%0AMACs%20-*%0AKerberosAuthentication%20no%0AGSSAPIAuthentication%20no%0A"
         }
       },
       {

Docker-Compose.yml

@@ -105,6 +105,11 @@ storage:
       contents:
         inline: |
           X11Forwarding no
+          HostKeyAlgorithms ssh-ed25519
+          PubkeyAcceptedKeyTypes ssh-ed25519
+          Ciphers aes256-gcm@openssh.com
+          MACs -*
+          KerberosAuthentication no
           GSSAPIAuthentication no
     - path: /etc/zincati/config.d/51-rollout-wariness.toml
       contents:

Generic.ign

@@ -50,7 +50,7 @@
         "path": "/etc/ssh/sshd_config.d/10-custom.conf",
         "contents": {
           "compression": "",
-          "source": "data:,X11Forwarding%20no%0AGSSAPIAuthentication%20no%0A"
+          "source": "data:,X11Forwarding%20no%0AHostKeyAlgorithms%20ssh-ed25519%0APubkeyAcceptedKeyTypes%20ssh-ed25519%0ACiphers%20aes256-gcm%40openssh.com%0AMACs%20-*%0AKerberosAuthentication%20no%0AGSSAPIAuthentication%20no%0A"
         }
       },
       {

Generic.yml

@@ -123,6 +123,11 @@ storage:
       contents:
         inline: |
           X11Forwarding no
+          HostKeyAlgorithms ssh-ed25519
+          PubkeyAcceptedKeyTypes ssh-ed25519
+          Ciphers aes256-gcm@openssh.com
+          MACs -*
+          KerberosAuthentication no
           GSSAPIAuthentication no
     - path: /etc/zincati/config.d/51-rollout-wariness.toml
       contents: