ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-09-20 06:55:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

chg: remove support for EOL CentOS 7

Browse source
This commit is contained in:
Stéphane Lesimple 2024-07-01 11:36:53 +00:00 committed by Stéphane Lesimple
parent 560598b447
commit 914d8b30b4
9 changed files with 6 additions and 557 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/tests.yml vendored
View file

@ -38,7 +38,7 @@ jobs:
name: Full name: Full
strategy: strategy:
matrix: matrix:
platform: [centos7, rockylinux8, rockylinux9, debian10, debian11, debian12, 'opensuse15@opensuse/leap:15.5', ubuntu1604, ubuntu1804, ubuntu2004, ubuntu2204] platform: [rockylinux8, rockylinux9, debian10, debian11, debian12, 'opensuse15@opensuse/leap:15.5', ubuntu1604, ubuntu1804, ubuntu2004, ubuntu2204]
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'tests:full') if: contains(github.event.pull_request.labels.*.name, 'tests:full')
steps: steps:

1
README.md
View file

@ -73,7 +73,6 @@ Also don't forget to customize your `bastion.conf` file, which can be found in `
Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS: Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS:
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster) - Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
- CentOS 7.x
- RockyLinux 8.x, 9.x - RockyLinux 8.x, 9.x
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04 - Ubuntu LTS 22.04, 20.04, 18.04, 16.04
- OpenSUSE Leap 15.5\* - OpenSUSE Leap 15.5\*

9
bin/admin/install
View file

@ -275,9 +275,7 @@ if [ "${opt[modify-ssh-config]}" = 1 ] || [ "${opt[modify-sshd-config]}" = 1 ] ;
filesuffix=$short_suffix_name filesuffix=$short_suffix_name
elif [ "$OS_FAMILY" = Linux ]; then elif [ "$OS_FAMILY" = Linux ]; then
if [ "$LINUX_DISTRO" = ubuntu ]; then if [ "$LINUX_DISTRO" = ubuntu ]; then
if [ "$DISTRO_VERSION_MAJOR" -le 16 ]; then if [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then
filesuffix=debian9
elif [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then
filesuffix=debian10 filesuffix=debian10
elif [ "$DISTRO_VERSION_MAJOR" -le 20 ]; then elif [ "$DISTRO_VERSION_MAJOR" -le 20 ]; then
filesuffix=debian11 filesuffix=debian11
@ -1235,7 +1233,10 @@ fi
if [ "${opt[modify-pam-lastlog]}" = 1 ]; then if [ "${opt[modify-pam-lastlog]}" = 1 ]; then
# pam.d lastlogin # pam.d lastlogin
action_doing "Adjust lastlog in pam.d/sshd if applicable" action_doing "Adjust lastlog in pam.d/sshd if applicable"
if [ -e "$PAM_SSHD" ] ; then # don't do it for Ubuntu 24.04, as they removed pam_lastlog.so entirely
if [ "$LINUX_DISTRO" = ubuntu ] && [ "$DISTRO_VERSION_MAJOR" -ge 24 ]; then
action_na "Not supported under $LINUX_DISTRO $DISTRO_VERSION_MAJOR"
elif [ -e "$PAM_SSHD" ] ; then
if ! grep -Eq '^\s*session\s+optional\s+pam_lastlog.so' "$PAM_SSHD" ; then if ! grep -Eq '^\s*session\s+optional\s+pam_lastlog.so' "$PAM_SSHD" ; then
action_detail "missing lastlog config in file, adjusting" action_detail "missing lastlog config in file, adjusting"
# shellcheck disable=SC1004 # shellcheck disable=SC1004

1
doc/sphinx/installation/basic.rst
View file

@ -33,7 +33,6 @@ The following Linux distros are tested with each release, but as this is a secur
you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS: you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS:
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster) - Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
- CentOS 7.x
- RockyLinux 8.x, 9.x - RockyLinux 8.x, 9.x
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04 - Ubuntu LTS 22.04, 20.04, 18.04, 16.04
- OpenSUSE Leap 15.5\* - OpenSUSE Leap 15.5\*

32
docker/Dockerfile.centos7
View file

@ -1,32 +0,0 @@
FROM centos:7
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh \
bin/admin/install-yubico-piv-checker.sh \
bin/admin/install-mkhash-helper.sh \
bin/admin/packages-check.sh \
/opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"]
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
# at each modification of our code, we'll start from here thanks to build cache
COPY . /opt/bastion
# tests that the environment works
RUN ["/opt/bastion/bin/dev/perl-check.sh"]
# setup ssh/sshd config and setup bastion install
RUN ["/opt/bastion/bin/admin/install","--new-install"]
# start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1

115
etc/ssh/ssh_config.centos7
View file

@ -1,115 +0,0 @@
# Hardened SSH bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With modifications where applicable/needed
# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).
# === FEATURES ===
# disable non-needed sshd features
Tunnel no
ForwardAgent no
ForwardX11 no
GatewayPorts no
ControlMaster no
# === CRYPTOGRAPHY ===
# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2
# list of allowed ciphers.
# chacha20-poly1305 is a modern cipher, considered very secure
# aes is still the standard, we prefer gcm cipher mode, but also
# allow ctr cipher mode for compatibility (ctr is considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
# known gotchas:
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# list of allowed message authentication code algorithms.
# etm (encrypt-then-mac) are considered the more secure, we
# prefer umac (has been proven secure) then sha2.
# for older remote servers, fallback to the non-etm version of
# the algorithms. we deny md5 entirely.
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
# Known gotchas:
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
# List of allowed key exchange algorithms.
# we prefer curve25519-sha256 which is considered the most modern/secure,
# and still allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
# known gotchas:
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# === AUTHENTICATION ===
# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password nor keyboard-interactive
# ... (set to yes if sshpass is to be used)
PasswordAuthentication no
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIDelegateCredentials no
# now we specify the auth methods order we want for manual ssh calls.
# NOTE1: as per the ssh source code, an auth method omitted hereafter
# will not be used, even if set to "yes" above.
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
# value explicitly on command-line (pubkey OR sshpass), so the value
# specified hereafter will be ignored. if you want to force-disable
# a method, set it to "no" in the list above, as those will never be
# overridden by the code.
PreferredAuthentications publickey,keyboard-interactive
# === LOGIN ###
# disable escape character use
EscapeChar none
# detect if a hostkey changed due to DNS spoofing
CheckHostIP yes
# ignore ssh-agent, only use specified keys (-i)
IdentitiesOnly yes
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
IdentityFile /dev/non/existent/file
# carry those vars to the other side (includes LC_BASTION)
SendEnv LANG LC_*
# allow usage of SSHFP DNS records
VerifyHostKeyDNS ask
# yell if remote hostkey changed
StrictHostKeyChecking ask
# === SYSTEM ===
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
HashKnownHosts no
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
ServerAliveInterval 57
ServerAliveCountMax 5

115
etc/ssh/ssh_config.debian9
View file

@ -1,115 +0,0 @@
# Hardened SSH bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With modifications where applicable/needed
# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).
# === FEATURES ===
# disable non-needed sshd features
Tunnel no
ForwardAgent no
ForwardX11 no
GatewayPorts no
ControlMaster no
# === CRYPTOGRAPHY ===
# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2
# list of allowed ciphers.
# chacha20-poly1305 is a modern cipher, considered very secure
# aes is still the standard, we prefer gcm cipher mode, but also
# allow ctr cipher mode for compatibility (ctr is considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
# known gotchas:
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# list of allowed message authentication code algorithms.
# etm (encrypt-then-mac) are considered the more secure, we
# prefer umac (has been proven secure) then sha2.
# for older remote servers, fallback to the non-etm version of
# the algorithms. we deny md5 entirely.
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
# Known gotchas:
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
# List of allowed key exchange algorithms.
# we prefer curve25519-sha256 which is considered the most modern/secure,
# and still allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
# known gotchas:
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# === AUTHENTICATION ===
# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password nor keyboard-interactive
# ... (set to yes if sshpass is to be used)
PasswordAuthentication no
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIDelegateCredentials no
# now we specify the auth methods order we want for manual ssh calls.
# NOTE1: as per the ssh source code, an auth method omitted hereafter
# will not be used, even if set to "yes" above.
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
# value explicitly on command-line (pubkey OR sshpass), so the value
# specified hereafter will be ignored. if you want to force-disable
# a method, set it to "no" in the list above, as those will never be
# overridden by the code.
PreferredAuthentications publickey,keyboard-interactive
# === LOGIN ###
# disable escape character use
EscapeChar none
# detect if a hostkey changed due to DNS spoofing
CheckHostIP yes
# ignore ssh-agent, only use specified keys (-i)
IdentitiesOnly yes
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
IdentityFile /dev/non/existent/file
# carry those vars to the other side (includes LC_BASTION)
SendEnv LANG LC_*
# allow usage of SSHFP DNS records
VerifyHostKeyDNS ask
# yell if remote hostkey changed
StrictHostKeyChecking ask
# === SYSTEM ===
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
HashKnownHosts no
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
ServerAliveInterval 57
ServerAliveCountMax 5

142
etc/ssh/sshd_config.centos7
View file

@ -1,142 +0,0 @@
# Hardened SSHD bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With additional restrictions where applicable
# -lo and -rt users only have local console login
DenyUsers *-rt
DenyUsers *-lo
# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).
# === FEATURES ===
# disable non-needed sshd features
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
PermitTunnel no
PermitUserEnvironment no
PermitUserRC no
GatewayPorts no
# === INFORMATION DISCLOSURE ===
# however, display a legal notice for each connection
Banner /etc/ssh/banner
# don't print the bastion MOTD on connection
PrintMotd no
# === CRYPTOGRAPHY ===
# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# list of allowed ciphers.
# chacha20-poly1305 is a modern cipher, considered very secure
# aes is still the standard, we prefer gcm cipher mode, but also
# allow ctr cipher mode for compatibility (ctr is still considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# list of allowed message authentication code algorithms.
# etm (encrypt-then-mac) are considered the more secure, we
# prefer umac (has been proven secure) then sha2.
# for older ssh client, fallback to the non-etm version of
# the algorithms.
# we deny md5 and sha1
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
# List of allowed key exchange algorithms.
# we prefer curve25519-sha256 which is considered the most modern/secure,
# and still allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# force rekey every 512M of data or 6 hours of connection, whichever comes first
RekeyLimit 512M 6h
# === AUTHENTICATION ===
# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password
PasswordAuthentication no
# ... keyboard interactive (needed for MFA through PAM)
KbdInteractiveAuthentication yes
# ... not kerberos
KerberosAuthentication no
# ... challenge-response (needed for MFA through PAM)
ChallengeResponseAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no
# just in case, we also explicitly deny empty passwords
PermitEmptyPasswords no
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
# which is not a security issue because the AuthenticationMethods below force the use of
# either publickey or publickey+keyboard-interactive, hence password-only login is never
# possible, for root or any other account for that matter
PermitRootLogin yes
# === LOGIN ===
# disconnect after 30 seconds if user didn't log in successfully
LoginGraceTime 30
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
MaxSessions 1
# maximum concurrent unauth connections to the sshd daemon
MaxStartups 50:30:500
# accept LANG and LC_* vars (also includes LC_BASTION)
AcceptEnv LANG LC_*
# === SYSTEM ===
# sshd log level at verbose in auth facility for auditing purposes
LogLevel VERBOSE
SyslogFacility AUTH
# check sanity of user HOME dir before allowing user to login
StrictModes yes
# never use dns (slows down connections)
UseDNS no
# use PAM facility
UsePAM yes
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case
# on your system, uncomment the next two lines (see
# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication)
#Match User root
# AuthenticationMethods publickey,keyboard-interactive:pam
# Unconditionally skip PAM auth for members of the bastion-nopam group
Match Group bastion-nopam
AuthenticationMethods publickey
# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam
Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
# if in one of the mfa groups, use publickey AND pam
Match Group mfa-totp-configd,mfa-password-configd
AuthenticationMethods publickey,keyboard-interactive:pam
# by default, always ask the publickey (no PAM)
Match All
AuthenticationMethods publickey

146
etc/ssh/sshd_config.debian9
View file

@ -1,146 +0,0 @@
# Hardened SSHD bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With additional restrictions where applicable
# -lo and -rt users only have local console login
DenyUsers *-rt
DenyUsers *-lo
# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).
# === FEATURES ===
# disable non-needed sshd features
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
PermitTunnel no
PermitUserEnvironment no
PermitUserRC no
GatewayPorts no
# === INFORMATION DISCLOSURE ===
# don't yell to the world that we're running debian,
# this disables the debian string version on the server hello message
DebianBanner no
# however, display a legal notice for each connection
Banner /etc/ssh/banner
# don't print the bastion MOTD on connection
PrintMotd no
# === CRYPTOGRAPHY ===
# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# list of allowed ciphers.
# chacha20-poly1305 is a modern cipher, considered very secure
# aes is still the standard, we prefer gcm cipher mode, but also
# allow ctr cipher mode for compatibility (ctr is still considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# list of allowed message authentication code algorithms.
# etm (encrypt-then-mac) are considered the more secure, we
# prefer umac (has been proven secure) then sha2.
# for older ssh client, fallback to the non-etm version of
# the algorithms.
# we deny md5 and sha1
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
# List of allowed key exchange algorithms.
# we prefer curve25519-sha256 which is considered the most modern/secure,
# and still allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# force rekey every 512M of data or 6 hours of connection, whichever comes first
RekeyLimit 512M 6h
# === AUTHENTICATION ===
# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password
PasswordAuthentication no
# ... keyboard interactive (needed for MFA through PAM)
KbdInteractiveAuthentication yes
# ... not kerberos
KerberosAuthentication no
# ... challenge-response (needed for MFA through PAM)
ChallengeResponseAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no
# just in case, we also explicitly deny empty passwords
PermitEmptyPasswords no
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
# which is not a security issue because the AuthenticationMethods below force the use of
# either publickey or publickey+keyboard-interactive, hence password-only login is never
# possible, for root or any other account for that matter
PermitRootLogin yes
# === LOGIN ===
# disconnect after 30 seconds if user didn't log in successfully
LoginGraceTime 30
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
MaxSessions 1
# maximum concurrent unauth connections to the sshd daemon
MaxStartups 50:30:500
# accept LANG and LC_* vars (also includes LC_BASTION)
AcceptEnv LANG LC_*
# === SYSTEM ===
# sshd log level at verbose in auth facility for auditing purposes
LogLevel VERBOSE
SyslogFacility AUTH
# check sanity of user HOME dir before allowing user to login
StrictModes yes
# never use dns (slows down connections)
UseDNS no
# use PAM facility
UsePAM yes
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case
# on your system, uncomment the next two lines (see
# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication)
#Match User root
# AuthenticationMethods publickey,keyboard-interactive:pam
# Unconditionally skip PAM auth for members of the bastion-nopam group
Match Group bastion-nopam
AuthenticationMethods publickey
# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam
Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
# if in one of the mfa groups, use publickey AND pam
Match Group mfa-totp-configd,mfa-password-configd
AuthenticationMethods publickey,keyboard-interactive:pam
# by default, always ask the publickey (no PAM)
Match All
AuthenticationMethods publickey