mirror of
https://github.com/ovh/the-bastion.git
synced 2024-09-20 06:55:58 +08:00
chg: remove support for EOL CentOS 7
This commit is contained in:
parent
560598b447
commit
914d8b30b4
2
.github/workflows/tests.yml
vendored
2
.github/workflows/tests.yml
vendored
|
@ -38,7 +38,7 @@ jobs:
|
||||||
name: Full
|
name: Full
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
platform: [centos7, rockylinux8, rockylinux9, debian10, debian11, debian12, 'opensuse15@opensuse/leap:15.5', ubuntu1604, ubuntu1804, ubuntu2004, ubuntu2204]
|
platform: [rockylinux8, rockylinux9, debian10, debian11, debian12, 'opensuse15@opensuse/leap:15.5', ubuntu1604, ubuntu1804, ubuntu2004, ubuntu2204]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
if: contains(github.event.pull_request.labels.*.name, 'tests:full')
|
if: contains(github.event.pull_request.labels.*.name, 'tests:full')
|
||||||
steps:
|
steps:
|
||||||
|
|
|
@ -73,7 +73,6 @@ Also don't forget to customize your `bastion.conf` file, which can be found in `
|
||||||
Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS:
|
Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS:
|
||||||
|
|
||||||
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
|
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
|
||||||
- CentOS 7.x
|
|
||||||
- RockyLinux 8.x, 9.x
|
- RockyLinux 8.x, 9.x
|
||||||
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04
|
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04
|
||||||
- OpenSUSE Leap 15.5\*
|
- OpenSUSE Leap 15.5\*
|
||||||
|
|
|
@ -275,9 +275,7 @@ if [ "${opt[modify-ssh-config]}" = 1 ] || [ "${opt[modify-sshd-config]}" = 1 ] ;
|
||||||
filesuffix=$short_suffix_name
|
filesuffix=$short_suffix_name
|
||||||
elif [ "$OS_FAMILY" = Linux ]; then
|
elif [ "$OS_FAMILY" = Linux ]; then
|
||||||
if [ "$LINUX_DISTRO" = ubuntu ]; then
|
if [ "$LINUX_DISTRO" = ubuntu ]; then
|
||||||
if [ "$DISTRO_VERSION_MAJOR" -le 16 ]; then
|
if [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then
|
||||||
filesuffix=debian9
|
|
||||||
elif [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then
|
|
||||||
filesuffix=debian10
|
filesuffix=debian10
|
||||||
elif [ "$DISTRO_VERSION_MAJOR" -le 20 ]; then
|
elif [ "$DISTRO_VERSION_MAJOR" -le 20 ]; then
|
||||||
filesuffix=debian11
|
filesuffix=debian11
|
||||||
|
@ -1235,7 +1233,10 @@ fi
|
||||||
if [ "${opt[modify-pam-lastlog]}" = 1 ]; then
|
if [ "${opt[modify-pam-lastlog]}" = 1 ]; then
|
||||||
# pam.d lastlogin
|
# pam.d lastlogin
|
||||||
action_doing "Adjust lastlog in pam.d/sshd if applicable"
|
action_doing "Adjust lastlog in pam.d/sshd if applicable"
|
||||||
if [ -e "$PAM_SSHD" ] ; then
|
# don't do it for Ubuntu 24.04, as they removed pam_lastlog.so entirely
|
||||||
|
if [ "$LINUX_DISTRO" = ubuntu ] && [ "$DISTRO_VERSION_MAJOR" -ge 24 ]; then
|
||||||
|
action_na "Not supported under $LINUX_DISTRO $DISTRO_VERSION_MAJOR"
|
||||||
|
elif [ -e "$PAM_SSHD" ] ; then
|
||||||
if ! grep -Eq '^\s*session\s+optional\s+pam_lastlog.so' "$PAM_SSHD" ; then
|
if ! grep -Eq '^\s*session\s+optional\s+pam_lastlog.so' "$PAM_SSHD" ; then
|
||||||
action_detail "missing lastlog config in file, adjusting"
|
action_detail "missing lastlog config in file, adjusting"
|
||||||
# shellcheck disable=SC1004
|
# shellcheck disable=SC1004
|
||||||
|
|
|
@ -33,7 +33,6 @@ The following Linux distros are tested with each release, but as this is a secur
|
||||||
you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS:
|
you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS:
|
||||||
|
|
||||||
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
|
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
|
||||||
- CentOS 7.x
|
|
||||||
- RockyLinux 8.x, 9.x
|
- RockyLinux 8.x, 9.x
|
||||||
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04
|
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04
|
||||||
- OpenSUSE Leap 15.5\*
|
- OpenSUSE Leap 15.5\*
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
FROM centos:7
|
|
||||||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
|
||||||
|
|
||||||
# cache builds efficiently: just copy the scripts to install packages first
|
|
||||||
COPY bin/admin/install-ttyrec.sh \
|
|
||||||
bin/admin/install-yubico-piv-checker.sh \
|
|
||||||
bin/admin/install-mkhash-helper.sh \
|
|
||||||
bin/admin/packages-check.sh \
|
|
||||||
/opt/bastion/bin/admin/
|
|
||||||
COPY lib/shell /opt/bastion/lib/shell/
|
|
||||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
|
||||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
|
|
||||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
|
|
||||||
RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"]
|
|
||||||
|
|
||||||
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
|
|
||||||
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
|
|
||||||
sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
|
|
||||||
|
|
||||||
# at each modification of our code, we'll start from here thanks to build cache
|
|
||||||
COPY . /opt/bastion
|
|
||||||
|
|
||||||
# tests that the environment works
|
|
||||||
RUN ["/opt/bastion/bin/dev/perl-check.sh"]
|
|
||||||
|
|
||||||
# setup ssh/sshd config and setup bastion install
|
|
||||||
RUN ["/opt/bastion/bin/admin/install","--new-install"]
|
|
||||||
|
|
||||||
# start at entrypoint
|
|
||||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
|
||||||
|
|
||||||
# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
|
|
|
@ -1,115 +0,0 @@
|
||||||
# Hardened SSH bastion config -- modify wisely!
|
|
||||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
|
||||||
# With modifications where applicable/needed
|
|
||||||
|
|
||||||
# hardened params follow. every non-needed feature is disabled by default,
|
|
||||||
# following the principle of least rights and least features (more enabled
|
|
||||||
# features mean a more important attack surface).
|
|
||||||
|
|
||||||
# === FEATURES ===
|
|
||||||
|
|
||||||
# disable non-needed sshd features
|
|
||||||
Tunnel no
|
|
||||||
ForwardAgent no
|
|
||||||
ForwardX11 no
|
|
||||||
GatewayPorts no
|
|
||||||
ControlMaster no
|
|
||||||
|
|
||||||
# === CRYPTOGRAPHY ===
|
|
||||||
|
|
||||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
|
||||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
|
||||||
Protocol 2
|
|
||||||
|
|
||||||
# list of allowed ciphers.
|
|
||||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
|
||||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
|
||||||
# allow ctr cipher mode for compatibility (ctr is considered secure)
|
|
||||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
|
||||||
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
|
|
||||||
# known gotchas:
|
|
||||||
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
|
|
||||||
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
|
|
||||||
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
|
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
||||||
|
|
||||||
# list of allowed message authentication code algorithms.
|
|
||||||
# etm (encrypt-then-mac) are considered the more secure, we
|
|
||||||
# prefer umac (has been proven secure) then sha2.
|
|
||||||
# for older remote servers, fallback to the non-etm version of
|
|
||||||
# the algorithms. we deny md5 entirely.
|
|
||||||
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
|
|
||||||
# Known gotchas:
|
|
||||||
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
|
|
||||||
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
|
|
||||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
|
||||||
|
|
||||||
# List of allowed key exchange algorithms.
|
|
||||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
|
||||||
# and still allow diffie hellman with group exchange using sha256 which is
|
|
||||||
# the most secure dh-based kex.
|
|
||||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
|
||||||
# on sha1.
|
|
||||||
# known gotchas:
|
|
||||||
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
|
|
||||||
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
|
|
||||||
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
|
|
||||||
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
|
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
||||||
|
|
||||||
# === AUTHENTICATION ===
|
|
||||||
|
|
||||||
# we allow only public key authentication ...
|
|
||||||
PubkeyAuthentication yes
|
|
||||||
# ... not password nor keyboard-interactive
|
|
||||||
# ... (set to yes if sshpass is to be used)
|
|
||||||
PasswordAuthentication no
|
|
||||||
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
|
|
||||||
ChallengeResponseAuthentication yes
|
|
||||||
KbdInteractiveAuthentication yes
|
|
||||||
# ... not host-based
|
|
||||||
HostbasedAuthentication no
|
|
||||||
# ... and not gssapi auth.
|
|
||||||
GSSAPIAuthentication no
|
|
||||||
GSSAPIKeyExchange no
|
|
||||||
GSSAPIDelegateCredentials no
|
|
||||||
# now we specify the auth methods order we want for manual ssh calls.
|
|
||||||
# NOTE1: as per the ssh source code, an auth method omitted hereafter
|
|
||||||
# will not be used, even if set to "yes" above.
|
|
||||||
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
|
|
||||||
# value explicitly on command-line (pubkey OR sshpass), so the value
|
|
||||||
# specified hereafter will be ignored. if you want to force-disable
|
|
||||||
# a method, set it to "no" in the list above, as those will never be
|
|
||||||
# overridden by the code.
|
|
||||||
PreferredAuthentications publickey,keyboard-interactive
|
|
||||||
|
|
||||||
# === LOGIN ###
|
|
||||||
|
|
||||||
# disable escape character use
|
|
||||||
EscapeChar none
|
|
||||||
|
|
||||||
# detect if a hostkey changed due to DNS spoofing
|
|
||||||
CheckHostIP yes
|
|
||||||
|
|
||||||
# ignore ssh-agent, only use specified keys (-i)
|
|
||||||
IdentitiesOnly yes
|
|
||||||
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
|
|
||||||
IdentityFile /dev/non/existent/file
|
|
||||||
|
|
||||||
# carry those vars to the other side (includes LC_BASTION)
|
|
||||||
SendEnv LANG LC_*
|
|
||||||
|
|
||||||
# allow usage of SSHFP DNS records
|
|
||||||
VerifyHostKeyDNS ask
|
|
||||||
|
|
||||||
# yell if remote hostkey changed
|
|
||||||
StrictHostKeyChecking ask
|
|
||||||
|
|
||||||
# === SYSTEM ===
|
|
||||||
|
|
||||||
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
|
|
||||||
HashKnownHosts no
|
|
||||||
|
|
||||||
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
|
|
||||||
ServerAliveInterval 57
|
|
||||||
ServerAliveCountMax 5
|
|
|
@ -1,115 +0,0 @@
|
||||||
# Hardened SSH bastion config -- modify wisely!
|
|
||||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
|
||||||
# With modifications where applicable/needed
|
|
||||||
|
|
||||||
# hardened params follow. every non-needed feature is disabled by default,
|
|
||||||
# following the principle of least rights and least features (more enabled
|
|
||||||
# features mean a more important attack surface).
|
|
||||||
|
|
||||||
# === FEATURES ===
|
|
||||||
|
|
||||||
# disable non-needed sshd features
|
|
||||||
Tunnel no
|
|
||||||
ForwardAgent no
|
|
||||||
ForwardX11 no
|
|
||||||
GatewayPorts no
|
|
||||||
ControlMaster no
|
|
||||||
|
|
||||||
# === CRYPTOGRAPHY ===
|
|
||||||
|
|
||||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
|
||||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
|
||||||
Protocol 2
|
|
||||||
|
|
||||||
# list of allowed ciphers.
|
|
||||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
|
||||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
|
||||||
# allow ctr cipher mode for compatibility (ctr is considered secure)
|
|
||||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
|
||||||
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
|
|
||||||
# known gotchas:
|
|
||||||
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
|
|
||||||
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
|
|
||||||
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
|
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
||||||
|
|
||||||
# list of allowed message authentication code algorithms.
|
|
||||||
# etm (encrypt-then-mac) are considered the more secure, we
|
|
||||||
# prefer umac (has been proven secure) then sha2.
|
|
||||||
# for older remote servers, fallback to the non-etm version of
|
|
||||||
# the algorithms. we deny md5 entirely.
|
|
||||||
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
|
|
||||||
# Known gotchas:
|
|
||||||
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
|
|
||||||
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
|
|
||||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
|
||||||
|
|
||||||
# List of allowed key exchange algorithms.
|
|
||||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
|
||||||
# and still allow diffie hellman with group exchange using sha256 which is
|
|
||||||
# the most secure dh-based kex.
|
|
||||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
|
||||||
# on sha1.
|
|
||||||
# known gotchas:
|
|
||||||
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
|
|
||||||
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
|
|
||||||
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
|
|
||||||
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
|
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
||||||
|
|
||||||
# === AUTHENTICATION ===
|
|
||||||
|
|
||||||
# we allow only public key authentication ...
|
|
||||||
PubkeyAuthentication yes
|
|
||||||
# ... not password nor keyboard-interactive
|
|
||||||
# ... (set to yes if sshpass is to be used)
|
|
||||||
PasswordAuthentication no
|
|
||||||
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
|
|
||||||
ChallengeResponseAuthentication yes
|
|
||||||
KbdInteractiveAuthentication yes
|
|
||||||
# ... not host-based
|
|
||||||
HostbasedAuthentication no
|
|
||||||
# ... and not gssapi auth.
|
|
||||||
GSSAPIAuthentication no
|
|
||||||
GSSAPIKeyExchange no
|
|
||||||
GSSAPIDelegateCredentials no
|
|
||||||
# now we specify the auth methods order we want for manual ssh calls.
|
|
||||||
# NOTE1: as per the ssh source code, an auth method omitted hereafter
|
|
||||||
# will not be used, even if set to "yes" above.
|
|
||||||
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
|
|
||||||
# value explicitly on command-line (pubkey OR sshpass), so the value
|
|
||||||
# specified hereafter will be ignored. if you want to force-disable
|
|
||||||
# a method, set it to "no" in the list above, as those will never be
|
|
||||||
# overridden by the code.
|
|
||||||
PreferredAuthentications publickey,keyboard-interactive
|
|
||||||
|
|
||||||
# === LOGIN ###
|
|
||||||
|
|
||||||
# disable escape character use
|
|
||||||
EscapeChar none
|
|
||||||
|
|
||||||
# detect if a hostkey changed due to DNS spoofing
|
|
||||||
CheckHostIP yes
|
|
||||||
|
|
||||||
# ignore ssh-agent, only use specified keys (-i)
|
|
||||||
IdentitiesOnly yes
|
|
||||||
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
|
|
||||||
IdentityFile /dev/non/existent/file
|
|
||||||
|
|
||||||
# carry those vars to the other side (includes LC_BASTION)
|
|
||||||
SendEnv LANG LC_*
|
|
||||||
|
|
||||||
# allow usage of SSHFP DNS records
|
|
||||||
VerifyHostKeyDNS ask
|
|
||||||
|
|
||||||
# yell if remote hostkey changed
|
|
||||||
StrictHostKeyChecking ask
|
|
||||||
|
|
||||||
# === SYSTEM ===
|
|
||||||
|
|
||||||
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
|
|
||||||
HashKnownHosts no
|
|
||||||
|
|
||||||
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
|
|
||||||
ServerAliveInterval 57
|
|
||||||
ServerAliveCountMax 5
|
|
|
@ -1,142 +0,0 @@
|
||||||
# Hardened SSHD bastion config -- modify wisely!
|
|
||||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
|
||||||
# With additional restrictions where applicable
|
|
||||||
|
|
||||||
# -lo and -rt users only have local console login
|
|
||||||
DenyUsers *-rt
|
|
||||||
DenyUsers *-lo
|
|
||||||
|
|
||||||
# hardened params follow. every non-needed feature is disabled by default,
|
|
||||||
# following the principle of least rights and least features (more enabled
|
|
||||||
# features mean a more important attack surface).
|
|
||||||
|
|
||||||
# === FEATURES ===
|
|
||||||
|
|
||||||
# disable non-needed sshd features
|
|
||||||
AllowAgentForwarding no
|
|
||||||
AllowTcpForwarding no
|
|
||||||
AllowStreamLocalForwarding no
|
|
||||||
X11Forwarding no
|
|
||||||
PermitTunnel no
|
|
||||||
PermitUserEnvironment no
|
|
||||||
PermitUserRC no
|
|
||||||
GatewayPorts no
|
|
||||||
|
|
||||||
# === INFORMATION DISCLOSURE ===
|
|
||||||
|
|
||||||
# however, display a legal notice for each connection
|
|
||||||
Banner /etc/ssh/banner
|
|
||||||
|
|
||||||
# don't print the bastion MOTD on connection
|
|
||||||
PrintMotd no
|
|
||||||
|
|
||||||
# === CRYPTOGRAPHY ===
|
|
||||||
|
|
||||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
|
||||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
|
||||||
Protocol 2
|
|
||||||
|
|
||||||
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
|
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
|
|
||||||
# list of allowed ciphers.
|
|
||||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
|
||||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
|
||||||
# allow ctr cipher mode for compatibility (ctr is still considered secure)
|
|
||||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
||||||
|
|
||||||
# list of allowed message authentication code algorithms.
|
|
||||||
# etm (encrypt-then-mac) are considered the more secure, we
|
|
||||||
# prefer umac (has been proven secure) then sha2.
|
|
||||||
# for older ssh client, fallback to the non-etm version of
|
|
||||||
# the algorithms.
|
|
||||||
# we deny md5 and sha1
|
|
||||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
|
||||||
|
|
||||||
# List of allowed key exchange algorithms.
|
|
||||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
|
||||||
# and still allow diffie hellman with group exchange using sha256 which is
|
|
||||||
# the most secure dh-based kex.
|
|
||||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
|
||||||
# on sha1.
|
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
||||||
|
|
||||||
# force rekey every 512M of data or 6 hours of connection, whichever comes first
|
|
||||||
RekeyLimit 512M 6h
|
|
||||||
|
|
||||||
# === AUTHENTICATION ===
|
|
||||||
|
|
||||||
# we allow only public key authentication ...
|
|
||||||
PubkeyAuthentication yes
|
|
||||||
# ... not password
|
|
||||||
PasswordAuthentication no
|
|
||||||
# ... keyboard interactive (needed for MFA through PAM)
|
|
||||||
KbdInteractiveAuthentication yes
|
|
||||||
# ... not kerberos
|
|
||||||
KerberosAuthentication no
|
|
||||||
# ... challenge-response (needed for MFA through PAM)
|
|
||||||
ChallengeResponseAuthentication yes
|
|
||||||
# ... not host-based
|
|
||||||
HostbasedAuthentication no
|
|
||||||
# ... and not gssapi auth.
|
|
||||||
GSSAPIAuthentication no
|
|
||||||
GSSAPIKeyExchange no
|
|
||||||
|
|
||||||
# just in case, we also explicitly deny empty passwords
|
|
||||||
PermitEmptyPasswords no
|
|
||||||
|
|
||||||
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
|
|
||||||
# which is not a security issue because the AuthenticationMethods below force the use of
|
|
||||||
# either publickey or publickey+keyboard-interactive, hence password-only login is never
|
|
||||||
# possible, for root or any other account for that matter
|
|
||||||
PermitRootLogin yes
|
|
||||||
|
|
||||||
# === LOGIN ===
|
|
||||||
|
|
||||||
# disconnect after 30 seconds if user didn't log in successfully
|
|
||||||
LoginGraceTime 30
|
|
||||||
|
|
||||||
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
|
|
||||||
MaxSessions 1
|
|
||||||
|
|
||||||
# maximum concurrent unauth connections to the sshd daemon
|
|
||||||
MaxStartups 50:30:500
|
|
||||||
|
|
||||||
# accept LANG and LC_* vars (also includes LC_BASTION)
|
|
||||||
AcceptEnv LANG LC_*
|
|
||||||
|
|
||||||
# === SYSTEM ===
|
|
||||||
|
|
||||||
# sshd log level at verbose in auth facility for auditing purposes
|
|
||||||
LogLevel VERBOSE
|
|
||||||
SyslogFacility AUTH
|
|
||||||
|
|
||||||
# check sanity of user HOME dir before allowing user to login
|
|
||||||
StrictModes yes
|
|
||||||
|
|
||||||
# never use dns (slows down connections)
|
|
||||||
UseDNS no
|
|
||||||
|
|
||||||
# use PAM facility
|
|
||||||
UsePAM yes
|
|
||||||
|
|
||||||
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
|
|
||||||
# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case
|
|
||||||
# on your system, uncomment the next two lines (see
|
|
||||||
# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication)
|
|
||||||
#Match User root
|
|
||||||
# AuthenticationMethods publickey,keyboard-interactive:pam
|
|
||||||
# Unconditionally skip PAM auth for members of the bastion-nopam group
|
|
||||||
Match Group bastion-nopam
|
|
||||||
AuthenticationMethods publickey
|
|
||||||
# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam
|
|
||||||
Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional
|
|
||||||
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
|
|
||||||
# if in one of the mfa groups, use publickey AND pam
|
|
||||||
Match Group mfa-totp-configd,mfa-password-configd
|
|
||||||
AuthenticationMethods publickey,keyboard-interactive:pam
|
|
||||||
# by default, always ask the publickey (no PAM)
|
|
||||||
Match All
|
|
||||||
AuthenticationMethods publickey
|
|
|
@ -1,146 +0,0 @@
|
||||||
# Hardened SSHD bastion config -- modify wisely!
|
|
||||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
|
||||||
# With additional restrictions where applicable
|
|
||||||
|
|
||||||
# -lo and -rt users only have local console login
|
|
||||||
DenyUsers *-rt
|
|
||||||
DenyUsers *-lo
|
|
||||||
|
|
||||||
# hardened params follow. every non-needed feature is disabled by default,
|
|
||||||
# following the principle of least rights and least features (more enabled
|
|
||||||
# features mean a more important attack surface).
|
|
||||||
|
|
||||||
# === FEATURES ===
|
|
||||||
|
|
||||||
# disable non-needed sshd features
|
|
||||||
AllowAgentForwarding no
|
|
||||||
AllowTcpForwarding no
|
|
||||||
AllowStreamLocalForwarding no
|
|
||||||
X11Forwarding no
|
|
||||||
PermitTunnel no
|
|
||||||
PermitUserEnvironment no
|
|
||||||
PermitUserRC no
|
|
||||||
GatewayPorts no
|
|
||||||
|
|
||||||
# === INFORMATION DISCLOSURE ===
|
|
||||||
|
|
||||||
# don't yell to the world that we're running debian,
|
|
||||||
# this disables the debian string version on the server hello message
|
|
||||||
DebianBanner no
|
|
||||||
|
|
||||||
# however, display a legal notice for each connection
|
|
||||||
Banner /etc/ssh/banner
|
|
||||||
|
|
||||||
# don't print the bastion MOTD on connection
|
|
||||||
PrintMotd no
|
|
||||||
|
|
||||||
# === CRYPTOGRAPHY ===
|
|
||||||
|
|
||||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
|
||||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
|
||||||
Protocol 2
|
|
||||||
|
|
||||||
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
|
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
|
|
||||||
# list of allowed ciphers.
|
|
||||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
|
||||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
|
||||||
# allow ctr cipher mode for compatibility (ctr is still considered secure)
|
|
||||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
||||||
|
|
||||||
# list of allowed message authentication code algorithms.
|
|
||||||
# etm (encrypt-then-mac) are considered the more secure, we
|
|
||||||
# prefer umac (has been proven secure) then sha2.
|
|
||||||
# for older ssh client, fallback to the non-etm version of
|
|
||||||
# the algorithms.
|
|
||||||
# we deny md5 and sha1
|
|
||||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
|
||||||
|
|
||||||
# List of allowed key exchange algorithms.
|
|
||||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
|
||||||
# and still allow diffie hellman with group exchange using sha256 which is
|
|
||||||
# the most secure dh-based kex.
|
|
||||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
|
||||||
# on sha1.
|
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
||||||
|
|
||||||
# force rekey every 512M of data or 6 hours of connection, whichever comes first
|
|
||||||
RekeyLimit 512M 6h
|
|
||||||
|
|
||||||
# === AUTHENTICATION ===
|
|
||||||
|
|
||||||
# we allow only public key authentication ...
|
|
||||||
PubkeyAuthentication yes
|
|
||||||
# ... not password
|
|
||||||
PasswordAuthentication no
|
|
||||||
# ... keyboard interactive (needed for MFA through PAM)
|
|
||||||
KbdInteractiveAuthentication yes
|
|
||||||
# ... not kerberos
|
|
||||||
KerberosAuthentication no
|
|
||||||
# ... challenge-response (needed for MFA through PAM)
|
|
||||||
ChallengeResponseAuthentication yes
|
|
||||||
# ... not host-based
|
|
||||||
HostbasedAuthentication no
|
|
||||||
# ... and not gssapi auth.
|
|
||||||
GSSAPIAuthentication no
|
|
||||||
GSSAPIKeyExchange no
|
|
||||||
|
|
||||||
# just in case, we also explicitly deny empty passwords
|
|
||||||
PermitEmptyPasswords no
|
|
||||||
|
|
||||||
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
|
|
||||||
# which is not a security issue because the AuthenticationMethods below force the use of
|
|
||||||
# either publickey or publickey+keyboard-interactive, hence password-only login is never
|
|
||||||
# possible, for root or any other account for that matter
|
|
||||||
PermitRootLogin yes
|
|
||||||
|
|
||||||
# === LOGIN ===
|
|
||||||
|
|
||||||
# disconnect after 30 seconds if user didn't log in successfully
|
|
||||||
LoginGraceTime 30
|
|
||||||
|
|
||||||
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
|
|
||||||
MaxSessions 1
|
|
||||||
|
|
||||||
# maximum concurrent unauth connections to the sshd daemon
|
|
||||||
MaxStartups 50:30:500
|
|
||||||
|
|
||||||
# accept LANG and LC_* vars (also includes LC_BASTION)
|
|
||||||
AcceptEnv LANG LC_*
|
|
||||||
|
|
||||||
# === SYSTEM ===
|
|
||||||
|
|
||||||
# sshd log level at verbose in auth facility for auditing purposes
|
|
||||||
LogLevel VERBOSE
|
|
||||||
SyslogFacility AUTH
|
|
||||||
|
|
||||||
# check sanity of user HOME dir before allowing user to login
|
|
||||||
StrictModes yes
|
|
||||||
|
|
||||||
# never use dns (slows down connections)
|
|
||||||
UseDNS no
|
|
||||||
|
|
||||||
# use PAM facility
|
|
||||||
UsePAM yes
|
|
||||||
|
|
||||||
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
|
|
||||||
# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case
|
|
||||||
# on your system, uncomment the next two lines (see
|
|
||||||
# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication)
|
|
||||||
#Match User root
|
|
||||||
# AuthenticationMethods publickey,keyboard-interactive:pam
|
|
||||||
# Unconditionally skip PAM auth for members of the bastion-nopam group
|
|
||||||
Match Group bastion-nopam
|
|
||||||
AuthenticationMethods publickey
|
|
||||||
# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam
|
|
||||||
Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional
|
|
||||||
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
|
|
||||||
# if in one of the mfa groups, use publickey AND pam
|
|
||||||
Match Group mfa-totp-configd,mfa-password-configd
|
|
||||||
AuthenticationMethods publickey,keyboard-interactive:pam
|
|
||||||
# by default, always ask the publickey (no PAM)
|
|
||||||
Match All
|
|
||||||
AuthenticationMethods publickey
|
|
Loading…
Reference in a new issue