mirror of
https://github.com/ovh/the-bastion.git
synced 2024-09-20 06:55:58 +08:00
chg: remove support for EOL CentOS 7
This commit is contained in:
parent
560598b447
commit
914d8b30b4
2
.github/workflows/tests.yml
vendored
2
.github/workflows/tests.yml
vendored
|
@ -38,7 +38,7 @@ jobs:
|
|||
name: Full
|
||||
strategy:
|
||||
matrix:
|
||||
platform: [centos7, rockylinux8, rockylinux9, debian10, debian11, debian12, 'opensuse15@opensuse/leap:15.5', ubuntu1604, ubuntu1804, ubuntu2004, ubuntu2204]
|
||||
platform: [rockylinux8, rockylinux9, debian10, debian11, debian12, 'opensuse15@opensuse/leap:15.5', ubuntu1604, ubuntu1804, ubuntu2004, ubuntu2204]
|
||||
runs-on: ubuntu-latest
|
||||
if: contains(github.event.pull_request.labels.*.name, 'tests:full')
|
||||
steps:
|
||||
|
|
|
@ -73,7 +73,6 @@ Also don't forget to customize your `bastion.conf` file, which can be found in `
|
|||
Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS:
|
||||
|
||||
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
|
||||
- CentOS 7.x
|
||||
- RockyLinux 8.x, 9.x
|
||||
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04
|
||||
- OpenSUSE Leap 15.5\*
|
||||
|
|
|
@ -275,9 +275,7 @@ if [ "${opt[modify-ssh-config]}" = 1 ] || [ "${opt[modify-sshd-config]}" = 1 ] ;
|
|||
filesuffix=$short_suffix_name
|
||||
elif [ "$OS_FAMILY" = Linux ]; then
|
||||
if [ "$LINUX_DISTRO" = ubuntu ]; then
|
||||
if [ "$DISTRO_VERSION_MAJOR" -le 16 ]; then
|
||||
filesuffix=debian9
|
||||
elif [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then
|
||||
if [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then
|
||||
filesuffix=debian10
|
||||
elif [ "$DISTRO_VERSION_MAJOR" -le 20 ]; then
|
||||
filesuffix=debian11
|
||||
|
@ -1235,7 +1233,10 @@ fi
|
|||
if [ "${opt[modify-pam-lastlog]}" = 1 ]; then
|
||||
# pam.d lastlogin
|
||||
action_doing "Adjust lastlog in pam.d/sshd if applicable"
|
||||
if [ -e "$PAM_SSHD" ] ; then
|
||||
# don't do it for Ubuntu 24.04, as they removed pam_lastlog.so entirely
|
||||
if [ "$LINUX_DISTRO" = ubuntu ] && [ "$DISTRO_VERSION_MAJOR" -ge 24 ]; then
|
||||
action_na "Not supported under $LINUX_DISTRO $DISTRO_VERSION_MAJOR"
|
||||
elif [ -e "$PAM_SSHD" ] ; then
|
||||
if ! grep -Eq '^\s*session\s+optional\s+pam_lastlog.so' "$PAM_SSHD" ; then
|
||||
action_detail "missing lastlog config in file, adjusting"
|
||||
# shellcheck disable=SC1004
|
||||
|
|
|
@ -33,7 +33,6 @@ The following Linux distros are tested with each release, but as this is a secur
|
|||
you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS:
|
||||
|
||||
- Debian 12 (Bookworm), 11 (Bullseye), 10 (Buster)
|
||||
- CentOS 7.x
|
||||
- RockyLinux 8.x, 9.x
|
||||
- Ubuntu LTS 22.04, 20.04, 18.04, 16.04
|
||||
- OpenSUSE Leap 15.5\*
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
FROM centos:7
|
||||
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
|
||||
|
||||
# cache builds efficiently: just copy the scripts to install packages first
|
||||
COPY bin/admin/install-ttyrec.sh \
|
||||
bin/admin/install-yubico-piv-checker.sh \
|
||||
bin/admin/install-mkhash-helper.sh \
|
||||
bin/admin/packages-check.sh \
|
||||
/opt/bastion/bin/admin/
|
||||
COPY lib/shell /opt/bastion/lib/shell/
|
||||
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
|
||||
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
|
||||
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
|
||||
RUN ["/opt/bastion/bin/admin/install-mkhash-helper.sh","-r"]
|
||||
|
||||
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
|
||||
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
|
||||
sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
|
||||
|
||||
# at each modification of our code, we'll start from here thanks to build cache
|
||||
COPY . /opt/bastion
|
||||
|
||||
# tests that the environment works
|
||||
RUN ["/opt/bastion/bin/dev/perl-check.sh"]
|
||||
|
||||
# setup ssh/sshd config and setup bastion install
|
||||
RUN ["/opt/bastion/bin/admin/install","--new-install"]
|
||||
|
||||
# start at entrypoint
|
||||
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
|
||||
|
||||
# TESTOPT --has-mfa=1 --has-pamtester=1 --has-piv=1
|
|
@ -1,115 +0,0 @@
|
|||
# Hardened SSH bastion config -- modify wisely!
|
||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
||||
# With modifications where applicable/needed
|
||||
|
||||
# hardened params follow. every non-needed feature is disabled by default,
|
||||
# following the principle of least rights and least features (more enabled
|
||||
# features mean a more important attack surface).
|
||||
|
||||
# === FEATURES ===
|
||||
|
||||
# disable non-needed sshd features
|
||||
Tunnel no
|
||||
ForwardAgent no
|
||||
ForwardX11 no
|
||||
GatewayPorts no
|
||||
ControlMaster no
|
||||
|
||||
# === CRYPTOGRAPHY ===
|
||||
|
||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
||||
Protocol 2
|
||||
|
||||
# list of allowed ciphers.
|
||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
||||
# allow ctr cipher mode for compatibility (ctr is considered secure)
|
||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
||||
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
|
||||
# known gotchas:
|
||||
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
|
||||
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
# list of allowed message authentication code algorithms.
|
||||
# etm (encrypt-then-mac) are considered the more secure, we
|
||||
# prefer umac (has been proven secure) then sha2.
|
||||
# for older remote servers, fallback to the non-etm version of
|
||||
# the algorithms. we deny md5 entirely.
|
||||
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
|
||||
# Known gotchas:
|
||||
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
|
||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# List of allowed key exchange algorithms.
|
||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
||||
# and still allow diffie hellman with group exchange using sha256 which is
|
||||
# the most secure dh-based kex.
|
||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
||||
# on sha1.
|
||||
# known gotchas:
|
||||
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
|
||||
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
|
||||
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# === AUTHENTICATION ===
|
||||
|
||||
# we allow only public key authentication ...
|
||||
PubkeyAuthentication yes
|
||||
# ... not password nor keyboard-interactive
|
||||
# ... (set to yes if sshpass is to be used)
|
||||
PasswordAuthentication no
|
||||
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
|
||||
ChallengeResponseAuthentication yes
|
||||
KbdInteractiveAuthentication yes
|
||||
# ... not host-based
|
||||
HostbasedAuthentication no
|
||||
# ... and not gssapi auth.
|
||||
GSSAPIAuthentication no
|
||||
GSSAPIKeyExchange no
|
||||
GSSAPIDelegateCredentials no
|
||||
# now we specify the auth methods order we want for manual ssh calls.
|
||||
# NOTE1: as per the ssh source code, an auth method omitted hereafter
|
||||
# will not be used, even if set to "yes" above.
|
||||
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
|
||||
# value explicitly on command-line (pubkey OR sshpass), so the value
|
||||
# specified hereafter will be ignored. if you want to force-disable
|
||||
# a method, set it to "no" in the list above, as those will never be
|
||||
# overridden by the code.
|
||||
PreferredAuthentications publickey,keyboard-interactive
|
||||
|
||||
# === LOGIN ###
|
||||
|
||||
# disable escape character use
|
||||
EscapeChar none
|
||||
|
||||
# detect if a hostkey changed due to DNS spoofing
|
||||
CheckHostIP yes
|
||||
|
||||
# ignore ssh-agent, only use specified keys (-i)
|
||||
IdentitiesOnly yes
|
||||
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
|
||||
IdentityFile /dev/non/existent/file
|
||||
|
||||
# carry those vars to the other side (includes LC_BASTION)
|
||||
SendEnv LANG LC_*
|
||||
|
||||
# allow usage of SSHFP DNS records
|
||||
VerifyHostKeyDNS ask
|
||||
|
||||
# yell if remote hostkey changed
|
||||
StrictHostKeyChecking ask
|
||||
|
||||
# === SYSTEM ===
|
||||
|
||||
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
|
||||
HashKnownHosts no
|
||||
|
||||
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
|
||||
ServerAliveInterval 57
|
||||
ServerAliveCountMax 5
|
|
@ -1,115 +0,0 @@
|
|||
# Hardened SSH bastion config -- modify wisely!
|
||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
||||
# With modifications where applicable/needed
|
||||
|
||||
# hardened params follow. every non-needed feature is disabled by default,
|
||||
# following the principle of least rights and least features (more enabled
|
||||
# features mean a more important attack surface).
|
||||
|
||||
# === FEATURES ===
|
||||
|
||||
# disable non-needed sshd features
|
||||
Tunnel no
|
||||
ForwardAgent no
|
||||
ForwardX11 no
|
||||
GatewayPorts no
|
||||
ControlMaster no
|
||||
|
||||
# === CRYPTOGRAPHY ===
|
||||
|
||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
||||
Protocol 2
|
||||
|
||||
# list of allowed ciphers.
|
||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
||||
# allow ctr cipher mode for compatibility (ctr is considered secure)
|
||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
||||
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
|
||||
# known gotchas:
|
||||
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
|
||||
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
# list of allowed message authentication code algorithms.
|
||||
# etm (encrypt-then-mac) are considered the more secure, we
|
||||
# prefer umac (has been proven secure) then sha2.
|
||||
# for older remote servers, fallback to the non-etm version of
|
||||
# the algorithms. we deny md5 entirely.
|
||||
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
|
||||
# Known gotchas:
|
||||
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
|
||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# List of allowed key exchange algorithms.
|
||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
||||
# and still allow diffie hellman with group exchange using sha256 which is
|
||||
# the most secure dh-based kex.
|
||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
||||
# on sha1.
|
||||
# known gotchas:
|
||||
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
|
||||
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
|
||||
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# === AUTHENTICATION ===
|
||||
|
||||
# we allow only public key authentication ...
|
||||
PubkeyAuthentication yes
|
||||
# ... not password nor keyboard-interactive
|
||||
# ... (set to yes if sshpass is to be used)
|
||||
PasswordAuthentication no
|
||||
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
|
||||
ChallengeResponseAuthentication yes
|
||||
KbdInteractiveAuthentication yes
|
||||
# ... not host-based
|
||||
HostbasedAuthentication no
|
||||
# ... and not gssapi auth.
|
||||
GSSAPIAuthentication no
|
||||
GSSAPIKeyExchange no
|
||||
GSSAPIDelegateCredentials no
|
||||
# now we specify the auth methods order we want for manual ssh calls.
|
||||
# NOTE1: as per the ssh source code, an auth method omitted hereafter
|
||||
# will not be used, even if set to "yes" above.
|
||||
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
|
||||
# value explicitly on command-line (pubkey OR sshpass), so the value
|
||||
# specified hereafter will be ignored. if you want to force-disable
|
||||
# a method, set it to "no" in the list above, as those will never be
|
||||
# overridden by the code.
|
||||
PreferredAuthentications publickey,keyboard-interactive
|
||||
|
||||
# === LOGIN ###
|
||||
|
||||
# disable escape character use
|
||||
EscapeChar none
|
||||
|
||||
# detect if a hostkey changed due to DNS spoofing
|
||||
CheckHostIP yes
|
||||
|
||||
# ignore ssh-agent, only use specified keys (-i)
|
||||
IdentitiesOnly yes
|
||||
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
|
||||
IdentityFile /dev/non/existent/file
|
||||
|
||||
# carry those vars to the other side (includes LC_BASTION)
|
||||
SendEnv LANG LC_*
|
||||
|
||||
# allow usage of SSHFP DNS records
|
||||
VerifyHostKeyDNS ask
|
||||
|
||||
# yell if remote hostkey changed
|
||||
StrictHostKeyChecking ask
|
||||
|
||||
# === SYSTEM ===
|
||||
|
||||
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
|
||||
HashKnownHosts no
|
||||
|
||||
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
|
||||
ServerAliveInterval 57
|
||||
ServerAliveCountMax 5
|
|
@ -1,142 +0,0 @@
|
|||
# Hardened SSHD bastion config -- modify wisely!
|
||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
||||
# With additional restrictions where applicable
|
||||
|
||||
# -lo and -rt users only have local console login
|
||||
DenyUsers *-rt
|
||||
DenyUsers *-lo
|
||||
|
||||
# hardened params follow. every non-needed feature is disabled by default,
|
||||
# following the principle of least rights and least features (more enabled
|
||||
# features mean a more important attack surface).
|
||||
|
||||
# === FEATURES ===
|
||||
|
||||
# disable non-needed sshd features
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
X11Forwarding no
|
||||
PermitTunnel no
|
||||
PermitUserEnvironment no
|
||||
PermitUserRC no
|
||||
GatewayPorts no
|
||||
|
||||
# === INFORMATION DISCLOSURE ===
|
||||
|
||||
# however, display a legal notice for each connection
|
||||
Banner /etc/ssh/banner
|
||||
|
||||
# don't print the bastion MOTD on connection
|
||||
PrintMotd no
|
||||
|
||||
# === CRYPTOGRAPHY ===
|
||||
|
||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
||||
Protocol 2
|
||||
|
||||
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
|
||||
# list of allowed ciphers.
|
||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
||||
# allow ctr cipher mode for compatibility (ctr is still considered secure)
|
||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
# list of allowed message authentication code algorithms.
|
||||
# etm (encrypt-then-mac) are considered the more secure, we
|
||||
# prefer umac (has been proven secure) then sha2.
|
||||
# for older ssh client, fallback to the non-etm version of
|
||||
# the algorithms.
|
||||
# we deny md5 and sha1
|
||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# List of allowed key exchange algorithms.
|
||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
||||
# and still allow diffie hellman with group exchange using sha256 which is
|
||||
# the most secure dh-based kex.
|
||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
||||
# on sha1.
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# force rekey every 512M of data or 6 hours of connection, whichever comes first
|
||||
RekeyLimit 512M 6h
|
||||
|
||||
# === AUTHENTICATION ===
|
||||
|
||||
# we allow only public key authentication ...
|
||||
PubkeyAuthentication yes
|
||||
# ... not password
|
||||
PasswordAuthentication no
|
||||
# ... keyboard interactive (needed for MFA through PAM)
|
||||
KbdInteractiveAuthentication yes
|
||||
# ... not kerberos
|
||||
KerberosAuthentication no
|
||||
# ... challenge-response (needed for MFA through PAM)
|
||||
ChallengeResponseAuthentication yes
|
||||
# ... not host-based
|
||||
HostbasedAuthentication no
|
||||
# ... and not gssapi auth.
|
||||
GSSAPIAuthentication no
|
||||
GSSAPIKeyExchange no
|
||||
|
||||
# just in case, we also explicitly deny empty passwords
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
|
||||
# which is not a security issue because the AuthenticationMethods below force the use of
|
||||
# either publickey or publickey+keyboard-interactive, hence password-only login is never
|
||||
# possible, for root or any other account for that matter
|
||||
PermitRootLogin yes
|
||||
|
||||
# === LOGIN ===
|
||||
|
||||
# disconnect after 30 seconds if user didn't log in successfully
|
||||
LoginGraceTime 30
|
||||
|
||||
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
|
||||
MaxSessions 1
|
||||
|
||||
# maximum concurrent unauth connections to the sshd daemon
|
||||
MaxStartups 50:30:500
|
||||
|
||||
# accept LANG and LC_* vars (also includes LC_BASTION)
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
# === SYSTEM ===
|
||||
|
||||
# sshd log level at verbose in auth facility for auditing purposes
|
||||
LogLevel VERBOSE
|
||||
SyslogFacility AUTH
|
||||
|
||||
# check sanity of user HOME dir before allowing user to login
|
||||
StrictModes yes
|
||||
|
||||
# never use dns (slows down connections)
|
||||
UseDNS no
|
||||
|
||||
# use PAM facility
|
||||
UsePAM yes
|
||||
|
||||
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
|
||||
# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case
|
||||
# on your system, uncomment the next two lines (see
|
||||
# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication)
|
||||
#Match User root
|
||||
# AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
# Unconditionally skip PAM auth for members of the bastion-nopam group
|
||||
Match Group bastion-nopam
|
||||
AuthenticationMethods publickey
|
||||
# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam
|
||||
Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional
|
||||
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
|
||||
# if in one of the mfa groups, use publickey AND pam
|
||||
Match Group mfa-totp-configd,mfa-password-configd
|
||||
AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
# by default, always ask the publickey (no PAM)
|
||||
Match All
|
||||
AuthenticationMethods publickey
|
|
@ -1,146 +0,0 @@
|
|||
# Hardened SSHD bastion config -- modify wisely!
|
||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
||||
# With additional restrictions where applicable
|
||||
|
||||
# -lo and -rt users only have local console login
|
||||
DenyUsers *-rt
|
||||
DenyUsers *-lo
|
||||
|
||||
# hardened params follow. every non-needed feature is disabled by default,
|
||||
# following the principle of least rights and least features (more enabled
|
||||
# features mean a more important attack surface).
|
||||
|
||||
# === FEATURES ===
|
||||
|
||||
# disable non-needed sshd features
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
X11Forwarding no
|
||||
PermitTunnel no
|
||||
PermitUserEnvironment no
|
||||
PermitUserRC no
|
||||
GatewayPorts no
|
||||
|
||||
# === INFORMATION DISCLOSURE ===
|
||||
|
||||
# don't yell to the world that we're running debian,
|
||||
# this disables the debian string version on the server hello message
|
||||
DebianBanner no
|
||||
|
||||
# however, display a legal notice for each connection
|
||||
Banner /etc/ssh/banner
|
||||
|
||||
# don't print the bastion MOTD on connection
|
||||
PrintMotd no
|
||||
|
||||
# === CRYPTOGRAPHY ===
|
||||
|
||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
||||
Protocol 2
|
||||
|
||||
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
|
||||
# list of allowed ciphers.
|
||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
||||
# allow ctr cipher mode for compatibility (ctr is still considered secure)
|
||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
# list of allowed message authentication code algorithms.
|
||||
# etm (encrypt-then-mac) are considered the more secure, we
|
||||
# prefer umac (has been proven secure) then sha2.
|
||||
# for older ssh client, fallback to the non-etm version of
|
||||
# the algorithms.
|
||||
# we deny md5 and sha1
|
||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# List of allowed key exchange algorithms.
|
||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
||||
# and still allow diffie hellman with group exchange using sha256 which is
|
||||
# the most secure dh-based kex.
|
||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
||||
# on sha1.
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# force rekey every 512M of data or 6 hours of connection, whichever comes first
|
||||
RekeyLimit 512M 6h
|
||||
|
||||
# === AUTHENTICATION ===
|
||||
|
||||
# we allow only public key authentication ...
|
||||
PubkeyAuthentication yes
|
||||
# ... not password
|
||||
PasswordAuthentication no
|
||||
# ... keyboard interactive (needed for MFA through PAM)
|
||||
KbdInteractiveAuthentication yes
|
||||
# ... not kerberos
|
||||
KerberosAuthentication no
|
||||
# ... challenge-response (needed for MFA through PAM)
|
||||
ChallengeResponseAuthentication yes
|
||||
# ... not host-based
|
||||
HostbasedAuthentication no
|
||||
# ... and not gssapi auth.
|
||||
GSSAPIAuthentication no
|
||||
GSSAPIKeyExchange no
|
||||
|
||||
# just in case, we also explicitly deny empty passwords
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
|
||||
# which is not a security issue because the AuthenticationMethods below force the use of
|
||||
# either publickey or publickey+keyboard-interactive, hence password-only login is never
|
||||
# possible, for root or any other account for that matter
|
||||
PermitRootLogin yes
|
||||
|
||||
# === LOGIN ===
|
||||
|
||||
# disconnect after 30 seconds if user didn't log in successfully
|
||||
LoginGraceTime 30
|
||||
|
||||
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
|
||||
MaxSessions 1
|
||||
|
||||
# maximum concurrent unauth connections to the sshd daemon
|
||||
MaxStartups 50:30:500
|
||||
|
||||
# accept LANG and LC_* vars (also includes LC_BASTION)
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
# === SYSTEM ===
|
||||
|
||||
# sshd log level at verbose in auth facility for auditing purposes
|
||||
LogLevel VERBOSE
|
||||
SyslogFacility AUTH
|
||||
|
||||
# check sanity of user HOME dir before allowing user to login
|
||||
StrictModes yes
|
||||
|
||||
# never use dns (slows down connections)
|
||||
UseDNS no
|
||||
|
||||
# use PAM facility
|
||||
UsePAM yes
|
||||
|
||||
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
|
||||
# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case
|
||||
# on your system, uncomment the next two lines (see
|
||||
# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication)
|
||||
#Match User root
|
||||
# AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
# Unconditionally skip PAM auth for members of the bastion-nopam group
|
||||
Match Group bastion-nopam
|
||||
AuthenticationMethods publickey
|
||||
# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam
|
||||
Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional
|
||||
AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
|
||||
# if in one of the mfa groups, use publickey AND pam
|
||||
Match Group mfa-totp-configd,mfa-password-configd
|
||||
AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
# by default, always ask the publickey (no PAM)
|
||||
Match All
|
||||
AuthenticationMethods publickey
|
Loading…
Reference in a new issue