RiFi2k · December 28, 2016 23:43 · broskees · May 16, 2018
diff --git a/ssh-hardening-defaults.yml b/ssh-hardening-defaults.yml
 # Documentation: https://roots.io/trellis/docs/security/
 # Which components to generate the configuration files for.
 # If remote machine doesn't have an SSH server then change the ssh_client_hardening to false.
 ssh_client_hardening: true              # SSH
 ssh_server_hardening: true              # SSHD

 # Set to true if CBC for ciphers is required.
 ssh_client_cbc_required: false          # SSH
 ssh_server_cbc_required: false          # SSHD

 # Set to true if weaker HMAC mechanisms are required.
 ssh_client_weak_hmac: false             # SSH
 ssh_server_weak_hmac: false             # SSHD

 # Set to true if weaker Key-Exchange (KEX) mechanisms are required.
 ssh_client_weak_kex: false              # SSH
 ssh_server_weak_kex: false              # SSHD

 # Set to true to allow logins with passwords.
 ssh_client_password_login: false        # SSH
 ssh_server_password_login: false        # SSHD

 network_ipv6_enable: false              # SSHD + SSH

 # Port to which ssh-client should connect.
 ssh_client_port: 22                     # SSH

 # Ports on which ssh-server should listen.
 ssh_server_ports:                       # SSHD
    - 22

 # IP addresses which ssh-server should listen to, configure for extra security.
 ssh_listen_to:                          # SSHD
    - 0.0.0.0

 # Host keys to look for when starting SSHD.
 ssh_host_key_files:                     # SSHD
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_rsa_key

 # Specifies the host key algorithms that the client wants to use, in order of preference.
 ssh_host_key_algorithms:                # SSH
  - [email protected]
  - [email protected]
  - ssh-ed25519
  - ssh-rsa

 # Specifies the maximum number of authentication attempts permitted per connection.
 # Once the number of failures reaches half this value, additional failures are logged.
 ssh_max_auth_retries: 6

 ssh_client_alive_interval: 600          # SSHD
 ssh_client_alive_count: 3               # SSHD

 # Example hosts with custom options.
 # ssh_remote_hosts:
 #   - names:
 #         - example.com
 #         - example2.com
 #     options:
 #         - Port 2222
 #         - ForwardAgent yes
 #   - names:
 #         - example3.com
 #     options:
 #         - StrictHostKeyChecking no
 ssh_remote_hosts: []                     # SSH

 # Set to true to allow root to login via key-based mechanism.
 ssh_allow_root_with_key: false           # SSHD

 # Set to true to allow TCP Forwarding.
 ssh_allow_tcp_forwarding: false          # SSHD

 # Set to false to disable Agent Forwarding.
 ssh_allow_agent_forwarding: true         # SSHD

 # PAM authentication enabled to avoid Debian bug with openssh-server.
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636
 # can change to `false` once Canonical Main repository includes openssh 1:7.2p2-6
 ssh_use_pam: true                        # SSHD

 # Login is disallowed for user names that match one of the patterns.
 ssh_deny_users: []                       # SSHD

 # Login is allowed only for user names that match one of the patterns.
 ssh_allow_users: []                      # SSHD

 # Login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
 ssh_deny_groups: []                      # SSHD

 # Login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
 ssh_allow_groups: []                     # SSHD

 # Set to true to enable printing of the MOTD.
 ssh_print_motd: false                    # SSHD

 # Set to true to display last login information.
 ssh_print_last_log: false                # SSHD

 # Set to true to display /etc/ssh/banner.txt before authentication is allowed.
 ssh_banner: false                        # SSHD

 # Set to false to disable distribution version leakage during initial protocol handshake.
 ssh_print_debian_banner: false           # SSHD

 ssh_send_env: ''                         # SSH
 ssh_accept_env: ''                       # SSHD

 # Set to true to enable SFTP configuration.
 sftp_enabled: false

 # Change default SFTP chroot location.
 sftp_chroot_dir: /home/%u

 # Enable experimental client roaming.
 ssh_client_roaming: false

 use_privilege_separation: "sandbox"       # SSHD

 ssh_macs_default:
  - [email protected]
  - [email protected]
  - [email protected]
  - [email protected]
  - hmac-sha2-512
  - hmac-sha2-256
  - hmac-ripemd160

 ssh_macs_weak: "{{ ssh_macs_default + ['[email protected]','hmac-sha1'] }}"

 ssh_ciphers_default:
  - [email protected]
  - [email protected]
  - [email protected]
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

 ssh_ciphers_weak: "{{ ssh_ciphers_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"

 ssh_kex_default:
  - [email protected]
  - diffie-hellman-group-exchange-sha256

 ssh_kex_weak: "{{ ssh_kex_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"
	# Documentation: https://roots.io/trellis/docs/security/
	# Which components to generate the configuration files for.
	# If remote machine doesn't have an SSH server then change the ssh_client_hardening to false.
	ssh_client_hardening: true # SSH
	ssh_server_hardening: true # SSHD

	# Set to true if CBC for ciphers is required.
	ssh_client_cbc_required: false # SSH
	ssh_server_cbc_required: false # SSHD

	# Set to true if weaker HMAC mechanisms are required.
	ssh_client_weak_hmac: false # SSH
	ssh_server_weak_hmac: false # SSHD

	# Set to true if weaker Key-Exchange (KEX) mechanisms are required.
	ssh_client_weak_kex: false # SSH
	ssh_server_weak_kex: false # SSHD

	# Set to true to allow logins with passwords.
	ssh_client_password_login: false # SSH
	ssh_server_password_login: false # SSHD

	network_ipv6_enable: false # SSHD + SSH

	# Port to which ssh-client should connect.
	ssh_client_port: 22 # SSH

	# Ports on which ssh-server should listen.
	ssh_server_ports: # SSHD
	- 22

	# IP addresses which ssh-server should listen to, configure for extra security.
	ssh_listen_to: # SSHD
	- 0.0.0.0

	# Host keys to look for when starting SSHD.
	ssh_host_key_files: # SSHD
	- /etc/ssh/ssh_host_ed25519_key
	- /etc/ssh/ssh_host_rsa_key

	# Specifies the host key algorithms that the client wants to use, in order of preference.
	ssh_host_key_algorithms: # SSH
	- [email protected]
	- [email protected]
	- ssh-ed25519
	- ssh-rsa

	# Specifies the maximum number of authentication attempts permitted per connection.
	# Once the number of failures reaches half this value, additional failures are logged.
	ssh_max_auth_retries: 6

	ssh_client_alive_interval: 600 # SSHD
	ssh_client_alive_count: 3 # SSHD

	# Example hosts with custom options.
	# ssh_remote_hosts:
	# - names:
	# - example.com
	# - example2.com
	# options:
	# - Port 2222
	# - ForwardAgent yes
	# - names:
	# - example3.com
	# options:
	# - StrictHostKeyChecking no
	ssh_remote_hosts: [] # SSH

	# Set to true to allow root to login via key-based mechanism.
	ssh_allow_root_with_key: false # SSHD

	# Set to true to allow TCP Forwarding.
	ssh_allow_tcp_forwarding: false # SSHD

	# Set to false to disable Agent Forwarding.
	ssh_allow_agent_forwarding: true # SSHD

	# PAM authentication enabled to avoid Debian bug with openssh-server.
	# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636
	# can change to `false` once Canonical Main repository includes openssh 1:7.2p2-6
	ssh_use_pam: true # SSHD

	# Login is disallowed for user names that match one of the patterns.
	ssh_deny_users: [] # SSHD

	# Login is allowed only for user names that match one of the patterns.
	ssh_allow_users: [] # SSHD

	# Login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
	ssh_deny_groups: [] # SSHD

	# Login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
	ssh_allow_groups: [] # SSHD

	# Set to true to enable printing of the MOTD.
	ssh_print_motd: false # SSHD

	# Set to true to display last login information.
	ssh_print_last_log: false # SSHD

	# Set to true to display /etc/ssh/banner.txt before authentication is allowed.
	ssh_banner: false # SSHD

	# Set to false to disable distribution version leakage during initial protocol handshake.
	ssh_print_debian_banner: false # SSHD

	ssh_send_env: '' # SSH
	ssh_accept_env: '' # SSHD

	# Set to true to enable SFTP configuration.
	sftp_enabled: false

	# Change default SFTP chroot location.
	sftp_chroot_dir: /home/%u

	# Enable experimental client roaming.
	ssh_client_roaming: false

	use_privilege_separation: "sandbox" # SSHD

	ssh_macs_default:
	- [email protected]
	- [email protected]
	- [email protected]
	- [email protected]
	- hmac-sha2-512
	- hmac-sha2-256
	- hmac-ripemd160

	ssh_macs_weak: "{{ ssh_macs_default + ['[email protected]','hmac-sha1'] }}"

	ssh_ciphers_default:
	- [email protected]
	- [email protected]
	- [email protected]
	- aes256-ctr
	- aes192-ctr
	- aes128-ctr

	ssh_ciphers_weak: "{{ ssh_ciphers_default + ['aes256-cbc', 'aes192-cbc', 'aes128-cbc'] }}"

	ssh_kex_default:
	- [email protected]
	- diffie-hellman-group-exchange-sha256

	ssh_kex_weak: "{{ ssh_kex_default + ['diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1'] }}"