From bc249cbc48aa8f9292bb63238c2884c55537858c Mon Sep 17 00:00:00 2001 From: VirtuBox Date: Tue, 5 Nov 2019 16:02:18 +0100 Subject: [PATCH] Update ssh config with the latest directives --- etc/ssh/sshd_config | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config index f0a51f5..b53b2e2 100644 --- a/etc/ssh/sshd_config +++ b/etc/ssh/sshd_config @@ -10,7 +10,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key PermitRootLogin without-password # Allow ssh access to some users only -AllowUsers root ubuntu +AllowUsers root ubuntu debian # allow ssh key Authentication PubkeyAuthentication yes @@ -33,8 +33,11 @@ X11Forwarding yes # Allow client to pass locale environment variables AcceptEnv LANG LC_* -# override default of no subsystems -Subsystem sftp /usr/lib/openssh/sftp-server +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. +LogLevel VERBOSE + +# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO # Host keys the client accepts - order here is honored by OpenSSH HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 @@ -43,3 +46,7 @@ HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com, KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + +# Use kernel sandbox mechanisms where possible in unprivileged processes +# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. +UsePrivilegeSeparation sandbox