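---
# Gentoo-specific role variables for ansible-sshd.
# The double-underscore `__sshd_*` names are presumably role-internal
# (set here, read by the role's tasks/templates) — verify against the
# role's vars loading before relying on that.
#
# Everything under `__sshd_defaults` is an sshd_config keyword/value
# pair; the role template is expected to render YAML booleans as
# sshd's yes/no — confirm against the template if the target OpenSSH
# version is changed.
__sshd_packages:
  - net-misc/openssh

__sshd_sftp_server: /usr/lib64/misc/sftp-server

__sshd_defaults:
  Subsystem: "sftp {{ __sshd_sftp_server }}"
  # Replace tcp keepalive with unspoofable keepalive: TCP keepalives are
  # plaintext and can be forged, the client-alive probe runs inside the
  # encrypted channel. Two missed probes at 300 s each end the session.
  TCPKeepAlive: false
  ClientAliveInterval: 300
  ClientAliveCountMax: 2
  # Secure cipher and algorithm settings
  HostKey:
    - /etc/ssh/ssh_host_ed25519_key
    - /etc/ssh/ssh_host_rsa_key
  # NOTE(review): "[email protected]" in the three values below is not a
  # valid OpenSSH algorithm name; it looks like an extraction artifact
  # that replaced an @-suffixed name (e.g. a vendor-suffixed MAC or kex
  # name). Restore the exact names from the upstream file before use —
  # sshd rejects a config that names an unknown algorithm, so this would
  # fail at `sshd -t` rather than silently weaken the host.
  HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,[email protected]"
  KexAlgorithms: "[email protected],diffie-hellman-group-exchange-sha256"
  MACs: "[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]"
  AuthorizedKeysFile: .ssh/authorized_keys
  # Security settings: public-key only, no root login over SSH.
  PasswordAuthentication: false
  # ChallengeResponseAuthentication is the legacy spelling of
  # KbdInteractiveAuthentication in newer OpenSSH releases; both must be
  # off for password-style prompts to be fully disabled.
  ChallengeResponseAuthentication: false
  PermitRootLogin: false
  # Login settings
  UsePAM: true
  PrintMotd: false
  PrintLastLog: true
  # Disable most forwarding types for more security: agent, TCP and
  # Unix-socket forwarding are all off, so a compromised client cannot
  # pivot through this host.
  AllowAgentForwarding: false
  AllowTcpForwarding: false
  AllowStreamLocalForwarding: false

__sshd_os_supported: true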