
sshd

  1. # This file is managed by Puppet #
  2. #
  3. # CIS 6.2.1 Set SSH Protocol to 2
  4. Protocol 2
  5. # CIS 6.2.2 Set LogLevel to INFO
  6. LogLevel DEBUG
  7. HostKey /etc/ssh/ssh_host_rsa_key
  8. HostKey /etc/ssh/ssh_host_ecdsa_key
  9. HostKey /etc/ssh/ssh_host_ed25519_key
  10. SyslogFacility AUTHPRIV
  11. AuthorizedKeysFile ~/.ssh/authorized_keys
  12. PasswordAuthentication no
  13. #ChallengeResponseAuthentication yes
  14. #GSSAPIAuthentication yes
  15. GSSAPICleanupCredentials yes
  16. #UsePAM yes
  17. UseDNS yes
  18. #PubkeyAuthentication yes
  19.  
  20.  
  21. # CIS 6.2.4 Disable SSH X11 Forwarding
  22. X11Forwarding no
  23. # CIS 6.2.5 Set MaxAuthTries to 4 or Less
  24. MaxAuthTries 4
  25. # CIS 6.2.6 Set SSH IgnoreRhosts to Yes
  26. IgnoreRhosts yes
  27. # CIS 6.2.7 Set SSH HostbasedAuthentication to No
  28. HostbasedAuthentication no
  29. # CIS 6.2.8 Disable SSH Root Login
  30. PermitRootLogin no
  31. # CIS 6.2.9 Set SSH PermitEmptyPasswords to No
  32. PermitEmptyPasswords no
  33. # CIS 6.2.10 Do not allow users to set environment options
  34. PermitUserEnvironment no
  35. # CIS 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less
  36. LoginGraceTime 60
  37. UsePrivilegeSeparation sandbox      # Default for new installations.
  38. #AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
  39. #AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  40. #AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
  41. #AcceptEnv XMODIFIERS
  42. # CIS 6.2.11 Use Only Approved Cipher in Counter Mode
  43. Ciphers aes128-ctr,aes192-ctr,aes256-ctr
  44. # CIS 6.2.12 Set Idle Timeout Interval for User Login
  45. ClientAliveInterval 900
  46. ClientAliveCountMax 0
  47. # CIS 6.2.13 Limit Access via SSH
  48. # Limiting access is handled by freeipa
  49. # CIS 6.2.14 Set SSH Banner
  50.  
  51. Banner /etc/issue.net
  52.  
  53. Subsystem sftp  /usr/libexec/openssh/sftp-server
  54.  
  55. KerberosAuthentication no
  56. PubkeyAuthentication yes
  57. AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
  58. GSSAPIAuthentication yes
  59. ChallengeResponseAuthentication yes
  60. AuthorizedKeysCommandUser nobody