sshd

# This file is managed by Puppet #
#
# CIS 6.2.1 Set SSH Protocol to 2
Protocol 2
# CIS 6.2.2 Set LogLevel to INFO
LogLevel DEBUG
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile ~/.ssh/authorized_keys
PasswordAuthentication no
#ChallengeResponseAuthentication yes
#GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UsePAM yes
UseDNS yes
#PubkeyAuthentication yes


# CIS 6.2.4 Disable SSH X11 Forwarding
X11Forwarding no
# CIS 6.2.5 Set MaxAuthTries to 4 or Less
MaxAuthTries 4
# CIS 6.2.6 Set SSH IgnoreRhosts to Yes
IgnoreRhosts yes
# CIS 6.2.7 Set SSH HostbasedAuthentication to No
HostbasedAuthentication no
# CIS 6.2.8 Disable SSH Root Login
PermitRootLogin no
# CIS 6.2.9 Set SSH PermitEmptyPasswords to No
PermitEmptyPasswords no
# CIS 6.2.10 Do not allow users to set environment options
PermitUserEnvironment no
# CIS 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less
LoginGraceTime 60
UsePrivilegeSeparation sandbox		# Default for new installations.
#AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
#AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
#AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
#AcceptEnv XMODIFIERS
# CIS 6.2.11 Use Only Approved Cipher in Counter Mode
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# CIS 6.2.12 Set Idle Timeout Interval for User Login
ClientAliveInterval 900
ClientAliveCountMax 0
# CIS 6.2.13 Limit Access via SSH
# Limiting access is handled by freeipa
# CIS 6.2.14 Set SSH Banner

Banner /etc/issue.net

Subsystem sftp  /usr/libexec/openssh/sftp-server

KerberosAuthentication no
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody