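# This file is managed by Puppet #
#
# sshd_config hardened along CIS benchmark items. Numbered comments reference
# the CIS item each directive satisfies; directives without a CIS reference are
# site/distribution settings (FreeIPA/sssd key lookup, host keys, sftp).
#
# CIS 6.2.1 Set SSH Protocol to 2
Protocol 2
# CIS 6.2.2 Set LogLevel to INFO
# INFO, not DEBUG: sshd_config(5) notes that DEBUG-level logging violates the
# privacy of users and is intended for troubleshooting only. INFO still records
# every login, key fingerprint and disconnect needed for auditing.
LogLevel INFO
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile ~/.ssh/authorized_keys
# Authentication methods.
# Keys come from the local file above and from FreeIPA via sssd (see
# AuthorizedKeysCommand below).
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
PasswordAuthentication no
# NOTE(review): with UsePAM enabled, keyboard-interactive (ChallengeResponse)
# hands the prompt to PAM, which can accept the same password that
# "PasswordAuthentication no" is meant to block. Presumably kept for FreeIPA
# OTP / 2FA prompts — confirm that is the intent and that the PAM stack does
# not fall back to plain password for SSH.
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication no
# NOTE(review): UsePAM is not enabled here (the OpenSSH default is "no").
# Without PAM, sshd performs no PAM account checks, so sssd-side access rules
# (FreeIPA HBAC, the mechanism the CIS 6.2.13 note relies on) are not applied
# to key-based logins. Verify whether the Puppet module or a distribution
# default sets "UsePAM yes" elsewhere; if not, this needs to be enabled.
#UsePAM yes
# Not a CIS item; "yes" forces a reverse-DNS lookup per connection and can
# delay logins when DNS is slow. Presumably kept for hostname patterns in
# authorized_keys "from=" options — confirm, otherwise consider "no".
UseDNS yes
# CIS 6.2.4 Disable SSH X11 Forwarding
X11Forwarding no
# CIS 6.2.5 Set MaxAuthTries to 4 or Less
MaxAuthTries 4
# CIS 6.2.6 Set SSH IgnoreRhosts to Yes
IgnoreRhosts yes
# CIS 6.2.7 Set SSH HostbasedAuthentication to No
HostbasedAuthentication no
# CIS 6.2.8 Disable SSH Root Login
PermitRootLogin no
# CIS 6.2.9 Set SSH PermitEmptyPasswords to No
PermitEmptyPasswords no
# CIS 6.2.10 Do not allow users to set environment options
PermitUserEnvironment no
# CIS 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less
LoginGraceTime 60
# Default for new installations. Deprecated (no-op) on OpenSSH 7.5 and later,
# where privilege separation with sandboxing is always on.
UsePrivilegeSeparation sandbox
#AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
#AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
#AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
#AcceptEnv XMODIFIERS
# CIS 6.2.11 Use Only Approved Cipher in Counter Mode
# NOTE(review): no MACs line is set, so sshd's default MAC list (which includes
# MD5/SHA-1 variants on older releases) applies; newer CIS revisions add an
# explicit MACs item — consider pinning it once client compatibility is known.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# CIS 6.2.12 Set Idle Timeout Interval for User Login
# NOTE(review): OpenSSH 8.2 changed the meaning of "ClientAliveCountMax 0" from
# "disconnect after the first missed keepalive" to "never disconnect". On 8.2+
# hosts this pair no longer enforces the idle timeout; use a CountMax of 1-3
# with a correspondingly shorter interval there.
ClientAliveInterval 900
ClientAliveCountMax 0
# CIS 6.2.13 Limit Access via SSH
# Limiting access is handled by freeipa (HBAC via sssd; see the UsePAM note).
# CIS 6.2.14 Set SSH Banner
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server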