Home
Welcome to the ansible-role-ssh wiki!
This page collects the follow-up information that was found worth keeping during the investigation work done while building this role. In short, it answers questions like "Why are things the way they are?".
In newer versions of EL and Ubuntu, the MOTD feature is handled by PAM, see `/etc/pam.d/sshd`. Therefore you only have to add content to `/etc/motd`. If you happen to set the `PrintMotd` option to `yes` as well, the MOTD is printed twice.

If you are on an older OS (and you really should not be!), then you have to turn this on yourself by setting `PrintMotd` to `yes`.
Dealing with those crypto policies across multiple distros seems quite hard at first, but in the end it is always the same OpenSSH server underneath. Therefore the current setup is based on some best practices and leaves out distro-specific mechanisms like the system-wide crypto-policies found in RHEL. The current setup relies solely on the OpenSSH directives available directly in `sshd_config`.
The lists of algorithms were created based on the knowledge found in the following articles:
- https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
- https://infosec.mozilla.org/guidelines/openssh
- https://security.stackexchange.com/questions/257670/ssh-server-configuration-best-practices
- https://www.ssh-audit.com/hardening_guides.html#rhel7
- Comparing SSH Keys - RSA, DSA, ECDSA or EdDSA?
- Worth it to replace OpenSSH's moduli file?
- Disable diffie-hellman-group1-sha1
- Opt-out crypto policies for sshd in RHEL8
- Opt-out crypto policies in RHEL8
- https://blog.cr.yp.to/20140323-ecdsa.html
The configuration has then been tested on each supported OS using ssh-audit.
For newer systems (RHEL9+ and Ubuntu 22.04+), ssh-audit recommends the following additional kex algorithm, but it is not built into the config as of yet:

```
# algorithm recommendations (for OpenSSH 8.9)
(rec) +sntrup761x25519-sha512@openssh.com -- kex algorithm to append
```
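The `+` in the ssh-audit line above is OpenSSH's own directive syntax: a `KexAlgorithms` value starting with `+` appends to the server's default set, `-` removes names (wildcards allowed) and `^` moves names to the head, while a bare list replaces the defaults entirely. The following is an added example, not part of this role or of OpenSSH, that resolves a directive value this way against an assumed baseline list (constructed for the example, not the real default of any OpenSSH version) and then flags the weak `diffie-hellman-group1-sha1` exchange and the missing `sntrup761x25519-sha512@openssh.com` recommendation discussed above.

```python
import fnmatch

# Assumed baseline standing in for the server's compiled-in default set;
# constructed for this example, not OpenSSH's real default for any version.
BASELINE_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group1-sha1",
]

WEAK_KEX = {"diffie-hellman-group1-sha1"}                 # see the articles above
RECOMMENDED_KEX = {"sntrup761x25519-sha512@openssh.com"}  # ssh-audit recommendation


def _cat(head, tail):
    """Concatenate two name lists, skipping names already present in `head`."""
    return head + [n for n in tail if n not in head]


def effective_kex(directive, baseline=BASELINE_KEX):
    """Resolve a KexAlgorithms value the way OpenSSH does:
    '+list' appends to the baseline, '-list' removes (wildcards allowed),
    '^list' places the names at the head, a bare list replaces the baseline."""
    if directive.startswith("+"):
        return _cat(list(baseline), directive[1:].split(","))
    if directive.startswith("^"):
        return _cat(directive[1:].split(","), baseline)
    if directive.startswith("-"):
        patterns = directive[1:].split(",")
        return [n for n in baseline
                if not any(fnmatch.fnmatchcase(n, p) for p in patterns)]
    return directive.split(",")


def audit_kex(directive, baseline=BASELINE_KEX):
    """Return (effective list, weak names present, recommended names missing)."""
    algs = effective_kex(directive, baseline)
    weak = [a for a in algs if a in WEAK_KEX]
    missing = sorted(RECOMMENDED_KEX - set(algs))
    return algs, weak, missing


if __name__ == "__main__":
    for value in ("-diffie-hellman-group1-sha1,ecdh-*",
                  "+sntrup761x25519-sha512@openssh.com",
                  "sntrup761x25519-sha512@openssh.com,curve25519-sha256"):
        algs, weak, missing = audit_kex(value)
        print(f"KexAlgorithms {value}\n  effective: {','.join(algs)}")
        print(f"  weak: {weak or 'none'}  missing: {missing or 'none'}")
```

On a live host the same check can be run against the resolved configuration printed by `sshd -T`, which already has these prefixes applied.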