ssh init

00e9d378 · skorpy · 093f904a · 00e9d378 · 00e9d378 · 00e9d378
Commit 00e9d378 authored 8 years ago by skorpy
--- a/ssh/goal/ssh_config
+++ b/ssh/goal/ssh_config
+# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.
+Host github.com
+	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+    
+Host *
+	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+	PasswordAuthentication no
+	ChallengeResponseAuthentication no
+
--- a/ssh/goal/sshd_config
+++ b/ssh/goal/sshd_config
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+
+AllowGroups ssh-user
+
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+
+
--- a/ssh/init.sls
+++ b/ssh/init.sls
+openssh-server:
+  pkg.latest:
+    - pkgs:
+      - openssh-server
+  service.running:
+    - name: sshd
+    - enable: True
+    - reload: True
+#    - watch:
+#      - augeas: sshd_*
+
+include:
+  - openssh.hardening