From d1fdfa683d146f3cb4d1bbd4559a4798f99938d0 Mon Sep 17 00:00:00 2001
From: David Panofsky
Date: Wed, 13 Sep 2017 14:33:38 -0400
Subject: [PATCH] update Ubuntu 16 defaults for modern security recomendations

---
 vars/Ubuntu_16.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/vars/Ubuntu_16.yml b/vars/Ubuntu_16.yml
index 9651105..9f9a159 100644
--- a/vars/Ubuntu_16.yml
+++ b/vars/Ubuntu_16.yml
@@ -8,15 +8,13 @@ sshd_defaults:
   Port: 22
   Protocol: 2
   HostKey:
-    - /etc/ssh/ssh_host_rsa_key
-    - /etc/ssh/ssh_host_dsa_key
-    - /etc/ssh/ssh_host_ecdsa_key
     - /etc/ssh/ssh_host_ed25519_key
-  UsePrivilegeSeparation: yes
+    - /etc/ssh/ssh_host_rsa_key
+  UsePrivilegeSeparation: sandbox
   KeyRegenerationInterval: 3600
   ServerKeyBits: 1024
   SyslogFacility: AUTH
-  LogLevel: INFO
+  LogLevel: VERBOSE
   LoginGraceTime: 120
   PermitRootLogin: prohibit-password
   StrictModes: yes
@@ -28,13 +26,17 @@ sshd_defaults:
   HostbasedAuthentication: no
   PermitEmptyPasswords: no
   ChallengeResponseAuthentication: no
-  X11Forwarding: yes
+  X11Forwarding: no
   X11DisplayOffset: 10
   PrintMotd: no
   PrintLastLog: yes
   TCPKeepAlive: yes
   AcceptEnv: LANG LC_*
-  Subsystem: "sftp {{ sshd_sftp_server }}"
+  Subsystem: "sftp {{ sshd_sftp_server }} -f AUTHPRIV -l INFO"
   UsePAM: yes
   UseDNS: no
+  KexAlgorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+  Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+  MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+  AuthenticationMethods: publickey
 sshd_os_supported: yes
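Review bot: `KeyRegenerationInterval: 3600` and `ServerKeyBits: 1024`, left as context between the new `UsePrivilegeSeparation: sandbox` and `LogLevel: VERBOSE` lines, are SSH protocol-1-only settings that do nothing under `Protocol: 2`, and later OpenSSH releases that dropped SSH-1 server support report them as deprecated options at startup; a commit that modernises these defaults is the place to drop them too. `UsePrivilegeSeparation: sandbox` is, as far as I know, already the built-in default on the OpenSSH 7.2 that Ubuntu 16.04 ships and the option itself was deprecated in 7.5, so it adds explicitness rather than protection over the removed `yes`. Dropping the ECDSA and DSA host keys means clients that pinned only those key types in known_hosts are likely to be re-prompted on their next connection, which is worth a comment above `HostKey:` such as `# ed25519 + rsa only; clients with ECDSA/DSA pins in known_hosts will be re-prompted`. The sshd_defaults mapping starts before the hunk.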
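Review bot: `AuthenticationMethods: publickey` makes key-only login mandatory for every host consuming these defaults and therefore switches off PAM password authentication even though `UsePAM: yes` stays and `PasswordAuthentication` is not visible in this hunk; any account on an Ubuntu 16 host without an authorized key deployed before this rolls out is locked out, so the line deserves a comment such as `# key-only: password/PAM auth is refused regardless of PasswordAuthentication`. The new `KexAlgorithms` keeps `diffie-hellman-group-exchange-sha256`, whose group size is taken from the host's /etc/ssh/moduli file; unless the role also prunes the small groups from that file (not shown here), the key exchange is weaker than the cipher and MAC lists suggest. On style, `X11Forwarding: no` and the surrounding yes/no values are YAML 1.1 booleans under Ansible's loader, so the template presumably renders `False`, which sshd accepts case-insensitively but which reads oddly in the generated sshd_config; quoting new values as `"no"` keeps the rendered file literal. The sshd_defaults mapping starts before the hunk.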