From 3792fbbebbfbc9ea4134b816e1165b7b63374a81 Mon Sep 17 00:00:00 2001 From: oddlama Date: Sun, 19 Jan 2020 17:36:50 +0100 Subject: [PATCH] Add Gentoo support (with secure defaults) --- vars/Gentoo.yml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 vars/Gentoo.yml diff --git a/vars/Gentoo.yml b/vars/Gentoo.yml new file mode 100644 index 0000000..68cdb2a --- /dev/null +++ b/vars/Gentoo.yml @@ -0,0 +1,37 @@ +--- +__sshd_packages: + - net-misc/openssh +__sshd_config_owner: root +__sshd_config_group: root +__sshd_config_mode: "0600" +__sshd_config_file: /etc/ssh/sshd_config +__sshd_sftp_server: /usr/lib64/misc/sftp-server +__sshd_binary: /usr/sbin/sshd +__sshd_defaults: + Subsystem: "sftp {{ sshd_sftp_server }}" + # Replace tcp keepalive with unspoofable keepalive + TCPKeepAlive: no + ClientAliveInterval: 300 + ClientAliveCountMax: 2 + # Secure chipher and algorithm settings + HostKey: + - /etc/ssh/ssh_host_ed25519_key + - /etc/ssh/ssh_host_rsa_key + HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,ssh-ed25519-cert-v01@openssh.com" + KexAlgorithms: "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" + Ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" + MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" + AuthorizedKeysFile: .ssh/authorized_keys + # Security settings + PasswordAuthentication: no + ChallengeResponseAuthentication: no + PermitRootLogin: no + # Login settings + UsePAM: yes + PrintMotd: no + PrintLastLog: yes + # Disable most forwarding types for more security + AllowAgentForwarding: no + AllowTcpForwarding: no + AllowStreamLocalForwarding: no +__sshd_os_supported: yes