authorbnewbold <bnewbold@robocracy.org>2016-04-15 14:54:47 -0400
committerbnewbold <bnewbold@robocracy.org>2016-04-15 14:54:47 -0400
commitc4b5e49f6e4b4a31c0c278e464c690823c0ad4fd (patch)
tree1c9396239a6a44e61d36d10dc238068014e4fcc3
parent46e2c84d862ac4567c0b60b779126b4a1b462a97 (diff)
common: SSH authentication clarification
-rw-r--r--roles/common/defaults/main.yml3
-rw-r--r--roles/common/templates/etc_ssh_sshd_config.j25
-rw-r--r--vars/robocracy.yml1
3 files changed, 4 insertions, 5 deletions
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 642f58e..f77cc3f 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -18,7 +18,8 @@ ssh_kex_algorithms: "diffie-hellman-group-exchange-sha256"
ssh_ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
ssh_macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
sshd_allow_passwd: "no"
-sshd_print_motd: "yes"
+sshd_allow_chall_resp: "no"
+sshd_print_motd: "no"
sshd_allow_root: "without-password"
sshd_forward_x11: "yes"
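Review bot: The new `sshd_allow_chall_resp` default carries no comment, and its interaction with the rest of the role is not obvious: because the template keeps `UsePAM yes`, setting this to "yes" lets sshd run PAM keyboard-interactive, which still prompts for a password even when `sshd_allow_passwd` is "no". I would add above the new line `# ChallengeResponseAuthentication; with UsePAM yes, "yes" re-enables password-style logins via PAM keyboard-interactive even when sshd_allow_passwd is "no"`. Separately, the flip of `sshd_print_motd` from "yes" to "no" is unrelated to the authentication clarification in the commit title and is not mentioned in the message; it probably belongs in its own commit or at least a sentence in the description.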
diff --git a/roles/common/templates/etc_ssh_sshd_config.j2 b/roles/common/templates/etc_ssh_sshd_config.j2
index d9978e0..c0797a3 100644
--- a/roles/common/templates/etc_ssh_sshd_config.j2
+++ b/roles/common/templates/etc_ssh_sshd_config.j2
@@ -21,7 +21,6 @@ MACs {{ ssh_macs }}
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
-#ServerKeyBits 768
ServerKeyBits 1024
# Logging
@@ -51,8 +50,7 @@ PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
-# ChallengeResponseAuthentication no
-ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication {{ sshd_allow_chall_resp }}
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication {{ sshd_allow_passwd }}
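Review bot: The template now lets `ChallengeResponseAuthentication` be toggled per host, but the file's own guidance a few lines later (the `UsePAM yes` block in the next hunk says to set both PasswordAuthentication and ChallengeResponseAuthentication to 'no') is left unchanged, so a reader sees contradictory advice. With `UsePAM yes` in effect, any host that sets `sshd_allow_chall_resp` to "yes" gets PAM keyboard-interactive authentication, and `PasswordAuthentication no` no longer prevents password logins on that host. I would replace the stale "Change to yes to enable challenge-response passwords" comment with `# Set sshd_allow_chall_resp to "yes" only where password/OTP login via PAM keyboard-interactive is intended; with UsePAM yes it bypasses PasswordAuthentication no`. If that is the intended effect on some hosts, consider scoping it with a `Match` block (by user or address) rather than enabling it server-wide.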
@@ -92,4 +90,3 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
-
diff --git a/vars/robocracy.yml b/vars/robocracy.yml
index a8017d8..c9623f6 100644
--- a/vars/robocracy.yml
+++ b/vars/robocracy.yml
@@ -9,6 +9,7 @@ friendly_networks:
- "numm.org"
sshd_print_motd: "no"
+sshd_allow_chall_resp: "yes"
nullmailer_smtp_host: mail.the-nsa.org
nullmailer_smtp_user: nullmail@the-nsa.org
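Review bot: Setting `sshd_allow_chall_resp: "yes"` for this host group changes its effective authentication posture, since the common role renders `UsePAM yes`, so PAM keyboard-interactive password prompts become available on these hosts despite the role default of `sshd_allow_passwd: "no"`; the override deserves a comment stating why it is needed here. I would add above it `# Enables PAM keyboard-interactive on these hosts; note this permits password logins via PAM even with sshd_allow_passwd "no"`. I am assuming this is the whole of the hunk; the remaining lines look like context only.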