author | bnewbold <bnewbold@robocracy.org> | 2016-04-15 14:54:47 -0400 |
committer | bnewbold <bnewbold@robocracy.org> | 2016-04-15 14:54:47 -0400 |
commit | c4b5e49f6e4b4a31c0c278e464c690823c0ad4fd (patch) | |
tree | 1c9396239a6a44e61d36d10dc238068014e4fcc3 | |
parent | 46e2c84d862ac4567c0b60b779126b4a1b462a97 (diff) | |
common: SSH authentication clarification
-rw-r--r-- | roles/common/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/common/templates/etc_ssh_sshd_config.j2 | 5 | ||||
-rw-r--r-- | vars/robocracy.yml | 1 |
3 files changed, 4 insertions, 5 deletions
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 642f58e..f77cc3f 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -18,7 +18,8 @@ ssh_kex_algorithms: "diffie-hellman-group-exchange-sha256"
 ssh_ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
 ssh_macs: "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
 sshd_allow_passwd: "no"
-sshd_print_motd: "yes"
+sshd_allow_chall_resp: "no"
+sshd_print_motd: "no"
 sshd_allow_root: "without-password"
 sshd_forward_x11: "yes"
diff --git a/roles/common/templates/etc_ssh_sshd_config.j2 b/roles/common/templates/etc_ssh_sshd_config.j2
index d9978e0..c0797a3 100644
--- a/roles/common/templates/etc_ssh_sshd_config.j2
+++ b/roles/common/templates/etc_ssh_sshd_config.j2
@@ -21,7 +21,6 @@ MACs {{ ssh_macs }}
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
-#ServerKeyBits 768
 ServerKeyBits 1024
 # Logging
@@ -51,8 +50,7 @@ PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-# ChallengeResponseAuthentication no
-ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication {{ sshd_allow_chall_resp }}
 # Change to no to disable tunnelled clear text passwords
 PasswordAuthentication {{ sshd_allow_passwd }}
@@ -92,4 +90,3 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
-
diff --git a/vars/robocracy.yml b/vars/robocracy.yml
index a8017d8..c9623f6 100644
--- a/vars/robocracy.yml
+++ b/vars/robocracy.yml
@@ -9,6 +9,7 @@ friendly_networks:
   - "numm.org"
 sshd_print_motd: "no"
+sshd_allow_chall_resp: "yes"
 nullmailer_smtp_host: mail.the-nsa.org
 nullmailer_smtp_user: nullmail@the-nsa.org
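Review bot: The new `sshd_allow_chall_resp` default in roles/common/defaults/main.yml is introduced with no comment on what it controls, although the sshd_config template it feeds carries an explicit warning about it. A one-line note next to the variable would save the next reader a trip to the template: `# sshd ChallengeResponseAuthentication; with UsePAM yes, "yes" re-enables password-style (keyboard-interactive) logins even when sshd_allow_passwd is "no"`. The same hunk also flips `sshd_print_motd` from "yes" to "no", which is unrelated to the "SSH authentication clarification" in the commit title and would be easier to bisect as its own commit; the commit description does not mention it.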
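Review bot: Making `ChallengeResponseAuthentication {{ sshd_allow_chall_resp }}` host-configurable while `UsePAM yes` stays fixed (third hunk of the template) means that a host setting the variable to "yes" keeps password-based login reachable through the keyboard-interactive/PAM path regardless of `PasswordAuthentication {{ sshd_allow_passwd }}`; the template's own trailing comment says both must be 'no' for PAM to be limited to account/session handling. vars/robocracy.yml in this same commit does exactly that (`sshd_allow_chall_resp: "yes"`), so on that host `sshd_allow_passwd: "no"` no longer means what the default implies. If that is intended, a comment beside the override in vars/robocracy.yml stating why challenge-response is needed there would make the exception deliberate rather than accidental; otherwise the two variables should be tied, e.g. by rendering `ChallengeResponseAuthentication {{ sshd_allow_passwd }}` unless a separate override is explicitly documented.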