Updating Ubiqtorate

2020-10-08 16:33:19 -05:00
parent eaeae93a0f
commit e12c8ff0c6
53 changed files with 1645 additions and 2 deletions
--- a/roles/SSH/files/ssh_config
+++ b/roles/SSH/files/ssh_config
@@ -0,0 +1,50 @@
+#	$OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $
+
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+# Host *
+#   ForwardAgent no
+ForwardX11 yes 
+ForwardX11Trusted yes
+#   RhostsRSAAuthentication no
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/identity
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   Port 22
+#   Protocol 2,1
+#   Cipher 3des
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+UseRoaming no 
+# fix for CVE-2016-0777
--- a/roles/SSH/files/sshd_config
+++ b/roles/SSH/files/sshd_config
@@ -0,0 +1,59 @@
+### AniNIX::SSH \\ Basic configuration for listening daemon ###
+
+# Daemon spec #
+Port 22
+ListenAddress 0.0.0.0
+PrintMotd yes
+PrintLastLog yes
+StrictModes yes
+Protocol 2
+ChrootDirectory none
+# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
+# RSA and ED25519 are stable.
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Network Performance #
+Compression yes
+ClientAliveInterval 5
+ClientAliveCountMax 3
+
+# Forwarding options # 
+AllowTcpForwarding no
+PermitTunnel no
+AllowAgentForwarding no
+X11Forwarding no
+X11DisplayOffset 10
+X11UseLocalhost no
+GatewayPorts no
+
+# Override default of no subsystems to allow SFTP #
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# Authentication #
+PubkeyAuthentication yes
+AuthorizedKeysFile	.ssh/authorized_keys
+PasswordAuthentication yes
+UsePAM yes
+ChallengeResponseAuthentication no
+HostbasedAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+DenyGroups [^ssh-allow]
+AllowGroups ssh-allow
+PermitRootLogin no
+PermitEmptyPasswords no
+
+## Access Controls ###
+Match Group ssh-forward
+    AllowTcpForwarding yes
+    PermitTunnel yes
+    AllowAgentForwarding yes
+    X11Forwarding yes
+      
+Match Group sftp-home-jail
+    ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
+    ChrootDirectory /home # Lock the user in their home directory
+
+Match User crypto
+    ForceCommand /usr/local/bin/captivecrypto