Merge pull request #21 from KellerFuchs/patch-1

Harden sshd_config
hashbang · Sep 21, 2015 · 5638b67 · 5638b67
2 parents 80cd1d3 + 5d92e0b
commit 5638b67
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 6 deletions.
diff --git a/.gitignore b/.gitignore
@@ -65,6 +65,7 @@ group.org
 ssl/certs
 ssl/private
 ssh/ssh_host_*_key
+ssh/ssh_host_*_key.pub
 *-
 *.gz
 alternatives
@@ -75,9 +76,6 @@ hosts
 resolv.conf
 resolvconf/resolv.conf.d/original
 udev/rules.d/70-persistent-net.rules
-ssh/ssh_host_dsa_key.pub
-ssh/ssh_host_ecdsa_key.pub
-ssh/ssh_host_rsa_key.pub
 hostname
 machine-id
 provisor.ini

diff --git a/ssh/sshd_config b/ssh/sshd_config
@@ -11,9 +11,9 @@ Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
 
 # Lifetime and size of ephemeral version 1 server key
 KeyRegenerationInterval 3600
@@ -89,4 +89,3 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
-PasswordAuthentication yes