Add Gentoo support (with secure defaults)

willshersystems · Jan 19, 2020 · 3792fbb · 3792fbb
1 parent e70dbc3
commit 3792fbb
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/vars/Gentoo.yml b/vars/Gentoo.yml
@@ -0,0 +1,37 @@
+---
+__sshd_packages:
+  - net-misc/openssh
+__sshd_config_owner: root
+__sshd_config_group: root
+__sshd_config_mode: "0600"
+__sshd_config_file: /etc/ssh/sshd_config
+__sshd_sftp_server: /usr/lib64/misc/sftp-server
+__sshd_binary: /usr/sbin/sshd
+__sshd_defaults:
+  Subsystem: "sftp {{ sshd_sftp_server }}"
+  # Replace tcp keepalive with unspoofable keepalive
+  TCPKeepAlive: no
+  ClientAliveInterval: 300
+  ClientAliveCountMax: 2
+  # Secure chipher and algorithm settings
+  HostKey:
+    - /etc/ssh/ssh_host_ed25519_key
+    - /etc/ssh/ssh_host_rsa_key
+  HostKeyAlgorithms: "ssh-ed25519,ssh-rsa,[email protected]"
+  KexAlgorithms: "[email protected],diffie-hellman-group-exchange-sha256"
+  Ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
+  MACs: "[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]"
+  AuthorizedKeysFile: .ssh/authorized_keys
+  # Security settings
+  PasswordAuthentication: no
+  ChallengeResponseAuthentication: no
+  PermitRootLogin: no
+  # Login settings
+  UsePAM: yes
+  PrintMotd: no
+  PrintLastLog: yes
+  # Disable most forwarding types for more security
+  AllowAgentForwarding: no
+  AllowTcpForwarding: no
+  AllowStreamLocalForwarding: no
+__sshd_os_supported: yes