Location: majic-ansible-roles/roles/backup_server/files/backup-sshd_config - annotation
b3080953dcfc
2.0 KiB
text/plain
MAR-193: Fix deprecation warnings coming from newer versions of pip-tools:
- In more recent versions of pip-tools, a new option has been
added (--strip-extras) that will become a new default in next major
release. Not using this option causes some warnings on Debian 11
Bullseye when pip-tools is brought up to date.
- Refactor the invocation of pip-compile to make it more modular.
- No test expansion for this since it would make it a bit harder to
target both Debian 10 Buster and Debian 11 Bullseye.
# Listen on separate port for backup purposes.
Port 2222
# Use the SSH protocol version 2 (which is safer).
Protocol 2
# Define dedicated host keys for backup SSH server.
HostKey /etc/ssh-backup/ssh_host_rsa_key
HostKey /etc/ssh-backup/ssh_host_ecdsa_key
HostKey /etc/ssh-backup/ssh_host_ed25519_key
# Use privilege separation for increased security.
UsePrivilegeSeparation yes
# Configure logging.
SyslogFacility AUTH
LogLevel INFO
# Users have 10 seconds to log in once the connection is established.
LoginGraceTime 10
# Don't allow root account logins.
PermitRootLogin no
# Enforce strict checking of home directory mode. However, this is not used for
# the chroots (chroots must check mode).
StrictModes yes
# Allow public key authentication.
PubkeyAuthentication yes
# Don't read the user's ~/.rhosts and ~/.shosts files for eventual
# RhostsRSAAuthentication or HostbasedAuthentication.
IgnoreRhosts yes
# Disable host-based authentication.
HostbasedAuthentication no
# Do not allow logins with empty passwords.
PermitEmptyPasswords no
# Don't allow challenge-response authentication.
ChallengeResponseAuthentication no
# Disable password-based authentication.
PasswordAuthentication no
# Disable X11 forwarding.
X11Forwarding no
# Do not print motd to avoid eventual issues for clients.
PrintMotd no
# Do not print the date and time of the last user login.
PrintLastLog no
# Use TCP keepalives for detecting dead connections.
TCPKeepAlive yes
# Use the internal SFTP so we can also easily utilise chroot.
Subsystem sftp internal-sftp
# Use PAM. But thanks to PasswordAuthentication being set to "no", PAM will be
# used just for session stuff.
UsePAM yes
# Specify a dedicated PID file for the backup SSH.
PidFile /run/sshd-backup.pid
# Users logging-in are forced to use the SFTP server.
ForceCommand internal-sftp
# Chroot logged-in users to their home directories.
ChrootDirectory %h
# Do not allow any TCP forwarding.
AllowTCPForwarding no
# Only allow the members of this group to log in to this instance of the
# OpenSSH server.
AllowGroups backup
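The following is an added example, not part of the majic-ansible-roles repository: a small audit that checks whether the global section of an sshd_config still enforces the SFTP-only, key-only lockdown configured in the file above. It applies sshd's rule that the first value obtained for a keyword is the one used, so a permissive line placed earlier in the file overrides the strict one. The names REQUIRED, PAGE_DIRECTIVES, effective_settings and audit are hypothetical; Match blocks are not evaluated, and an unset keyword is reported as a finding.

```python
import re

# Lockdown the backup instance above relies on (keywords lower-cased).
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
    "forcecommand": "internal-sftp",
    "chrootdirectory": "%h",
}
# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

# Directives copied from the file shown above (comments omitted).
PAGE_DIRECTIVES = """\
PermitRootLogin no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
ForceCommand internal-sftp
ChrootDirectory %h
AllowTCPForwarding no
AllowGroups backup
"""

def effective_settings(text):
    """Global-section settings; sshd keeps the first value of a keyword."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # assumption: only the global section is audited
            break
        settings.setdefault(key, value)  # later duplicates are ignored
    return settings

def audit(text):
    """Return a list of findings; an empty list means the lockdown holds."""
    got = effective_settings(text)
    findings = [f"{k}: expected {v!r}, effective {got.get(k, '<unset>')!r}"
                for k, v in REQUIRED.items() if got.get(k) != v]
    if "allowgroups" not in got:
        findings.append("allowgroups: no group restriction set")
    return findings
```

On a host with OpenSSH installed, `sshd -T -f <file>` prints the effective configuration as the daemon itself resolves it and is the authoritative check.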