From 057272a95243ed8576daccf8b9840b3ac1abf669 Mon Sep 17 00:00:00 2001 From: edunham Date: Tue, 15 Mar 2016 11:31:01 -0700 Subject: [PATCH] Deploy Mozilla-recommended SSHD config See https://wiki.mozilla.org/Security/Guidelines/OpenSSH --- common/init.sls | 7 +++++++ common/sshd_config | 28 ++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 common/sshd_config
diff --git a/common/init.sls b/common/init.sls
index e1ce6f2d..559bdab5 100644
--- a/common/init.sls
+++ b/common/init.sls
@@ -50,3 +50,10 @@ sshkey-{{ ssh_user }}:
 - user: root
 - source: salt://{{ tpldir }}/ssh/{{ ssh_user }}.pub
 {% endfor %}
+
+/etc/ssh/sshd_config:
+ file.managed:
+ - source: salt://common/sshd_config
+ - user: root
+ - group: root
+ - mode: 644
diff --git a/common/sshd_config b/common/sshd_config
new file mode 100644
index 00000000..2af289f8
--- /dev/null
+++ b/common/sshd_config
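Review bot: Nothing restarts or reloads sshd when this managed file changes, so the hardened configuration is written to disk but stays inert until the daemon is next restarted by something unrelated, and a config the local OpenSSH rejects (for example one too old for `AuthenticationMethods`) would only surface as a failed start at that later moment, possibly with no console access. I would have `file.managed` validate the candidate through `check_cmd` (Salt appends the temp-file path as the last argument, so `/usr/sbin/sshd -t -f` works, assuming a Salt release that supports `check_cmd`) and add a `service.running` state that watches the file; the unit is `ssh` on Debian/Ubuntu and `sshd` on RHEL-family hosts, so pick the fleet's name or take it from pillar. The `{% for %}` loop that the context lines belong to opens before this hunk; the new state itself sits after its `{% endfor %}` at top level.
```yaml
/etc/ssh/sshd_config:
  file.managed:
    # … unchanged: source, user, group, mode …
    # Refuse to install a config sshd itself rejects; Salt passes the
    # temp-file path as the final argument to this command.
    - check_cmd: /usr/sbin/sshd -t -f

# Apply the new configuration ("ssh" on Debian/Ubuntu, "sshd" on RHEL).
sshd:
  service.running:
    - watch:
      - file: /etc/ssh/sshd_config
```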
@@ -0,0 +1,28 @@
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# Password based logins are disabled - only public key based logins are allowed.
+AuthenticationMethods publickey
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
+#
+# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
+# Additionally, only tools such as systemd and auditd record the process session id.
+# On other OSes, the user session id is not necessarily recorded at all kernel-side.
+# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
+PermitRootLogin No
+
+# Use kernel sandbox mechanisms where possible in unprivilegied processes
+# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
+UsePrivilegeSeparation sandbox
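Review bot: This file replaces the distribution's sshd_config wholesale but sets neither `UsePAM` (OpenSSH's compiled default is `no`) nor any `Subsystem sftp` line, so PAM account and session handling (account expiry, pam_systemd, limits) is silently skipped and SFTP stops working the moment it is deployed. I would add `UsePAM yes`, an explicit `PasswordAuthentication no` as belt-and-braces beside `AuthenticationMethods publickey` (it is also what most hardening scanners grep for), and `Subsystem sftp /usr/lib/openssh/sftp-server`, with the path adjusted per distro (`/usr/libexec/openssh/sftp-server` on RHEL-family). `AuthenticationMethods`, `curve25519-sha256@libssh.org` and `chacha20-poly1305@openssh.com` all require OpenSSH 6.5 or newer; an older sshd rejects the file and refuses to start, so the target versions should be confirmed before this lands on a host without console access. The new comments also carry a few typos worth fixing while the file is fresh: "which key was using to log in" → "was used", "sessions are tracking" → "are tracked", "ensure a clear audit track" → "ensures", "unprivilegied" → "unprivileged".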