Blame docs/security/ssh.md
|
|
0d32f4 |
# CentOS ssh/sshd settings
|
|
|
0d32f4 |
|
|
|
8e5185 |
## General rules
|
|
|
8e5185 |
|
|
|
0d32f4 |
Except for some identified ssh Jump Hosts, or for public services over ssh (like pushing to git.centos.org), the tcp/22 port used by sshd is [firewalled](https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml#L11) on almost all the fleet.
|
|
|
0d32f4 |
|
|
|
6d98f4 |
As part of the `init` [process](../operations/deploy/common.md) we sign the sshd host key, meaning that once it's signed by central key, you just have to trust that cert-authority and so not have to confirm each host key/fingerprint when connecting to a server over ssh.
|
|
|
0d32f4 |
|
|
|
6d98f4 |
The Ansible [sshd](https://github.com/CentOS/ansible-role-sshd) is also distributing a `ssh_known_hosts` system file, so that each node (if needed) can also ssh into other centos nodes (like for backup purposes), as long as of course :
|
|
|
0d32f4 |
|
|
|
0d32f4 |
* a valid user pub key is injected
|
|
|
0d32f4 |
* tcp/22 isn't blocked through iptables from ansible
|
|
|
0d32f4 |
|
|
|
0d32f4 |
The central [known_hosts_entries](https://github.com/CentOS/ansible-role-sshd/blob/master/defaults/main.yml#L23) ansible variable at least has one default entry for the `main` CentOS ENV.
|
|
|
0d32f4 |
|
|
|
0d32f4 |
Apart from that, our default sshd_config :
|
|
|
0d32f4 |
|
|
|
0d32f4 |
* Doesn't permit root login
|
|
|
0d32f4 |
* Doesn't permit password authentication
|
|
|
0d32f4 |
* specify the `HostCertificate` (see the node about CA sshd host above)
|
|
|
0d32f4 |
|
|
|
6d98f4 |
From a client perspective, all users ssh public keys are distributed by ansible (for sysadmin) or coming from [IPA](../infra/authentication.md) through ipsilon for some services able to query/import ssh public keys through openid/openidc (like for example pagure/git.centos.org)
|
|
|
8e5185 |
|
|
|
6d98f4 |
We also tune the default ciphers in our host `sshd_config` to match current security standards and following best practices in that regard.
|
|
|
8e5185 |
|
|
|
8e5185 |
## Bastion hosts
|
|
|
8e5185 |
|
|
|
8e5185 |
For bastion hosts, we don't even allow shell accounts, and so people would only get real access to the nodes/infra they'd be allowed to get to.
|
|
|
8e5185 |
|
|
|
8e5185 |
We can use the `sshd_proxyjump_host` feature from our [sshd role](https://github.com/CentOS/ansible-role-sshd/blob/master/defaults/main.yml) and ansible will just restrict "jailed" users on that jumphost.
|