From 8e51852866e18a0b13622138493f6dfd74ff7c2a Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Sep 23 2021 14:41:29 +0000 Subject: Adding note about bastion/jump host for sshd Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/ssh.md b/docs/security/ssh.md index 3497f1d..7776b94 100644 --- a/docs/security/ssh.md +++ b/docs/security/ssh.md @@ -1,5 +1,7 @@ # CentOS ssh/sshd settings +## General rules + Except for some identified ssh Jump Hosts, or for public services over ssh (like pushing to git.centos.org), the tcp/22 port used by sshd is [firewalled](https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml#L11) on almost all the fleet. As part of the `init` [process](/operations/deploy/common/) we sign the sshd host key, meaning that once it's signed by central key, you just have to trust that cert-authority and so not have to confirm each host key/fingerprint when connecting to a server over ssh. @@ -18,3 +20,11 @@ Apart from that, our default sshd_config : * specify the `HostCertificate` (see the node about CA sshd host above) From a client perspective, all users ssh public keys are distributed by ansible (for sysadmin) or coming from [IPA](/infra/authentication/) through ipsilon for some services able to query/import ssh public keys through openid/openidc (like for example pagure/git.centos.org) + +We also tune the default ciphers in our host sshd_config to match current security standards and following best practices in that regard. + +## Bastion hosts + +For bastion hosts, we don't even allow shell accounts, and so people would only get real access to the nodes/infra they'd be allowed to get to. + +We can use the `sshd_proxyjump_host` feature from our [sshd role](https://github.com/CentOS/ansible-role-sshd/blob/master/defaults/main.yml) and ansible will just restrict "jailed" users on that jumphost.
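Review bot: The first hunk only introduces the `## General rules` heading, but the paragraph it now heads still carries the pre-existing typo "see the node about CA sshd host above" (should be "note"); since this commit already touches the surrounding lines, it would be worth fixing that in the same change so the new section reads cleanly.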
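Review bot: In the second hunk the cipher sentence ("We also tune the default ciphers ... to match current security standards and following best practices") is too vague to be actionable and is also ungrammatical; reword to "and follow best practices" and point the reader at where the actual `Ciphers`/`KexAlgorithms`/`MACs` values live (the sshd role defaults already linked in the `## Bastion hosts` paragraph), otherwise a reader cannot verify what "current standards" means or audit drift from it. In the same hunk, the bastion paragraph says jailed users get no shell and that `sshd_proxyjump_host` makes ansible "restrict" them, but does not say how the restriction is enforced (for example which sshd options or `Match` block the role applies, and whether forwarding is limited to the allowed targets); stating that explicitly, or linking to the relevant task in the role, would let an operator confirm the jump host really only permits `ProxyJump` and nothing else. Minor: "jumphost" should be "jump host" to match the wording used earlier in the file.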