sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(cis): remove deprecated sshd options and update hardening values

Browse Source
This commit is contained in:
Sandwich
2026-02-20 20:17:52 +01:00
parent a2993212ca
commit 524356cf8d
6 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
roles/cis/tasks/sshd.yml
View File

@@ -21,7 +21,7 @@
- { option: GSSAPIAuthentication, value: "no" }
- { option: AllowAgentForwarding, value: "no" }
- { option: AllowTcpForwarding, value: "no" }
- { option: ChallengeResponseAuthentication, value: "no" }
- { option: KbdInteractiveAuthentication, value: "no" }
- { option: GatewayPorts, value: "no" }
- { option: X11Forwarding, value: "no" }
- { option: PermitUserEnvironment, value: "no" }
@@ -36,7 +36,6 @@
marker: "# {mark} CIS SSH HARDENING"
block: |-
## CIS Specific
Protocol 2
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256