OpenSSH is a free version of the SSH connectivity tools that technical users of the Internet rely on. The passwords of Telnet, remote login (rlogin), and File Transfer Protocol (FTP) users are transmitted across the Internet unencrypted. OpenSSH encrypts all traffic, including passwords, to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
This file provides sample pillar configurations for different use cases.
OpenSSH client
The OpenSSH client configuration with a shared private key:
openssh:
  client:
    enabled: true
    use_dns: False
    user:
      root:
        enabled: true
        private_key:
          type: rsa
          key: ${_param:root_private_key}
        user: ${linux:system:user:root}
The OpenSSH client configuration with an individual private key and known host:
openssh:
  client:
    enabled: true
    user:
      root:
        enabled: true
        user: ${linux:system:user:root}
        known_hosts:
        - name: repo.domain.com
          type: rsa
          fingerprint: dd:fa:e8:68:b1:ea:ea:a0:63:f1:5a:55:48:e1:7e:37
          fingerprint_hash_type: sha256|md5
The OpenSSH client configuration with keep alive settings:
openssh:
  client:
    alive:
      interval: 600
      count: 3
OpenSSH server
The OpenSSH server simple configuration:
openssh:
  server:
    enabled: true
    permit_root_login: true
    public_key_auth: true
    password_auth: true
    host_auth: true
    banner: Welcome to server!
    bind:
      address: 0.0.0.0
      port: 22
The OpenSSH server configuration with auth keys for users:
openssh:
  server:
    enabled: true
    bind:
      address: 0.0.0.0
      port: 22
    ...
    user:
      newt:
        enabled: true
        user: ${linux:system:user:newt}
        public_keys:
        - ${public_keys:newt}
      root:
        enabled: true
        purge: true
        user: ${linux:system:user:root}
        public_keys:
        - ${public_keys:newt}
Note: Setting the purge parameter to true ensures that the authorized_keys file contains exactly the keys defined in the model; any keys not defined there are removed.
The OpenSSH server configuration that binds OpenSSH on multiple addresses and ports:
openssh:
  server:
    enabled: true
    binds:
    - address: 127.0.0.1
      port: 22
    - address: 192.168.1.1
      port: 2222
The OpenSSH server with FreeIPA configuration:
openssh:
  server:
    enabled: true
    bind:
      address: 0.0.0.0
      port: 22
    public_key_auth: true
    authorized_keys_command:
      command: /usr/bin/sss_ssh_authorizedkeys
      user: nobody
The OpenSSH server configuration with keep alive settings:
openssh:
  server:
    alive:
      keep: yes
      interval: 600
      count: 3
      #
      # gives a timeout of 30 minutes (600 sec x 3)
The OpenSSH server configuration with the DSA legacy keys enabled:
openssh:
  server:
    dss_enabled: true
The OpenSSH server configuration with Duo 2FA (https://duo.com/docs/duounix); the Match User block lets 2FA be bypassed for specific accounts:
openssh:
  server:
    use_dns: false
    password_auth: false
    challenge_response_auth: true
    ciphers:
      aes256-ctr:
        enabled: true
      aes192-ctr:
        enabled: true
      aes128-ctr:
        enabled: true
    authentication_methods:
      publickey:
        enabled: true
      keyboard-interactive:
        enabled: true
    match_user:
      jenkins:
        authentication_methods:
          publickey:
            enabled: true
The OpenSSH server configuration supports the AllowUsers, DenyUsers, AllowGroups, and DenyGroups directives via the allow_users, deny_users, allow_groups, and deny_groups keys respectively.
For example, here is how to manage the AllowUsers configuration item:
openssh:
  server:
    allow_users:
      <user_name>:
        enabled: true
      <pattern_list_name>:
        enabled: true
        pattern: <pattern>
Elements of allow_users are either user names or pattern-list names. The enabled key defaults to 'true'.
See PATTERNS in ssh_config(5) for more information on what <pattern> may contain.
CIS Compliance
There are a number of configuration options that make the OpenSSH service compliant with the CIS Benchmark. These options can be found under metadata/service/server/cis and are not enabled by default. For each CIS item a comprehensive description is provided with the pillar data.
See also https://www.cisecurity.org/cis-benchmarks/ for details about the CIS Benchmark.
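As an added example that is not part of the formula (its real rendering is done by a Jinja template), the following Python renders the server pillar keys documented above into sshd_config directives and flags the values a CIS review would question. The key-to-directive mapping and the PILLAR sample are assumptions, taken from the directive names in sshd_config(5).

```python
# Added example, not the formula's own template: turn openssh:server pillar
# keys into sshd_config directives and flag weak global settings. The mapping
# below is an assumption based on the directive names in sshd_config(5).

PILLAR = {"openssh": {"server": {  # constructed, mirrors the Duo 2FA example
    "enabled": True, "use_dns": False, "permit_root_login": False,
    "password_auth": False, "challenge_response_auth": True,
    "binds": [{"address": "127.0.0.1", "port": 22}, {"address": "192.168.1.1", "port": 2222}],
    "alive": {"interval": 600, "count": 3},
    "authentication_methods": {"publickey": {"enabled": True},
                               "keyboard-interactive": {"enabled": True}},
    "match_user": {"jenkins": {"authentication_methods": {"publickey": {"enabled": True}}}},
}}}

SIMPLE = [("use_dns", "UseDNS"), ("permit_root_login", "PermitRootLogin"),
          ("public_key_auth", "PubkeyAuthentication"),
          ("password_auth", "PasswordAuthentication"),
          ("host_auth", "HostbasedAuthentication"),
          ("challenge_response_auth", "ChallengeResponseAuthentication")]

def yn(value):
    return "yes" if value else "no"

def methods(section):
    # Comma-joined methods must ALL succeed, which is what the 2FA setup relies on.
    return ",".join(k for k, v in section.items() if v.get("enabled", True))

def render_sshd_config(pillar):
    s = pillar["openssh"]["server"]
    out = []
    for b in s.get("binds") or ([s["bind"]] if "bind" in s else []):
        out.append(f"ListenAddress {b['address']}:{b['port']}")
    for key, directive in SIMPLE:
        if key in s:
            out.append(f"{directive} {yn(s[key])}")
    if "alive" in s:
        out.append(f"ClientAliveInterval {s['alive']['interval']}")
        out.append(f"ClientAliveCountMax {s['alive']['count']}")
    if "authentication_methods" in s:
        out.append("AuthenticationMethods " + methods(s["authentication_methods"]))
    # Match blocks go last: every directive after a Match line belongs to it.
    for user, m in s.get("match_user", {}).items():
        out.append(f"Match User {user}")
        out.append("    AuthenticationMethods " + methods(m["authentication_methods"]))
    return out

def weak_settings(lines):
    # Global directives that weaken sshd when set to "yes" (CIS-style review).
    risky = {"PermitRootLogin", "PasswordAuthentication", "HostbasedAuthentication"}
    return [l for l in lines if l.split()[0] in risky and l.endswith(" yes")]
```

Rendering the simple server example from earlier on this page (permit_root_login, password_auth and host_auth all true) makes weak_settings return all three directives.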
Read more