62cc614573
Add charmhelpers.contrib.hardening and calls to install, config-changed, upgrade-charm and update-status hooks. Also add new config option to allow one or more hardening modules to be applied at runtime. Change-Id: Ic417d678d3b0f7bfda5b393628a67297d7e79107
50 lines
1.5 KiB
YAML
50 lines
1.5 KiB
YAML
# NOTE: this file contains the default configuration for the 'ssh' hardening
|
|
# code. If you want to override any settings you must add them to a file
|
|
# called hardening.yaml in the root directory of your charm using the
|
|
# name 'ssh' as the root key followed by any of the following with new
|
|
# values.
|
|
|
|
common:
|
|
service_name: 'ssh'
|
|
network_ipv6_enable: False # (type:boolean)
|
|
ports: [22]
|
|
remote_hosts: []
|
|
|
|
client:
|
|
package: 'openssh-client'
|
|
cbc_required: False # (type:boolean)
|
|
weak_hmac: False # (type:boolean)
|
|
weak_kex: False # (type:boolean)
|
|
roaming: False
|
|
password_authentication: 'no'
|
|
|
|
server:
|
|
host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key',
|
|
'/etc/ssh/ssh_host_ecdsa_key']
|
|
cbc_required: False # (type:boolean)
|
|
weak_hmac: False # (type:boolean)
|
|
weak_kex: False # (type:boolean)
|
|
allow_root_with_key: False # (type:boolean)
|
|
allow_tcp_forwarding: 'no'
|
|
allow_agent_forwarding: 'no'
|
|
allow_x11_forwarding: 'no'
|
|
use_privilege_separation: 'sandbox'
|
|
listen_to: ['0.0.0.0']
|
|
use_pam: 'no'
|
|
package: 'openssh-server'
|
|
password_authentication: 'no'
|
|
alive_interval: '600'
|
|
alive_count: '3'
|
|
sftp_enable: False # (type:boolean)
|
|
sftp_group: 'sftponly'
|
|
sftp_chroot: '/home/%u'
|
|
deny_users: []
|
|
allow_users: []
|
|
deny_groups: []
|
|
allow_groups: []
|
|
print_motd: 'no'
|
|
print_last_log: 'no'
|
|
use_dns: 'no'
|
|
max_auth_tries: 2
|
|
max_sessions: 10
|