From a67cacbd156884fcf548938bd4f9de6b0605a0be Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 18 Jun 2026 22:56:33 +0100 Subject: [PATCH] Simplify SSH config Move this kind of configuration to the client, since it'll apply more widely. There's a VPN protecting all of these anyway. --- ansible/roles/base/files/sshd_config | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config index 91c52c7..df78473 100644 --- a/ansible/roles/base/files/sshd_config +++ b/ansible/roles/base/files/sshd_config @@ -58,21 +58,3 @@ PrintLastLog yes AcceptEnv LANG LC_* Subsystem sftp internal-sftp - -# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com -# hardening guide. -KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512 - -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr - -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com - -RequiredRSASize 3072 - -HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 - -CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 - -HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 - -PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256