This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

Added support for AuthorizedKeysFile config setting #132

Merged
merged 1 commit into from
Oct 17, 2017

Conversation

hyrsky

@hyrsky hyrsky commented Oct 8, 2017

I created this small patch to add a variable for the AuthorizedKeysFile setting. I needed this for my setup; maybe it is useful to someone else as well.

From man sshd_config:

AuthorizedKeysFile
        Specifies the file that contains the public keys that can be used
        for user authentication.  The format is described in the
        AUTHORIZED_KEYS FILE FORMAT section of sshd(8).  AuthorizedKeysFile
        may contain tokens of the form %T which are substituted during
        connection setup.  The following tokens are defined: %% is
        replaced by a literal '%', %h is replaced by the home directory
        of the user being authenticated, and %u is replaced by the
        username of that user.  After expansion, AuthorizedKeysFile is taken
        to be an absolute path or one relative to the user's home
        directory.  Multiple files may be listed, separated by whitespace.
        Alternately this option may be set to "none" to skip checking for
        user keys in files.  The default is ".ssh/authorized_keys
        .ssh/authorized_keys2".

sshd_config if ssh_authorized_keys_file is omitted

...
# Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.





# Network
# -------

# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
TCPKeepAlive no
...

sshd_config if ssh_authorized_keys_file is set

...
# Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.




AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Network
# -------

# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
TCPKeepAlive no
...
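To make the man page excerpt above concrete, here is an added example (not code from this pull request or from the ansible-ssh-hardening role) that expands an AuthorizedKeysFile value exactly as sshd_config(5) describes: `%%`, `%h` and `%u` substitution, "none" meaning no key files, whitespace-separated entries, and relative paths resolved against the user's home directory. It also includes a small renderer that mirrors the behaviour shown in the two sshd_config excerpts, emitting the AuthorizedKeysFile line only when the variable is non-empty; that renderer is an assumed stand-in for the role's Jinja2 template, not the template itself. The usernames and home directories are constructed sample values.

```python
import posixpath


def expand_authorized_keys_file(value, user, home):
    """Expand an sshd AuthorizedKeysFile value per sshd_config(5).

    Returns the list of absolute paths sshd would consult, or [] when the
    setting is "none".  Tokens: %% -> '%', %h -> home, %u -> user.  A result
    that is not absolute is taken relative to the user's home directory.
    Unknown tokens and a trailing '%' are rejected, as sshd refuses them.
    """
    if value.strip() == "none":
        return []
    paths = []
    for entry in value.split():
        out = []
        i = 0
        while i < len(entry):
            c = entry[i]
            if c != "%":
                out.append(c)
                i += 1
                continue
            if i + 1 >= len(entry):
                raise ValueError("dangling '%' in AuthorizedKeysFile")
            t = entry[i + 1]
            if t == "%":
                out.append("%")
            elif t == "h":
                out.append(home)
            elif t == "u":
                out.append(user)
            else:
                raise ValueError(f"unknown AuthorizedKeysFile token %{t}")
            i += 2
        expanded = "".join(out)
        if not posixpath.isabs(expanded):
            expanded = posixpath.join(home, expanded)
        paths.append(posixpath.normpath(expanded))
    return paths


def paths_under_home(paths, home):
    """Return the subset of expanded key-file paths that live inside the
    user's home directory, i.e. files the user (not only root) can edit."""
    prefix = home.rstrip("/") + "/"
    return [p for p in paths if p.startswith(prefix)]


def render_sshd_config_fragment(ssh_authorized_keys_file):
    """Assumed stand-in for the role's template: emit the AuthorizedKeysFile
    line only when the ssh_authorized_keys_file variable is non-empty, so an
    omitted variable leaves sshd on its compiled-in default."""
    if not ssh_authorized_keys_file:
        return ""
    return f"AuthorizedKeysFile {ssh_authorized_keys_file}\n"


if __name__ == "__main__":
    # Constructed sample: the value chosen in this PR, for a user "alice".
    setting = "/etc/ssh/authorized_keys/%u"
    paths = expand_authorized_keys_file(setting, "alice", "/home/alice")
    print(render_sshd_config_fragment(setting), end="")
    print("sshd will read:", paths)
    print("user-editable key files:", paths_under_home(paths, "/home/alice"))
```

With the PR's value, the only key file sshd reads is `/etc/ssh/authorized_keys/alice`, which is outside the user's home, so the set of keys that grant login to an account is controlled by whoever administers `/etc/ssh` rather than by the account holder; with sshd's default the two files under `~/.ssh` are user-editable. That difference is the reason a hardening role wants this setting to be configurable.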

@rndmh3ro
Member

rndmh3ro commented Oct 9, 2017

Looks good, thanks!
One thing: can you add the new variable (with a value other than '') to the default.yml playbook here: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/default.yml#L23

@rndmh3ro rndmh3ro self-requested a review October 9, 2017 09:22
@hyrsky
Author

hyrsky commented Oct 17, 2017

I added the new variable to the default.yml.

@rndmh3ro rndmh3ro merged commit 936e997 into dev-sec:master Oct 17, 2017
@rndmh3ro
Member

Thanks!
