sshd: Remove some unused and potentially dangerous features

2021-03-17 05:20:41 +00:00 · 2021-03-17 05:20:41 +00:00 · a745cdb3ee
commit a745cdb3ee
parent 282fbcb932
1 changed files with 14 additions and 0 deletions
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@ -1,6 +1,20 @@
 ---

+- name: disable AllowAgentForwarding
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?AllowAgentForwarding'
+    line: 'AllowAgentForwarding no'
+    validate: "sshd -t -f %s"
+  notify: restart sshd

+- name: disable ChallengeResponseAuthentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?ChallengeResponseAuthentication'
+    line: 'ChallengeResponseAuthentication no'
+    validate: "sshd -t -f %s"
+  notify: restart sshd

 # based on mozilla recommended settings
 #   https://infosec.mozilla.org/guidelines/openssh.html