
Some major changes: * the charm has been rebased (from a Python perspective) to be rooted in the charm directory. This is a single root. * Imports have been changed so that they don't add lots of imports to the namespace of the module doing the import. * The code that used to run at module import time has been made lazy such that it only has to run if the relevant functions are called. This includes restart_on_change parameters, the harden function and the parameters to the guard_map. Appropriate changes will be submitted to charm-helpers. * Several tests had to be re-written as (incorrect) mocking meant that test fixtures didn't actually match what the code was doing. Thus, the tests were meaningless. * This has had a net positive impact on the unit tests with respect to importing modules and mocking. Change-Id: Id07d9d1caaa9b29453a63c2e49ba831071e9457f
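---
# NOTE: this file contains the default configuration for the 'ssh' hardening
# code. If you want to override any settings you must add them to a file
# called hardening.yaml in the root directory of your charm using the
# name 'ssh' as the root key followed by any of the following with new
# values.
#
# Conventions used in this file:
#   - keys tagged "(type:boolean)" are real YAML booleans (`true`/`false`),
#     not the strings 'yes'/'no'; the other yes/no-style keys are quoted
#     strings and are passed through as-is.
#   - settings are nested under `common`, `client` and `server`; the
#     indentation is significant, a key at the wrong level is silently
#     ignored or overrides a sibling rather than raising an error.

common:
  service_name: 'ssh'
  # IPv6 listeners stay off unless the host actually routes IPv6; an
  # unmanaged IPv6 listener is an easily overlooked exposure.
  network_ipv6_enable: false  # (type:boolean)
  ports: [22]
  # NOTE(review): presumably the set of hosts allowed to reach the service
  # (empty = no restriction from this file); confirm against the consumer.
  remote_hosts: []

client:
  package: 'openssh-client'
  # The three flags below presumably re-admit CBC ciphers, weak MACs and
  # weak key-exchange algorithms in the generated client config; leave
  # them false unless a specific legacy peer requires them.
  cbc_required: false  # (type:boolean)
  weak_hmac: false  # (type:boolean)
  weak_kex: false  # (type:boolean)
  roaming: false  # (type:boolean)
  password_authentication: 'no'

server:
  host_key_files:
    - '/etc/ssh/ssh_host_rsa_key'
    # NOTE(review): ssh-dss host keys are disabled by default in OpenSSH 7.0
    # and later; consider dropping the DSA key from the hardened defaults
    # once no deployment target still needs it.
    - '/etc/ssh/ssh_host_dsa_key'
    - '/etc/ssh/ssh_host_ecdsa_key'
  # Same meaning as the client-side flags: keep false unless a legacy peer
  # forces a downgrade.
  cbc_required: false  # (type:boolean)
  weak_hmac: false  # (type:boolean)
  weak_kex: false  # (type:boolean)
  # Root login, even with a key, is off by default so that privileged
  # access goes through an individually accountable user account.
  allow_root_with_key: false  # (type:boolean)
  # Forwarding features widen what an authenticated client can reach;
  # all three default to 'no' and should be enabled per-deployment only.
  allow_tcp_forwarding: 'no'
  allow_agent_forwarding: 'no'
  allow_x11_forwarding: 'no'
  use_privilege_separation: 'sandbox'
  # '0.0.0.0' binds every IPv4 address; narrow this to the management
  # interface on multi-homed hosts.
  listen_to: ['0.0.0.0']
  # NOTE(review): if this maps to UsePAM, 'no' also bypasses PAM account and
  # session checks; confirm against the sshd_config template before relying
  # on PAM-enforced policy (e.g. account expiry).
  use_pam: 'no'
  package: 'openssh-server'
  password_authentication: 'no'
  # Keep-alive values are quoted strings here, whereas max_auth_tries and
  # max_sessions below are integers; the mix is preserved as the consumer
  # was written against it.
  alive_interval: '600'
  alive_count: '3'
  sftp_enable: false  # (type:boolean)
  sftp_group: 'sftponly'
  # '%u' is expanded by sshd to the user name; the chroot directory must be
  # root-owned and not writable by the user or sshd rejects it.
  sftp_chroot: '/home/%u'
  # Empty lists apply no user/group allow or deny filtering.
  deny_users: []
  allow_users: []
  deny_groups: []
  allow_groups: []
  print_motd: 'no'
  print_last_log: 'no'
  # Reverse DNS on connect only adds latency and spoofable data to logs.
  use_dns: 'no'
  # Low retry budget per connection limits online password/key guessing.
  max_auth_tries: 2
  max_sessions: 10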