Improve sshd configuration

[willthames]

Image I'm using:

Custom image based on pr #39 but that should be pretty much latest now.

Issue or Feature Request:

I would like either a stricter sshd config or the ability to configure a stricter sshd config.

e.g.

Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
PermitRootLogin no

I can see two ways to achieve that:

• hardcode it for everyone in sshd_config
• add a custom-config (or better name) to user data e.g.

  {
    "ssh":{
       "custom-config": {
          "PermitRootLogin": "no",
          "Ciphers": "[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]"
       }
    }
  }
  

I am willing to implement this but just want to check what your preferences are first.

[jpculp]

@willthames, thank you for opening this enhancement request! After some discussion with the team, we agree that this would be a great change. We would prefer hardcoding the PermitRootLogin no directly to the sshd_config above the # Configured by user data line, and setting the ciphers via user-data like so:

{
    "ssh": {
        "authorized-keys-command": "/opt/aws/bin/eic_run_authorized_keys %u %f",
        "authorized-keys-command-user": "ec2-instance-connect",
        "ciphers": [
            "[email protected]",
            "aes128-ctr",
            "aes192-ctr",
            "aes256-ctr",
            "[email protected]",
            "[email protected]"
        ]
    }
}

Is this something you would still be willing to implement or would you rather us work on it?

[willthames]

@jpculp - I'm happy with that approach - I'll hopefully submit a PR shortly

[willthames]

Closed by #42