userdir-ldap reference - hardening

Security Hardening Guidance

SSH configuration

The following improvements and considerations harden the SSH algorithm lists exposed by the charm's kex-algorithms, ciphers and macs options:

  1. Keep curve25519-sha256 as the kex-algorithms charm option (it is the default) and never enable weaker algorithms such as diffie-hellman-group14-sha1 or any other SHA-1 based KEX algorithm.

  2. Consider removing aes128-gcm from the ciphers charm configuration: AES-256 is the stronger option and carries no significant performance penalty on modern hardware. Run the following command to tighten the cipher list:

juju config userdir-ldap ciphers="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"

  3. Consider removing the non-ETM variants such as hmac-sha2-256 from the macs configuration. You can also consider dropping umac-128-etm@openssh.com, as it provides only a 128-bit integrity tag, which some environments may consider insufficient. Run the following command to tighten the MAC list:

juju config userdir-ldap macs="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
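As an added example (not code from the userdir-ldap charm or its documentation), the following POSIX shell script checks the algorithm lists an sshd actually offers for the weak entries discussed in items 1 to 3. It reads the "keyword value" lines that sshd -T prints, so it can confirm on a unit that the juju config changes above took effect. The two inputs embedded in it are constructed samples, one before and one after the commands above. The checks for CBC ciphers and SHA-1 MACs go beyond what this page states and are the example's own assumptions.

```shell
#!/bin/sh
# Added example for this hardening page, not code from the userdir-ldap charm.
# It audits the algorithm lists an sshd offers (the "keyword value" lines
# printed by `sshd -T`) for the weak entries discussed above. Both inputs
# below are constructed samples, not captured output.

SAMPLE_SSHD_T='kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com'

# The same host after applying the juju config commands from this page
# (constructed sample as well).
HARDENED_SSHD_T='kexalgorithms curve25519-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

# weak_entries KEYWORD CONFIG_TEXT
# Prints, one per line, the entries of KEYWORD's comma-separated list that
# match the weak pattern for that keyword. Exit status is grep's: 0 when at
# least one weak entry was found, 1 when the list is clean.
weak_entries() {
  keyword=$1
  config=$2
  case $keyword in
    # Any SHA-1 based key exchange (item 1).
    kexalgorithms) pattern='sha1' ;;
    # aes128-gcm (item 2); flagging CBC modes is an assumed extension.
    ciphers)       pattern='^aes128-gcm@openssh\.com$|-cbc$' ;;
    # umac-* (item 3) and any non-ETM MAC, recognisable by the missing
    # "-etm@openssh.com" suffix; flagging SHA-1 MACs is an assumed extension.
    macs)          pattern='^umac-|sha1|^hmac-[^@]*$' ;;
    *) printf 'unknown keyword: %s\n' "$keyword" >&2; return 2 ;;
  esac
  printf '%s\n' "$config" \
    | awk -v k="$keyword" '$1 == k { print $2 }' \
    | tr ',' '\n' \
    | grep -E -- "$pattern"
}

# audit_all CONFIG_TEXT
# Reports every weak entry as "keyword: entry". Returns 0 when all three lists
# are clean and 1 when anything was flagged, so it can gate a deployment check.
audit_all() {
  config=$1
  status=0
  for kw in kexalgorithms ciphers macs; do
    flagged=$(weak_entries "$kw" "$config") || continue
    status=1
    printf '%s\n' "$flagged" | while IFS= read -r entry; do
      printf '%s: %s\n' "$kw" "$entry"
    done
  done
  return $status
}

# On a live unit the call would be:  audit_all "$(sudo sshd -T)"
audit_all "$SAMPLE_SSHD_T" || echo "sample: weak algorithms present"
audit_all "$HARDENED_SSHD_T" && echo "hardened: clean"
```

Run it against the real output of sshd -T on a unit after changing the charm options; a non-zero exit from audit_all means at least one of the three lists still carries an entry this page advises against.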