Improve SSHD config to use more secure settings (#12109)

liuh-80 · web-flow · commit f8494d10ad33 · 2022-09-22T09:25:29.000+08:00
Improve SSHD config to use more secure settings #### Why I did it According to Sonic OS review result, SSHD config file /etc/ssh/sshd_config using insecure settings. #### How I did it Change build_debian.sh script to set following settings to /etc/ssh/sshd_config: ClientAliveInterval is set to 300 MaxAuthTries is set to default of 3 Banner set to /etc/issue LogLevel is set to VERBOSE #### How to verify it Pass all E2E test case. #### Which release branch to backport (provide reason below if selected)  - [ ] 201811 - [ ] 201911 - [ ] 202006 - [ ] 202012 - [ ] 202106 - [ ] 202111 - [ ] 202205 #### Description for the changelog Improve SSHD config to use more secure settings #### Link to config_db schema for YANG module changes  #### A picture of a cute animal (not mandatory but encouraged)
diff --git a/build_debian.sh b/build_debian.sh
@@ -467,10 +467,16 @@ rm /files/etc/ssh/sshd_config/ClientAliveInterval
 rm /files/etc/ssh/sshd_config/ClientAliveCountMax
 touch /files/etc/ssh/sshd_config/EmptyLineHack
 rename /files/etc/ssh/sshd_config/EmptyLineHack ""
-set /files/etc/ssh/sshd_config/ClientAliveInterval 900
+set /files/etc/ssh/sshd_config/ClientAliveInterval 300
 set /files/etc/ssh/sshd_config/ClientAliveCountMax 1
 ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval
-set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 15 minutes"
+set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 5 minutes"
+rm /files/etc/ssh/sshd_config/MaxAuthTries
+set /files/etc/ssh/sshd_config/MaxAuthTries 3
+rm /files/etc/ssh/sshd_config/LogLevel
+set /files/etc/ssh/sshd_config/LogLevel VERBOSE
+rm /files/etc/ssh/sshd_config/Banner
+set /files/etc/ssh/sshd_config/Banner /etc/issue
 save
 quit
 EOF
