From fc01cfbdd8f99bddc2e829a4cc9b69e8578f0464 Mon Sep 17 00:00:00 2001
From: Carmen Rata
Date: Wed, 26 Aug 2020 16:10:37 -0400
Subject: [PATCH] Fix openscap security violations in sshd_config
Updated ssh settings in /etc/ssh/sshd_config file to fix some high and medium openscap security violations.
Story: 2008037
Task: 40694
Change-Id: Id57fbb13fd2b758f2e8608b56af9447035bac903
Signed-off-by: Carmen Rata
Co-Authored-By: Thomas Gao
---
 openssh-config/files/sshd_config | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/openssh-config/files/sshd_config b/openssh-config/files/sshd_config
index 0dfc0e2..cbfc61d 100644
--- a/openssh-config/files/sshd_config
+++ b/openssh-config/files/sshd_config
@@ -55,13 +55,13 @@ AuthorizedKeysFile .ssh/authorized_keys
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
-#IgnoreUserKnownHosts no
+IgnoreUserKnownHosts yes
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
-#PermitEmptyPasswords no
+PermitEmptyPasswords no
 PasswordAuthentication yes
 # Change to no to disable s/key passwords
@@ -103,11 +103,11 @@ X11Forwarding no
 #X11UseLocalhost yes
 #PermitTTY yes
 #PrintMotd yes
-#PrintLastLog yes
+PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation yes
-#PermitUserEnvironment no
+UsePrivilegeSeparation sandbox
+PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15
 ClientAliveCountMax 4
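Review bot: `IgnoreUserKnownHosts yes` only takes effect during host-based authentication, yet the two related directives in this first hunk, `#HostbasedAuthentication no` and `#IgnoreRhosts yes`, are still commented out and so depend on sshd's built-in defaults. Since the commit makes `PermitEmptyPasswords no` explicit for the scanner, it would be consistent to uncomment those two as well, as `HostbasedAuthentication no` and `IgnoreRhosts yes`, so the hardened state is visible in the file and does not change if the defaults do. Whether the OpenSCAP profile in use flags them is not visible from this page. sshd keeps the first value it reads for a keyword, so the effective settings are worth confirming with `sshd -T` on a built image.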
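Review bot: `UsePrivilegeSeparation sandbox` in the second hunk is tied to the sshd version: OpenSSH deprecated the keyword in 7.5, where privilege separation became mandatory, so on a newer package this line would presumably only produce a deprecation warning. I would add a comment above it such as `# Required by OpenSCAP on OpenSSH < 7.5; remove when sshd is upgraded`. The packaged OpenSSH version is not visible on this page, so this should be checked against the build. Running `sshd -t` against the installed file in the package build or a CI step would catch a keyword the daemon rejects before the file reaches a host that is only reachable over SSH.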