🐛 SSH Hardening

[jriedel-ionos]

What is the purpose of this pull request/Why do we need it? Add tweaks for Diffie-Hellman key exchange, because of a CVE. See:

• https://nvd.nist.gov/vuln/detail/CVE-2002-20001
• https://dheatattack.gitlab.io/dheater/

And 4096 bit host keys are used to harden SSH security.

I used https://www.sshaudit.com/hardening_guides.html#ubuntu_22_04_lts as a hardening guide.

Description of changes:

• Improve Diffie-Hellman key exchange
• Use 4096 bit host keys.

Checklist:

• [x] Includes emojis

[gfariasalves-ionos]

I think you should add the reasoning for removing the key exchange in the PR.

[piepmatz]

Do the nodes now pass the test at https://sshaudit.com/ with the Hardened Ubuntu Server 22.04 LTS (version 5) policy?

[jriedel-ionos]

Do the nodes now pass the test at https://sshaudit.com/ with the Hardened Ubuntu Server 22.04 LTS (version 5) policy?

Yes

[piepmatz]

• The MachineDeployment and ClusterResourceSet in test/e2e/data/infrastructure-ionoscloud/cluster-template.yaml lack the labels.
• The field order of ClusterResourceSet.spec.resources[0] is swapped in test/e2e/data/infrastructure-ionoscloud/cluster-template.yaml and templates/cluster-template-calico.yaml

[sonarcloud[bot]]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud