config-files/etc/ssh/sshd_config

# OpenSSH rugged config

# listen on ssh port, security is not "choice another port"
Port 22

# ipv6 only
AddressFamily inet6
ListenAddress ::

# ed25519 only
HostKey /etc/ssh/ssh_host_ed25519_key

# SSH CA
TrustedUserCAKeys /etc/ssh/ca-vault.pem

# Cipher and algorithms
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication
LoginGraceTime 10s
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 2
MaxSessions 10

# Allow publickey
PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#PidFile /var/run/sshd.pid
#PermitTunnel no
#ChrootDirectory none

MaxStartups 10:30:100
X11Forwarding no
UseDNS no
PrintMotd no
VersionAddendum none

# no default banner path
Banner none
DebianBanner no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server
add sshd 2021-04-30 20:58:42 +00:00			`# OpenSSH rugged config`

			`# listen on ssh port, security is not "choice another port"`
			`Port 22`

			`# ipv6 only`
			`AddressFamily inet6`
			`ListenAddress ::`

			`# ed25519 only`
			`HostKey /etc/ssh/ssh_host_ed25519_key`

			`# SSH CA`
			`TrustedUserCAKeys /etc/ssh/ca-vault.pem`

			`# Cipher and algorithms`
			`KexAlgorithms curve25519-sha256@libssh.org`
			`Ciphers chacha20-poly1305@openssh.com`
			`MACs hmac-sha2-512-etm@openssh.com`

			`# Logging`
			`SyslogFacility AUTH`
			`LogLevel INFO`

			`# Authentication`
			`LoginGraceTime 10s`
			`PermitRootLogin prohibit-password`
			`StrictModes yes`
			`MaxAuthTries 2`
			`MaxSessions 10`

			`# Allow publickey`
			`PubkeyAuthentication yes`

			`# Expect .ssh/authorized_keys2 to be disregarded by default in future.`
			`#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2`

			`#AuthorizedPrincipalsFile none`

			`#AuthorizedKeysCommand none`
			`#AuthorizedKeysCommandUser nobody`

			`# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts`
			`HostbasedAuthentication no`
			`# Don't read the user's ~/.rhosts and ~/.shosts files`
			`IgnoreRhosts yes`

			`# To disable tunneled clear text passwords, change to no here!`
			`#PasswordAuthentication yes`
			`#PermitEmptyPasswords no`

			`# Change to yes to enable challenge-response passwords (beware issues with`
			`# some PAM modules and threads)`
			`ChallengeResponseAuthentication no`

			`# Kerberos options`
			`KerberosAuthentication no`
			`#KerberosOrLocalPasswd yes`
			`#KerberosTicketCleanup yes`
			`#KerberosGetAFSToken no`

			`# GSSAPI options`
			`GSSAPIAuthentication no`
			`#GSSAPICleanupCredentials yes`
			`#GSSAPIStrictAcceptorCheck yes`
			`#GSSAPIKeyExchange no`

			`# Set this to 'yes' to enable PAM authentication, account processing,`
			`# and session processing. If this is enabled, PAM authentication will`
			`# be allowed through the ChallengeResponseAuthentication and`
			`# PasswordAuthentication. Depending on your PAM configuration,`
			`# PAM authentication via ChallengeResponseAuthentication may bypass`
			`# the setting of "PermitRootLogin without-password".`
			`# If you just want the PAM account and session checks to run without`
			`# PAM authentication, then enable this but set PasswordAuthentication`
			`# and ChallengeResponseAuthentication to 'no'.`
			`UsePAM yes`

			`#AllowAgentForwarding yes`
			`#AllowTcpForwarding yes`
			`#GatewayPorts no`
			`#X11DisplayOffset 10`
			`#X11UseLocalhost yes`
			`#PermitTTY yes`
			`#PrintLastLog yes`
			`#TCPKeepAlive yes`
			`#PermitUserEnvironment no`
			`#Compression delayed`
			`#ClientAliveInterval 0`
			`#ClientAliveCountMax 3`
			`#PidFile /var/run/sshd.pid`
			`#PermitTunnel no`
			`#ChrootDirectory none`

			`MaxStartups 10:30:100`
			`X11Forwarding no`
			`UseDNS no`
			`PrintMotd no`
			`VersionAddendum none`

			`# no default banner path`
			`Banner none`
			`DebianBanner no`

			`# Allow client to pass locale environment variables`
			`AcceptEnv LANG LC_*`

			`# override default of no subsystems`
			`Subsystem sftp /usr/lib/openssh/sftp-server`