commit 7ba624a6001ed32f8d202a5881ac5f2561ff9b7f
Author: Yann Verry
Date: Fri Apr 30 22:58:42 2021 +0200

add sshd

diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
new file mode 100644
index 0000000..7cd6417
--- /dev/null
+++ b/etc/ssh/sshd_config
@@ -0,0 +1,116 @@
+# OpenSSH rugged config
+
+# listen on ssh port, security is not "choice another port"
+Port 22
+
+# ipv6 only
+AddressFamily inet6
+ListenAddress ::
+
+# ed25519 only
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# SSH CA
+TrustedUserCAKeys /etc/ssh/ca-vault.pem
+
+# Cipher and algorithms
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication
+LoginGraceTime 10s
+PermitRootLogin prohibit-password
+StrictModes yes
+MaxAuthTries 2
+MaxSessions 10
+
+# Allow publickey
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+HostbasedAuthentication no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#PidFile /var/run/sshd.pid
+#PermitTunnel no
+#ChrootDirectory none
+
+MaxStartups 10:30:100
+X11Forwarding no
+UseDNS no
+PrintMotd no
+VersionAddendum none
+
+# no default banner path
+Banner none
+DebianBanner no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
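Review bot: Password authentication remains enabled in the new sshd_config, because `PasswordAuthentication` appears only as the commented default (`#PasswordAuthentication yes`, in the "To disable tunneled clear text passwords" block) and OpenSSH defaults it to yes; combined with `UsePAM yes` this leaves password logins reachable even though the rest of the file relies on the CA in `TrustedUserCAKeys` and public keys. The file's own PAM comment says to set both PasswordAuthentication and ChallengeResponseAuthentication to 'no' when PAM should only run account and session checks, but only the latter is set. Replace the two commented lines with `PasswordAuthentication no` and `PermitEmptyPasswords no` so the key-and-certificate-only policy is explicit rather than dependent on the compiled-in default. A one-line comment above them stating that password logins are intentionally disabled would keep a later edit from quietly re-enabling them.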