Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Modern secure SSH daemon config
# Modern secure (OpenSSH Server 7+) SSHd config by HacKan
# Refer to the manual for more info:
# Server fingerprint
# Regenerate with: ssh-keygen -o -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 4096
HostKey /etc/ssh/ssh_host_rsa_key
# Regerate with: ssh-keygen -o -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
HostKey /etc/ssh/ssh_host_ed25519_key
# Log for audit, even users' key fingerprint
UsePrivilegeSeparation sandbox
# Ciphers and keying
RekeyLimit 1G 1H
# Limit sessions and its duration
MaxAuthTries 2
MaxSessions 5
ClientAliveInterval 30
ClientAliveCountMax 6
TCPKeepAlive no
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# You can request for several auth methods to grant access, one next to the other
#AuthenticationMethods publickey
# Enable AllowAgentForwarding if you need to jump through this host
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PrintMotd no
Compression no
# Only if you really need it:
#AcceptEnv LANG LC_*
# Enable sftp only if needed
# For Arch Linux and Debian 10+
# Subsystem sftp /usr/lib/ssh/sftp-server
# For Debian/Ubuntu
# Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Set authorized keys file
# Prefer using an admin-controlled environment
# AuthorizedKeysFile /etc/ssh/authorized_keys/%u
AuthorizedKeysFile .ssh/authorized_keys
# Restrict SSH usage
#AllowUsers <your username>
# Or restrict by group
AllowGroups ssh-user
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.