Office-Manager/gist:f751e8cd287edcb8b195c1cb96b61812

## gistfile1.txt
# Ansible managed

# This is the ssh client system-wide configuration file.
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.

# Basic configuration
# ===================

# Either disable or only allowssh root login via certificates.
PermitRootLogin no

# Define which port sshd should listen to. Default to `22`.
Port 22

# Address family should always be limited to the active network configuration.
AddressFamily inet

# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
ListenAddress 0.0.0.0

# List HostKeys here.
HostKey /etc/ssh/ssh_host_rsa_key          # Req 20
HostKey /etc/ssh/ssh_host_ecdsa_key          # Req 20
HostKey /etc/ssh/ssh_host_ed25519_key          # Req 20

# Security configuration
# ======================

# Set the protocol version to 2 for security reasons. Disables legacy support.
Protocol 2

# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
StrictModes yes

# Logging, obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel VERBOSE

# Cryptography
# ------------

# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
# CBC: is true if you want to connect with OpenSSL-base libraries
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
#
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
# Weak HMAC is sometimes required if older package versions are used
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
#

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

# Alternative setting, if OpenSSH version is below v5.9
#MACs hmac-ripemd160

# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
# Weak kex is sometimes required if older package versions are used
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

# Authentication
# --------------

# Secure Login directives.
UseLogin no
UsePrivilegeSeparation sandbox
PermitUserEnvironment no
LoginGraceTime 30s
MaxAuthTries 2
MaxSessions 10
MaxStartups 10:30:100

# Enable public key authentication
PubkeyAuthentication yes

# Never use host-based authentication. It can be exploited.
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no

# Enable PAM to enforce system wide rules
UsePAM yes

# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

# Only enable Kerberos authentication if it is configured.
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.

AllowUsers efthruser


# Network
# -------

# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
TCPKeepAlive no

# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
ClientAliveInterval 600
ClientAliveCountMax 3

# Disable tunneling
PermitTunnel no

# Disable forwarding tcp connections.
# no real advantage without denied shell access
AllowTcpForwarding no

# Disable agent formwarding, since local agent could be accessed through forwarded connection.
# no real advantage without denied shell access
AllowAgentForwarding no

# Do not allow remote port forwardings to bind to non-loopback addresses.
GatewayPorts no

# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
X11Forwarding no
X11UseLocalhost yes


# Misc. configuration
# ===================

PrintMotd no

PrintLastLog no

Banner none
	# Ansible managed

	# This is the ssh client system-wide configuration file.
	# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.

	# Basic configuration
	# ===================

	# Either disable or only allowssh root login via certificates.
	PermitRootLogin no

	# Define which port sshd should listen to. Default to `22`.
	Port 22

	# Address family should always be limited to the active network configuration.
	AddressFamily inet

	# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
	ListenAddress 0.0.0.0

	# List HostKeys here.
	HostKey /etc/ssh/ssh_host_rsa_key # Req 20
	HostKey /etc/ssh/ssh_host_ecdsa_key # Req 20
	HostKey /etc/ssh/ssh_host_ed25519_key # Req 20

	# Security configuration
	# ======================

	# Set the protocol version to 2 for security reasons. Disables legacy support.
	Protocol 2

	# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
	StrictModes yes

	# Logging, obsoletes QuietMode and FascistLogging
	SyslogFacility AUTH
	LogLevel VERBOSE

	# Cryptography
	# ------------

	# Ciphers -- If your clients don't support CTR (eg older versions), cbc will be added
	# CBC: is true if you want to connect with OpenSSL-base libraries
	# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
	# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
	#
	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

	# Hash algorithms -- Make sure not to use SHA1 for hashing, unless it is really necessary.
	# Weak HMAC is sometimes required if older package versions are used
	# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
	#

	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

	# Alternative setting, if OpenSSH version is below v5.9
	#MACs hmac-ripemd160

	# Key Exchange Algorithms -- Make sure not to use SHA1 for kex, unless it is really necessary
	# Weak kex is sometimes required if older package versions are used
	# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
	# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

	# Authentication
	# --------------

	# Secure Login directives.
	UseLogin no
	UsePrivilegeSeparation sandbox
	PermitUserEnvironment no
	LoginGraceTime 30s
	MaxAuthTries 2
	MaxSessions 10
	MaxStartups 10:30:100

	# Enable public key authentication
	PubkeyAuthentication yes

	# Never use host-based authentication. It can be exploited.
	IgnoreRhosts yes
	IgnoreUserKnownHosts yes
	HostbasedAuthentication no

	# Enable PAM to enforce system wide rules
	UsePAM yes

	# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
	PasswordAuthentication no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no

	# Only enable Kerberos authentication if it is configured.
	KerberosAuthentication no
	KerberosOrLocalPasswd no
	KerberosTicketCleanup yes
	#KerberosGetAFSToken no

	# Only enable GSSAPI authentication if it is configured.
	GSSAPIAuthentication no
	GSSAPICleanupCredentials yes

	# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.

	AllowUsers efthruser



	# Network
	# -------

	# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
	TCPKeepAlive no

	# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
	ClientAliveInterval 600
	ClientAliveCountMax 3

	# Disable tunneling
	PermitTunnel no

	# Disable forwarding tcp connections.
	# no real advantage without denied shell access
	AllowTcpForwarding no

	# Disable agent formwarding, since local agent could be accessed through forwarded connection.
	# no real advantage without denied shell access
	AllowAgentForwarding no

	# Do not allow remote port forwardings to bind to non-loopback addresses.
	GatewayPorts no

	# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
	X11Forwarding no
	X11UseLocalhost yes


	# Misc. configuration
	# ===================

	PrintMotd no

	PrintLastLog no

	Banner none