@Tristor
Last active August 23, 2020 12:03
Hardened SSH Server Config 03/2016
# TCP port to bind to
# Change to a high/odd port if this server is exposed to the internet directly
Port 22
# Bind to all interfaces (change to specific interface if needed)
ListenAddress 0.0.0.0
# Force SSHv2 Protocol
Protocol 2
# HostKeys for protocol version 2
# Note: ssh-dss (DSA) host keys are disabled by default since OpenSSH 7.0, so the
# DSA key below only serves legacy clients; the RSA and ECDSA keys carry the load.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox
# Deny all other users besides the following
AllowUsers tristor
# Client timeout: drop the connection after 300 seconds without data from the client.
# Note: since OpenSSH 8.2 a ClientAliveCountMax of 0 disables the disconnect entirely;
# use 1 there for the same effect.
ClientAliveInterval 300
ClientAliveCountMax 0
# Compression (only after authentication)
Compression delayed
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication must happen within 30 seconds
LoginGraceTime 30
# Disable root SSH access
PermitRootLogin no
PermitEmptyPasswords no
# Check user folder permissions before allowing access
StrictModes yes
# Public key authentication + Password authentication
# Two-Factor Authentication in OpenSSH v6.2+: AuthenticationMethods requires BOTH
# methods to succeed, in the order listed (key first, then password), so a stolen
# password or a stolen key alone is not enough.
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
# Change this depending on where your authorized_keys file is
# This is set as a workaround when using encrypted home directories
# Link: https://joscor.com/2013/05/putty-server-refused-our-key/
#AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys
# These are the most secure of the available ciphers and MACs
# SHA-256 included for compat with PuTTY-WinCrypt clients
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Disable unused authentication schemes
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# This may need to be enabled for things like Google Authenticator/YubiOTP
UsePAM no
# X11 support
X11Forwarding no
# Don't show Message of the Day
PrintMotd no
# TCP keepalives travel outside the encrypted channel and can be spoofed; the
# ClientAlive settings above do the same job inside the session, so disable them
TCPKeepAlive no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
@hellresistor

Hey. Maybe you should add more tweaks ;)

PermitUserEnvironment no
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
UseDNS no
Compression no
AllowAgentForwarding no
MaxAuthTries 2
MaxSessions 2
MaxStartups 2
DebianBanner no
ChallengeResponseAuthentication no
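The gist above and the extra directives in the comment amount to a checklist, and the practical question on a real host is whether a given sshd_config actually meets it. The Python script below is an added example, not the gist author's or the commenter's code: it parses sshd_config the way sshd does (keywords are case-insensitive, the first value of a keyword wins, anything after a Match line is conditional) and reports settings that depart from the hardened values on this page. The defaults it assumes for absent keywords are those of OpenSSH 7.0 and later; the MaxAuthTries and LoginGraceTime thresholds, the weak-algorithm patterns and the two sample configs are this example's own constructions.

```python
import re
from typing import Dict, List

# Algorithms OpenSSH has dropped from its defaults: CBC/RC4/3DES ciphers,
# MD5, SHA-1 and truncated-tag MACs, SHA-1 key exchange.
WEAK_CIPHER = re.compile(r"cbc|arcfour|3des|blowfish", re.I)
WEAK_MAC = re.compile(r"md5|sha1|-96", re.I)
WEAK_KEX = re.compile(r"sha1(?:@|$)", re.I)

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    # Lowercased keyword -> values in file order. sshd honours the FIRST value
    # of a keyword; multi-valued ones such as HostKey keep them all.
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":          # the global section ends at the first Match block
            break
        directives.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return directives

def _first(d: Dict[str, List[str]], key: str, default: str) -> str:
    return d.get(key.lower(), [default])[0].lower()

def _int(value: str, default: int) -> int:   # plain seconds only; "2m" falls back
    return int(value) if value.isdigit() else default

def audit_sshd_config(text: str) -> List[str]:
    """Findings for the global section; an empty list means it matches the
    checklist. The defaults passed to want() are sshd's own (7.0+)."""
    d = parse_sshd_config(text)
    findings: List[str] = []
    def want(key: str, expected: str, default: str, why: str) -> None:
        actual = _first(d, key, default)
        if actual != expected:
            findings.append(f"{key}: is '{actual}', want '{expected}' ({why})")
    if "1" in _first(d, "Protocol", "2").split(","):
        findings.append("Protocol: SSHv1 enabled; only protocol 2 is acceptable")
    want("PermitRootLogin", "no", "prohibit-password", "no direct root logins")
    want("PermitEmptyPasswords", "no", "no", "never accept empty passwords")
    want("X11Forwarding", "no", "no", "not needed on a server")
    want("IgnoreRhosts", "yes", "yes", "do not trust ~/.rhosts")
    want("HostbasedAuthentication", "no", "no", "host-based trust is unused")
    want("UseDNS", "no", "no", "reverse lookups add delay, not security")
    for key, default in (("AllowTcpForwarding", "yes"), ("AllowAgentForwarding", "yes"),
                         ("PermitTunnel", "no"), ("GatewayPorts", "no")):
        want(key, "no", default, "forwarding turns the host into a relay")
    # Passwords are acceptable only as a second factor on top of a key, i.e.
    # every AuthenticationMethods list must contain publickey.
    if _first(d, "PasswordAuthentication", "yes") == "yes":
        lists = [m.split(",") for m in _first(d, "AuthenticationMethods", "").split()]
        if not lists or any("publickey" not in m for m in lists):
            findings.append("PasswordAuthentication: password-only login is possible; "
                            "set AuthenticationMethods publickey,password or disable it")
    if not (d.get("allowusers") or d.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups: no login allow-list")
    # Thresholds are this example's choice; the page itself uses 2 and 30.
    if _int(_first(d, "MaxAuthTries", "6"), 6) > 3:
        findings.append("MaxAuthTries: more than 3 attempts per connection")
    if _int(_first(d, "LoginGraceTime", "120"), 120) > 60:
        findings.append("LoginGraceTime: longer than 60 seconds")
    for hk in d.get("hostkey", []):
        if "dsa" in hk.lower():
            findings.append(f"HostKey {hk}: ssh-dss is disabled by default since OpenSSH 7.0")
    for key, weak in (("Ciphers", WEAK_CIPHER), ("MACs", WEAK_MAC), ("KexAlgorithms", WEAK_KEX)):
        for alg in _first(d, key, "").split(","):
            if alg and weak.search(alg):
                findings.append(f"{key}: weak algorithm '{alg}'")
    return findings

# Constructed samples: a stock-looking config with weak settings (its second
# PermitRootLogin is ignored because sshd keeps the first) and a hardened one.
WEAK_SAMPLE = """\
Protocol 2,1
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding yes
Ciphers aes256-ctr,aes256-cbc
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
"""
HARDENED_SAMPLE = """\
AllowUsers tristor
PermitRootLogin no
AuthenticationMethods publickey,password
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
AllowTcpForwarding no
AllowAgentForwarding no
MaxAuthTries 2
LoginGraceTime 30
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"== {name} ==", *(audit_sshd_config(cfg) or ["no findings"]), sep="\n - ")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the first-value-wins rule is why a "PermitRootLogin no" appended at the bottom of a file that already says "yes" changes nothing, which is the most common reason a hardened-looking file still accepts root logins. Always confirm a modified file with `sshd -t` before reloading the service.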