@cseelye
Last active May 20, 2020 06:24
Secure SSHD config
#
# To use this on your own server, change the port and username to what you wish to use and deploy the public key for that user onto your SSH server.
# Make sure to leave at least one SSH session open while you test this!
#
# Run on a custom port
Port 54321
# Restrict user access to the minimum
PermitRootLogin no
# Replace "username" with the account that holds the deployed public key
AllowUsers username
# Disable less secure protocols
# Protocol, IgnoreRhosts and RhostsRSAAuthentication only matter for SSH-1 / legacy builds; OpenSSH 7.4+ supports SSH-2 only and warns that RhostsRSAAuthentication is deprecated
Protocol 2
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# OpenSSH 7.6 removed hmac-ripemd160; on that version or newer drop both ripemd160 entries, otherwise sshd rejects this line ("Bad SSH2 mac spec") and will not start. Check with `sshd -t` before restarting.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
# Kick out idle clients
# Note: these are transport-level liveness probes that the ssh client answers automatically, so they drop dead connections, not sessions whose user is merely idle.
ClientAliveInterval 300
# OpenSSH 8.2 changed the meaning of ClientAliveCountMax 0 to "never disconnect"; on 8.2+ use 1 or more to keep the intended behaviour
ClientAliveCountMax 0
LoginGraceTime 10
# Every public key the client offers counts as one attempt, so a client whose agent presents a non-authorized key first is disconnected
MaxAuthTries 1
MaxStartups 3
TCPKeepAlive yes
# Restrict user settings
PermitUserEnvironment no
PermitUserRC no
# Only allow clients with pubkey
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
# Turn off unneeded features
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
AllowAgentForwarding no
# UseRoaming is a client (ssh_config) option, not a server one; it stays commented out here
#UseRoaming no
# Deprecated since OpenSSH 7.5, where privilege separation with sandboxing is always on; newer versions only warn about it
UsePrivilegeSeparation sandbox
StrictModes yes
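An added check for this profile (not part of the gist): it parses the effective configuration that `sshd -T` prints (run as root), compares it with the values the gist intends, and flags the two settings whose effect depends on the OpenSSH version or on the client's key setup. The `sshd -T` sample embedded below is constructed to show a host that only partly applied the profile.

```python
import subprocess
# Values the gist intends, keyed the way `sshd -T` prints them (lowercase).
EXPECTED = {
    "port": "54321", "permitrootlogin": "no", "passwordauthentication": "no",
    "pubkeyauthentication": "yes", "x11forwarding": "no",
    "allowtcpforwarding": "no", "allowagentforwarding": "no",
}

# Constructed sample of `sshd -T` output from a host that only partly applied the gist.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
x11forwarding yes
allowtcpforwarding no
allowagentforwarding no
clientaliveinterval 300
clientalivecountmax 0
maxauthtries 1
"""

def parse_sshd_t(text):
    """Turn `sshd -T` lines ("keyword value") into a {keyword: value} dict."""
    effective = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective[parts[0].lower()] = parts[1].strip()
    return effective

def check(effective):
    """Return findings as strings; an empty list means the profile is in effect."""
    findings = [f"{k}: expected {v!r}, effective {effective.get(k)!r}"
                for k, v in EXPECTED.items() if effective.get(k) != v]
    # OpenSSH 8.2+ treats ClientAliveCountMax 0 as "never disconnect", not "kick out".
    if effective.get("clientalivecountmax") == "0":
        findings.append("clientalivecountmax 0 disables disconnection on OpenSSH 8.2+")
    # Each public key the client offers counts as an attempt, so MaxAuthTries 1
    # rejects a client whose agent presents a non-authorized key first.
    if effective.get("maxauthtries") == "1":
        findings.append("maxauthtries 1 drops clients that offer more than one key")
    return findings

if __name__ == "__main__":
    try:
        text = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_SSHD_T  # sshd missing or not runnable as this user: use the sample
    print("\n".join(check(parse_sshd_t(text))) or "profile in effect")
```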