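# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#
# NOTE: sshd uses the FIRST value obtained for each keyword. Anything that
# precedes a keyword (an Include'd file, an earlier Match block) wins over a
# later setting, so keep that ordering in mind when enabling Include below.
# NOTE: comments are kept on their own lines. Depending on the OpenSSH
# version, trailing "# ..." text after a value may be parsed as extra
# arguments and stop sshd from starting.
# --------------------------------
# -=-=-=={ Server Setup }==-=-=-
# --------------------------------
# Protocol 1 has been removed from OpenSSH; this keyword is accepted for
# compatibility only and has no effect on current releases.
Protocol 2
# Uncomment if you have modular configuration files. Because the first value
# wins, an Include placed here lets the included files override everything
# below it (e.g. a drop-in that re-enables PasswordAuthentication). Review
# the drop-in directory whenever this is enabled.
# Include /etc/ssh/sshd_config.d/*.conf
# Change the default port (22) to 479. Clients must connect with -p 479 (or a
# Port entry in ssh_config). A non-default port only reduces scanner noise;
# it is not a substitute for the authentication hardening below.
Port 479
# Use only IPv4; to accept both change it to `any`
AddressFamily inet
# Listen on one IP & address family, syntax:
# - [hostname|address]:port [rdomain domain]
# 0.0.0.0 binds every IPv4 interface; narrow it to one address where possible.
ListenAddress 0.0.0.0
# ListenAddress 192.0.2.10
# Path to the file containing a host private key
# (one HostKey line per key type; only an ed25519 host key is served here,
# so clients that cannot verify ed25519 host keys will not connect)
HostKey /etc/ssh/ssh_host_ed25519_key
# Host key signature algorithms the server offers to clients
# run `ssh -Q HostKeyAlgorithms` to see all options
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
# Available KEX (Key Exchange) algorithms
KexAlgorithms curve25519-sha256
# Allowed ciphers. Both are AEAD ciphers, so the MACs line below is only
# consulted if a non-AEAD cipher is ever added here.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Available MAC algorithms
MACs hmac-sha2-512-etm@openssh.com
# Key types accepted for host-based auth (ECDSA and ed25519 only).
# HostbasedAuthentication is disabled below, so this line has no effect
# unless that is re-enabled. HostbasedAcceptedKeyTypes is the legacy
# spelling of HostbasedAcceptedAlgorithms in newer OpenSSH.
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
#PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519
#CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# Ciphers and keying
# Max amount of data sent/received before the session key is renegotiated
# - first arg in bytes : 100K, 500M, 5G
# - 2nd is optional & in secs
# NOTE: rotating session keys after a few GB or based on
# time is a reasonably effective mitigation strategy
# Default: cipher-dependent data limit, no time-based rekeying
#RekeyLimit default none
# Logging - QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1/2/3
# VERBOSE records the key fingerprint offered in each login attempt, which
# is what makes failed-login events attributable in the audit trail
LogLevel VERBOSE
# default
#LogLevel Info
# violates the privacy of users & not recommended outside troubleshooting
#LogLevel Debug
# Facility code used when logging - DAEMON, USER, AUTH, LOCAL0-7
# AUTH: authentication and authorization related messages
SyslogFacility AUTH
# --------------------------------
# -=-=-=={ Authentication }==-=-=-
# --------------------------------
# Auth must complete within 30 secs or the connection is dropped
LoginGraceTime 30
# Max auth attempts per connection. Every public key the client offers
# counts as one attempt, so a client holding more than 2 keys in its agent
# must pin the right key (IdentitiesOnly / IdentityFile) or it is rejected
# with "Too many authentication failures".
MaxAuthTries 2
# Max concurrent UNAUTHENTICATED connections (not sessions; see MaxSessions).
# A fixed value this low means two stalled pre-auth connections block all new
# logins for up to LoginGraceTime; the start:rate:full form (default
# 10:30:100) degrades gracefully instead.
MaxStartups 2
# Disable root login
PermitRootLogin no
# Don't allow empty passwords (moot with password auth disabled; kept as
# defence in depth)
PermitEmptyPasswords no
# Only allow public key auth
AuthenticationMethods publickey
# Enable public key auth
PubkeyAuthentication yes
# Disable password auth
PasswordAuthentication no
# Disable host-based auth
HostbasedAuthentication no
# Legacy alias of KbdInteractiveAuthentication; kept for older sshd
ChallengeResponseAuthentication no
# Disable keyboard-interactive auth (the newer name for the line above)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# -----------------------
# -=-=-=={ Other }==-=-=-
# -----------------------
# Disable X11 forwarding
X11Forwarding no
# TCP-level keepalive. It is unauthenticated and spoofable, so rely on the
# ClientAlive* settings below for the actual liveness check.
TCPKeepAlive yes
# Check file modes & ownership of user's ~ and authorized_keys before login
StrictModes yes
# Skip reverse DNS lookups; only addresses (not hostnames) can then be used
# in authorized_keys from= patterns
UseDNS no
# Allow client to pass locale env vars
AcceptEnv LANG LC_*
# Don't read user's ~/.rhosts & ~/.shosts
IgnoreRhosts yes
# Max sessions (shell, exec, subsystem) multiplexed over one connection
MaxSessions 2
# PAM disabled: PAM account checks (expiry, lockout) and session modules do
# not run for logins. Confirm this matches the distribution's expectations
# before deploying, as several distributions assume UsePAM yes.
UsePAM no
# Send keepalive msg to client after 100 secs with no traffic
ClientAliveInterval 100
# Disconnect client after 2 unanswered client alive msgs (~200 secs idle)
ClientAliveCountMax 2
# Enable SFTP subsystem over SSH
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Example of overriding settings on a per-user basis.
# Match blocks must stay at the end of the file: every line after a Match
# belongs to it until the next Match.
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server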