# sshd_config — hardened OpenSSH server configuration, based on the Mozilla guideline:
# https://infosec.mozilla.org/guidelines/openssh
# sshd keeps the FIRST value obtained for most keywords, so any directive set in the
# drop-in files included here overrides the corresponding setting below. Audit
# /etc/ssh/sshd_config.d/ together with this file when reviewing the effective config.
Include /etc/ssh/sshd_config.d/*.conf
# Listener settings left at the shipped defaults (port 22, any address family, all addresses).
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable X11 forwarding and tun(4) device forwarding. Note that TCP, Unix-socket and
# agent forwarding remain enabled further below.
X11Forwarding no
PermitTunnel no
# remote forwarded ports bind to the loopback interface only, so they are not reachable
# from other hosts
GatewayPorts no
# Possible values for this option are yes or all to allow all TCP forwarding, no to prevent all
# TCP forwarding, local to allow local forwardings, and remote to allow remote forwardings.
# Tighten to "no" or "local" on hosts whose users do not need to tunnel traffic.
AllowTcpForwarding yes
# same options as AllowTcpForwarding, applied to Unix-domain socket forwarding
AllowStreamLocalForwarding yes
# A forwarded agent is reachable by root on this host; keep enabled only where it is needed.
AllowAgentForwarding yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# Host key files, ed25519 first, RSA kept for compatibility. Which key types are actually
# offered to clients is controlled by HostKeyAlgorithms below.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# for SSH CA, host certificate
#HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
# for SSH CA, user CA public key
#TrustedUserCAKeys /etc/ssh/user_CA.pub
# moduli file holding the Diffie-Hellman groups used by the diffie-hellman-group-exchange-*
# key exchange methods listed in KexAlgorithms below (default /etc/moduli).
# Prune small groups from it as described in the guideline above.
ModuliFile /etc/ssh/moduli
# Disable root ssh access
PermitRootLogin no
# Disable password login (also enforced by AuthenticationMethods below)
PasswordAuthentication no
PermitEmptyPasswords no
# seconds an unauthenticated connection may stay open before it is dropped (default 120)
LoginGraceTime 30
# maximum multiplexed sessions per network connection (default 10)
MaxSessions 10
# authentication attempts per connection before the connection is closed (default 6)
MaxAuthTries 3
# start:rate:full — once "start" unauthenticated connections are pending, new ones are
# refused with probability "rate" percent, rising linearly until all are refused at "full"
MaxStartups 10:30:30
# set to yes for TOTP. ChallengeResponseAuthentication is a deprecated alias for
# KbdInteractiveAuthentication in current OpenSSH; enabling it only takes effect if
# keyboard-interactive is also added to AuthenticationMethods below
# (e.g. publickey,keyboard-interactive) and the PAM/TOTP backend is configured.
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
# Only public-key authentication is accepted, whatever the individual method switches above say.
AuthenticationMethods publickey
# LogLevel VERBOSE logs user's key fingerprint on login.
# Needed to have a clear audit trail of which key was used to log in.
LogLevel VERBOSE
# Restrict supported key exchange, cipher, and MAC algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Host key types offered to clients; the SHA-1 based ssh-rsa signature scheme is deliberately excluded.
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512
# not recommended, enable for compatibility
# ,ssh-rsa
# override default of no subsystems
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
# (-f AUTHPRIV selects the syslog facility, -l INFO the log level.)
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
# enable ssh-rsa on exception basis.
# Match blocks must stay at the end of the file: every directive after a Match line applies
# only to matching connections, until the next Match line or end of file.
# NOTE(review): Match Host compares the client's resolved hostname; to match a client IP
# or CIDR range the Address criterion is the usual choice — confirm which is intended.
#Match Host 10.10.10.10
# PubkeyAcceptedAlgorithms +ssh-rsa