@gnzsnz
Last active October 1, 2022 16:57
SSHD config

SSHD template configuration

Basic SSHD configuration template

# https://infosec.mozilla.org/guidelines/openssh

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable X11 forwarding and tunnel devices; TCP, Unix-socket and agent forwarding stay enabled below:
X11Forwarding no
PermitTunnel no
# remote forwarded ports only available internally
GatewayPorts no
# Possible values for this option are yes or all to allow all TCP forwarding, no to prevent all
# TCP forwarding, local to allow local forwardings, and remote to allow remote forwardings.
AllowTcpForwarding yes
# same options as AllowTcpForwarding
AllowStreamLocalForwarding yes
AllowAgentForwarding yes

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# for SSH CA, host certificate
#HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
# for SSH CA, user CA public key
#TrustedUserCAKeys /etc/ssh/user_CA.pub

# moduli(5) file holding the Diffie-Hellman groups used by the
# diffie-hellman-group-exchange-* key exchange methods listed under KexAlgorithms below
ModuliFile /etc/ssh/moduli

# Disable root ssh access
PermitRootLogin no

# Disable password login
PasswordAuthentication no
PermitEmptyPasswords no
LoginGraceTime 30
MaxSessions 10
MaxAuthTries 3
# start:rate:full
MaxStartups 10:30:30
# set to yes for TOTP (keyboard-interactive via PAM); AuthenticationMethods below must then
# also list keyboard-interactive. Newer OpenSSH spells this KbdInteractiveAuthentication.
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

# LogLevel VERBOSE logs the user's key fingerprint on login.
# Needed to have a clear audit trail of which key was used to log in.
LogLevel VERBOSE

# Restrict supported key exchange, cipher, and MAC algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512
# not recommended, enable only for compatibility with legacy clients
# ,ssh-rsa

# override default of no subsystems
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO

# enable ssh-rsa on an exception basis. Match Address takes a client IP or CIDR;
# Match Host compares the client's resolved hostname, so an IP literal would not match there.
#Match Address 10.10.10.10
#  PubkeyAcceptedAlgorithms +ssh-rsa
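Added example, not part of the gist: a small Python audit that parses an sshd_config in the format used above (case-insensitive keywords, whole-line comments, conditional Match blocks) and reports drift from the template's hardening choices, including a legacy algorithm re-enabled through a Match exception. The EXPECTED and WEAK_ALGOS tables, the parser and the sample config are this example's own assumptions, not anything sshd or the gist defines.

```python
import re
# Global directives the template pins; sshd keywords are case-insensitive, hence lowercase.
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no", "loglevel": "verbose"}
# Legacy algorithms the template deliberately leaves out of its lists.
WEAK_ALGOS = {"ssh-rsa", "ssh-dss", "hmac-sha1", "diffie-hellman-group1-sha1", "aes128-cbc", "3des-cbc"}
ALGO_KEYS = ("kexalgorithms", "ciphers", "macs", "hostkeyalgorithms", "pubkeyacceptedalgorithms")

def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]); first occurrence of a keyword wins, as in sshd."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):  # whole-line comments and blanks
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # directives up to the next Match apply only when its criteria match
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(key, value)
    return global_settings, match_blocks

def audit(text):
    """List pinned globals that differ plus weak algorithms allowed anywhere, Match blocks included."""
    findings = []
    global_settings, match_blocks = parse_sshd_config(text)
    for key, want in EXPECTED.items():
        got = global_settings.get(key)
        if got is None:
            findings.append(f"{key}: not set (template sets '{want}')")
        elif got.lower() != want:
            findings.append(f"{key}: '{got}' (template sets '{want}')")
    scopes = [("global", global_settings)] + [(f"Match {c}", s) for c, s in match_blocks]
    for scope, settings in scopes:
        for key in ALGO_KEYS:
            # strip the +/-/^ list-modifier prefix sshd allows on the first entry
            allowed = {a.lstrip("+-^") for a in settings.get(key, "").split(",") if a}
            for algo in sorted(WEAK_ALGOS & allowed):
                findings.append(f"{scope}: {key} allows weak algorithm {algo}")
    return findings

# Constructed sample (not the template): root login, log level and ssh-rsa drift; PasswordAuthentication is absent.
SAMPLE_CONFIG = """\
PermitRootLogin prohibit-password
LogLevel INFO
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
Match Address 10.10.10.10
  PubkeyAcceptedAlgorithms +ssh-rsa
"""
```

This is a static pre-check on the file text; `sshd -T` prints sshd's own view of the effective configuration with Include and Match resolved and remains the authoritative check.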
