Secure ed25519 configuration for OpenSSH Win32
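# Secure ed25519 configuration for OpenSSH Win32
# OpenSSH server can be installed on Windows 10 1809+ or Server 2019+ systems by opening Settings > Apps > Apps and Features > Manage Optional Features and adding "OpenSSH Server"
# Config file is located at C:\ProgramData\ssh\sshd_config
# You should copy your public key to this host before disabling PasswordAuthentication
# You can view all configuration options for sshd_config at https://man.openbsd.org/sshd_config
# You can view Win32-specific configuration options for this file at https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config
# Don't use this configuration blindly
# You should carefully look up all options from the documentation if this is the only gate to your system
# After editing, check the syntax with "sshd.exe -t" and restart the sshd service;
# keep an existing session open until a fresh login with the new settings succeeds.

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# Keywords are case-insensitive; arguments are case-sensitive.

# A random upper-range TCP port (30-50k) cuts down log noise from mass scanners.
# It is not an access control: firewall rules and key-only auth below do that.
Port 43210
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Only use ed25519 host key
#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
# KexAlgorithms, Ciphers and MACs are intentionally left at the OpenSSH defaults here;
# only the host key and user key algorithms are pinned to ed25519 (see the end of this file).
#RekeyLimit default none

# Logging
# With default configuration logs are logged to event log
# Use LOCAL0 to log into file instead (%programdata%\ssh\logs)
# LogLevel VERBOSE additionally records the fingerprint of the key used for each login,
# which is what you want when reviewing who connected.
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

# Use a lower grace than the default (2m): seconds an unauthenticated connection may stay open
LoginGraceTime 30
PermitRootLogin no
#StrictModes yes

# Limit the number of authentication tries and concurrent sessions
MaxAuthTries 3
MaxSessions 5

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Copy your public key(s) to this host before disabling password authentication
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
# ClientAliveInterval/ClientAliveCountMax are set at the end of this file
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

# The sshd_config shipped with Win32-OpenSSH enables this block; with it commented
# out, members of the administrators group are authenticated against their own
# .ssh/authorized_keys like every other user (AuthorizedKeysFile above).
#Match Group administrators
#	AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

# Not supported on Win32 :c
#Compression yes

# Only allow the following users to log in:
AllowUsers gizike27

# Disable authentication methods other than pubkey
# ChallengeResponseAuthentication is the pre-8.7 name of KbdInteractiveAuthentication;
# both keywords are accepted.
ChallengeResponseAuthentication no
#AuthenticationMethods any
AuthenticationMethods publickey

# Only offer and accept ed25519 based keys
# PubKeyAcceptedKeyTypes was renamed to PubkeyAcceptedAlgorithms in OpenSSH 8.5; the old
# keyword is still accepted. Pinning to plain ssh-ed25519 also rejects certificate and
# sk-* (FIDO) ed25519 variants, so users with those keys cannot log in.
HostKeyAlgorithms ssh-ed25519
PubKeyAcceptedKeyTypes ssh-ed25519

# Dead-peer detection: after 300s without traffic sshd sends a keepalive probe and
# disconnects if the client has not answered by the next interval (~10m total).
# Since OpenSSH 8.2 a ClientAliveCountMax of 0 DISABLES termination entirely instead
# of acting as an idle timeout, so the former "0 = kick after 5m" trick is gone.
# A live client answers the probe automatically, so this does not log out idle users.
ClientAliveInterval 300
ClientAliveCountMax 1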