An sshd_config file aimed at public-key-only access, with an (attempted) emphasis on security
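# This is the sshd server system-wide configuration file.
# Written by Andrew Pinkham, 2012
# Built off man pages in FreeNAS 8.2.0 Jail
# OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
# Use at your own risk (particularly if running a different version)
# http://www.freebsd.org/cgi/man.cgi?query=sshd_config&sektion=5
#
# NOTE: sshd_config has no trailing-comment syntax - only whole lines
# beginning with '#' are comments. Text after a value is parsed as extra
# arguments and sshd refuses the line ("garbage at end of line"), so every
# comment in this file sits on its own line. Check edits with
# `sshd -t -f <path-to-this-file>` before restarting the daemon.

# Secure SSHD
# disable protocol 1 (insecure)
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
# RekeyLimit is not an sshd_config keyword before OpenSSH 6.2; enable it on
# a newer version to bound how much data a single session key protects
#RekeyLimit 128M

# Encryption Standards
# force usage of non-compromised hashes
# (SHA-1 / RIPEMD-160 HMACs are the strongest this version offers; on
# OpenSSH 5.9 or later prefer hmac-sha2-512,hmac-sha2-256)
Ciphers aes256-ctr
MACs hmac-sha1,hmac-ripemd160
# KexAlgorithms requires OpenSSH 5.7 or later; uncomment on such a version
#KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp384,ecdh-sha2-nistp256

# Disabled Authentication
PasswordAuthentication no
PermitEmptyPasswords no
# with PAM off, no PAM stack can reintroduce password or
# keyboard-interactive logins; public keys stay the only path in
UsePAM no
UseLogin no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication no
# protocol-1-only keyword; redundant with Protocol 2, kept for explicitness
RhostsRSAAuthentication no
HostbasedAuthentication no
# never consult ~/.ssh/known_hosts for host-based trust (moot while
# HostbasedAuthentication is off, but consistent with this section)
IgnoreUserKnownHosts yes

# Enabled Authentication
PubkeyAuthentication yes
# only an RSA host key: ECDSA host keys need OpenSSH 5.7 or later
HostKey /etc/ssh/ssh_host_rsa_key
AuthorizedKeysFile .ssh/authorized_keys

# Logging
# VERBOSE records the fingerprint of the key that authenticated each
# login, which is what an audit or incident review needs
LogLevel VERBOSE

# Obfuscate Daemon
# REPLACE THE FOLLOWING
# a port given in ListenAddress overrides Port for that address, so keep
# the two in step; a non-default port hides nothing from a port scan, it
# only trims log noise
Port 1234
ListenAddress 192.168.0.123:1234

# Login Settings
LoginGraceTime 30
StrictModes yes
# we use pki - no errors should occur
# (each public key the client offers counts as one try, so an agent
# holding many keys can exhaust this before reaching the right one)
MaxAuthTries 5
# only two computers will ever be running this service
MaxSessions 2
MaxStartups 2
# check connection after 300s/5minutes
ClientAliveInterval 300
ClientAliveCountMax 1

# Identity Management
# space-separated list of login names (user@host patterns are accepted);
# replace the placeholder - the parentheses are not syntax
AllowUsers YOURUSER(S)

# General Options
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
TCPKeepAlive yes
Compression delayed
# reverse-resolves client addresses; slows logins and only matters when
# AllowUsers or authorized_keys 'from=' patterns are written as hostnames
UseDNS yes
PidFile /var/run/sshd.pid
PermitTunnel no

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server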