@jambonrose
Created October 27, 2012 02:58
An SSHD config file aimed at public key only access with (attempted) emphasis on security
# This is the sshd server system-wide configuration file.
# Written by Andrew Pinkham, 2012
# Built off man pages in FreeNAS 8.2.0 Jail
# OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8q 2 Dec 2010
# Use at your own risk (particularly if running a different version)
# http://www.freebsd.org/cgi/man.cgi?query=sshd_config&sektion=5
# Secure SSHD
# Note: sshd only treats '#' at the start of a line as a comment; a comment
# after a value makes sshd refuse to start ("garbage at end of line").
# Check the file with: sshd -t -f /path/to/sshd_config
# disable protocol 1 (insecure)
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
#RekeyLimit 128M
# Encryption Standards
# restrict to a single cipher and the strongest MACs this OpenSSH version offers
# (HMAC-SHA1 is not affected by SHA-1 collision attacks; hmac-sha2-* needs 5.9+)
Ciphers aes256-ctr
MACs hmac-sha1,hmac-ripemd160
# KexAlgorithms and ECDH key exchange require OpenSSH 5.7+, not available in 5.4
#KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp384,ecdh-sha2-nistp256
# Disabled Authentication
PasswordAuthentication no
PermitEmptyPasswords no
# PAM is not consulted: with UsePAM yes, PAM keyboard-interactive could still
# accept passwords; note this also skips PAM account and session checks
UsePAM no
UseLogin no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
# only consulted for host-based auth, which is disabled above
IgnoreUserKnownHosts no
# Enabled Authentication
PubkeyAuthentication yes
HostKey /etc/ssh/ssh_host_rsa_key
AuthorizedKeysFile .ssh/authorized_keys
# Non-default port and address
# (cuts scanner noise in the logs; not a security control in itself)
# REPLACE THE FOLLOWING
Port 1234
# a port given in ListenAddress takes precedence over Port for that address
ListenAddress 192.168.0.123:1234
# Login Settings
LoginGraceTime 30
StrictModes yes
# each public key the client offers counts as one attempt, so keep this
# above the number of keys your agent holds
MaxAuthTries 5
# MaxSessions caps sessions (shell/exec/subsystem channels) per connection;
# MaxStartups caps concurrent unauthenticated connections
MaxSessions 2
MaxStartups 2
# probe an idle client after 300s (5 minutes); drop it after one unanswered probe
ClientAliveInterval 300
ClientAliveCountMax 1
# Identity Management
# space-separated list of login names
AllowUsers YOURUSER(S)
#General Options
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
TCPKeepAlive yes
Compression delayed
# reverse-resolve client addresses; slows logins and only matters when
# AllowUsers or authorized_keys from= patterns use hostnames
UseDNS yes
PidFile /var/run/sshd.pid
PermitTunnel no
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
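A small linter for checking an sshd_config against the intent of this gist, added here as an example; it is not part of the gist. It encodes the parsing rules that matter for this file (only a leading `#` is a comment, keywords are case-insensitive, the first value of a repeated keyword wins) and flags the settings the gist depends on. The `BROKEN` and `FIXED` configs are constructed inline, and the `REQUIRED` table reflects this gist's choices, not a general standard. On the real host, `sshd -t -f <file>` remains the authoritative check.

```python
"""Lint an sshd_config against the hardening intent of the gist above.

Added example, not part of the gist. Parsing rules encoded here:
  - a line is a comment only if '#' is its first non-blank character;
    "Protocol 2 # note" makes sshd abort with "garbage at end of line"
  - keywords are case-insensitive, separated from values by blanks or '='
  - when a keyword appears more than once, the FIRST value is used
The BROKEN and FIXED configs below are constructed for this example.
"""
import re

# Settings this gist depends on, keyword -> expected value (lower-case).
REQUIRED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "strictmodes": "yes",
}

_KV = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text):
    """Return (directives, problems): keyword -> values in file order
    (index 0 is what sshd uses) and (lineno, message) for lines sshd
    would reject. Parsing stops at a 'Match' block (conditional lines).
    """
    directives, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            problems.append((lineno, "keyword without a value: %r" % line))
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            problems.append((lineno, "Match block not audited"))
            break
        if "#" in value:
            problems.append((lineno, "trailing comment; sshd fails with "
                                     "'garbage at end of line'"))
            value = value.split("#", 1)[0].strip()
        directives.setdefault(key, []).append(value)
    return directives, problems


def audit(text):
    """Return sorted (lineno, message) findings; lineno 0 = file-wide."""
    directives, findings = parse_sshd_config(text)
    for key, want in REQUIRED.items():
        values = directives.get(key)
        if values is None:
            findings.append((0, "%s not set; sshd default applies" % key))
        elif values[0].lower() != want:
            findings.append((0, "%s is %r, gist expects %r"
                             % (key, values[0], want)))
    # Every public key a client offers counts as an authentication
    # attempt, so a tiny MaxAuthTries locks out agents holding several
    # keys before the right one is tried (sshd default is 6).
    tries = directives.get("maxauthtries", ["6"])[0]
    if tries.isdigit() and int(tries) < 3:
        findings.append((0, "MaxAuthTries %s is below the number of keys "
                            "an agent commonly offers" % tries))
    return sorted(findings)


# Constructed: the gist's style of trailing comment, password auth
# left enabled by an earlier line, and an over-tight MaxAuthTries.
BROKEN = """\
Protocol 2 # disable protocol 1
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
StrictModes yes
MaxAuthTries 1
"""

# Constructed: the same intent written the way sshd actually parses it.
FIXED = """\
# disable protocol 1
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
StrictModes yes
MaxAuthTries 5
"""

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(cfg) or "clean")
```

Running it prints five findings for `BROKEN` (the trailing comment on line 1, `PasswordAuthentication` resolving to `yes` because the first value wins, two hardening keywords left at their sshd defaults, and the lockout-prone `MaxAuthTries 1`) and `clean` for `FIXED`. The linter deliberately stops at a `Match` block rather than guessing which conditional lines apply.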