Created
August 8, 2023 15:28
-
-
Save lifehome/537040e2ce488d0c790478cfbb1b6291 to your computer and use it in GitHub Desktop.
20230808 sshd_config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### ### | |
| # ----------------------------- # | |
| # Service-wide configs # | |
| # ----------------------------- # | |
| ### ### | |
| # Listening port for the SSH server | |
| Port 311 | |
| # Listening addresses | |
| #AddressFamily any | |
| #ListenAddress 0.0.0.0 | |
| #ListenAddress :: | |
| # Host keys | |
| HostKey /etc/ssh/ssh_host_ed25519_key | |
| # Allowed Key Exchange algorithms | |
| # - obtained on 21st July 2023 from Mozilla OpenSSH Guide | |
| KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 | |
| # Allowed Ciphers | |
| # - obtained on 21st July 2023 from Mozilla OpenSSH Guide | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| # Allowed message authentication code algorithms | |
| # - obtained on 21st July 2023 from Mozilla OpenSSH Guide | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
| # LogLevel | |
| # - obtained on 21st July 2023 from Mozilla OpenSSH Guide | |
| # - VERBOSE logs user's key fingerprint on login. | |
| # Needed to have a clear audit track of which key was using to log in. | |
| LogLevel VERBOSE | |
| ### ### | |
| # ----------------------------- # | |
| # Authentication configs # | |
| # ----------------------------- # | |
| ### ### | |
| # Graceful timeout for each session auth | |
| LoginGraceTime 30s | |
| # Session key renegotiation | |
| RekeyLimit 128K 60s | |
| ## | |
| # Password based logins are disabled | |
| # - only public key based logins are allowed. | |
| ## | |
| AuthenticationMethods publickey | |
| # Temporary rule to allow root to login using SSH keys | |
| PermitRootLogin prohibit-password | |
| # Configure location for the 'authorized_keys' file | |
| AuthorizedKeysFile .ssh/authorized_keys | |
| # Allow SSH service to authenticate user with PAM modules | |
| UsePAM yes | |
| # Print MOTD | |
| PrintMotd no | |
| ### ### | |
| # ----------------------------- # | |
| # Service subsystems # | |
| # ----------------------------- # | |
| ### ### | |
| # SFTP service | |
| Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment