
Cleaning up SSHD Config with notes

DarkFeather 5 years ago
parent
commit
bc0dd873c4

70
SSH/sshd_config

@ -1,28 +1,62 @@
### AniNIX::SSH \\ Basic configuration for listening daemon ###
# Daemon spec #
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
RSAAuthentication yes
ChallengeResponseAuthentication no
DenyGroups [^ssh-allow]
AllowGroups ssh-allow
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
Protocol 2
ChrootDirectory none
# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance #
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options #
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
PrintMotd yes
PrintLastLog yes
PermitTunnel no
GatewayPorts no
# Override default of no subsystems to allow SFTP #
Subsystem sftp /usr/lib/ssh/sftp-server
# Authentication #
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
DenyGroups [^ssh-allow]
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no
## Access Controls ###
Match Group wheel
X11Forwarding yes
AllowTcpForwarding yes
PermitTunnel yes
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
X11Forwarding yes
Match Group sftp-home-jail
ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
ChrootDirectory /home # Lock the user in their home directory
ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
ChrootDirectory /home # Lock the user in their home directory
Match Group passwdchange
ForceCommand /usr/bin/passwd
ForceCommand /bin/bash -c '/usr/bin/passwd; read'
Match User crypto
ForceCommand /usr/local/bin/captivecrypto
ForceCommand /usr/local/bin/captivecrypto
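Review bot: `DenyGroups [^ssh-allow]` (it appears twice in this hunk, next to `AllowGroups ssh-allow`) does not express the negation it suggests: sshd pattern lists only support `*`, `?` and a leading `!`, so this entry matches a group literally named `[^ssh-allow]` and is a no-op; `AllowGroups ssh-allow` is what actually restricts access, and the DenyGroups line should be dropped so nobody reads it as a second layer of control. `X11UseLocalhost no` binds the forwarded X11 display to the wildcard address instead of loopback, which seems unintended when X11Forwarding is only switched on inside the `Match Group wheel` block; `X11UseLocalhost yes` is the usual setting. The comment on `ChrootDirectory /home` in the sftp-home-jail block overstates the jail: members land in /home rather than their own home and can list sibling directories subject to filesystem permissions, so I would reword it to `ChrootDirectory /home # Jail root is /home, not the user's home; sibling directories stay visible subject to permissions`. The +/- markers are lost on this rendered page, so I cannot tell which of these lines are old and which are new; the remarks apply to whichever survive on the new side.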