Kapisi/roles/SSH/files/sshd_config

62 lines
1.4 KiB
Plaintext
Raw Permalink Normal View History

### AniNIX/SSH | Basic configuration for listening daemon ###
2020-10-08 16:33:19 -05:00
# Daemon spec
2020-10-08 16:33:19 -05:00
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
Protocol 2
ChrootDirectory none
2023-07-19 15:41:27 -05:00
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
2020-10-08 16:33:19 -05:00
# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance
2020-10-08 16:33:19 -05:00
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options
2020-10-08 16:33:19 -05:00
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
GatewayPorts no
# Override default of no subsystems to allow SFTP
Subsystem sftp internal-sftp
2020-10-08 16:33:19 -05:00
# Authentication
2020-10-08 16:33:19 -05:00
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
DenyGroups [^ssh-allow]
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no
## Access Controls
2020-10-08 16:33:19 -05:00
Match Group ssh-forward
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
X11Forwarding yes
2020-10-08 16:33:19 -05:00
Match Group sftp-home-jail
ForceCommand internal-sftp
ChrootDirectory /home
2020-10-08 16:33:19 -05:00
# Allow other packages to ship snippets
Include /etc/ssh/includes/*