Kapisi/roles/SSH/files/sshd_config

### AniNIX/SSH | Basic configuration for listening daemon ###

# Daemon spec
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
Protocol 2
ChrootDirectory none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com

# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Network Performance
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3

# Forwarding options
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
GatewayPorts no

# Override default of no subsystems to allow SFTP
Subsystem	sftp	internal-sftp

# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
DenyGroups [^ssh-allow]
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no

## Access Controls
Match Group ssh-forward
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes

Match Group sftp-home-jail
    ForceCommand internal-sftp
    ChrootDirectory /home

# Allow other packages to ship snippets
Include /etc/ssh/includes/*
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`### AniNIX/SSH \| Basic configuration for listening daemon ###`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`# Daemon spec`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`Port 22`
			`ListenAddress 0.0.0.0`
			`PrintMotd yes`
			`PrintLastLog yes`
			`StrictModes yes`
			`Protocol 2`
			`ChrootDirectory none`
Updating some SSH config 2023-07-19 15:41:27 -05:00			`Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com`
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys`
			`# RSA and ED25519 are stable.`
			`HostKey /etc/ssh/ssh_host_rsa_key`
			`HostKey /etc/ssh/ssh_host_ed25519_key`

Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`# Network Performance`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`Compression yes`
			`ClientAliveInterval 5`
			`ClientAliveCountMax 3`

Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`# Forwarding options`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`AllowTcpForwarding no`
			`PermitTunnel no`
			`AllowAgentForwarding no`
			`X11Forwarding no`
			`X11DisplayOffset 10`
			`X11UseLocalhost no`
			`GatewayPorts no`

Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`# Override default of no subsystems to allow SFTP`
			`Subsystem sftp internal-sftp`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`# Authentication`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`PubkeyAuthentication yes`
			`AuthorizedKeysFile .ssh/authorized_keys`
			`PasswordAuthentication yes`
			`UsePAM yes`
			`ChallengeResponseAuthentication no`
			`HostbasedAuthentication no`
			`KerberosAuthentication no`
			`GSSAPIAuthentication no`
			`DenyGroups [^ssh-allow]`
			`AllowGroups ssh-allow`
			`PermitRootLogin no`
			`PermitEmptyPasswords no`

Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`## Access Controls`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`Match Group ssh-forward`
			`AllowTcpForwarding yes`
			`PermitTunnel yes`
			`AllowAgentForwarding yes`
			`X11Forwarding yes`
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`Match Group sftp-home-jail`
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`ForceCommand internal-sftp`
			`ChrootDirectory /home`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`# Allow other packages to ship snippets`
			`Include /etc/ssh/includes/*`