Kapisi/roles/SSH/files/sshd_config


### AniNIX/SSH | Basic configuration for listening daemon ###
# Daemon spec
# Listen on the standard port on every IPv4 address; no IPv6 ListenAddress is given in this file.
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
# Have sshd check ownership and modes of the user's home directory and key files before accepting a login.
StrictModes yes
# NOTE(review): "Protocol" is a deprecated keyword; current OpenSSH releases speak only protocol 2.
# Confirm against the deployed sshd version before relying on or removing this line.
Protocol 2
# Global default: no chroot. The "Match Group ldapuser,sftp" block further down overrides this for those groups.
ChrootDirectory none
# Restrict the offered ciphers to three AEAD modes plus aes256-ctr; CBC and legacy ciphers are not listed.
# NOTE(review): MACs and KexAlgorithms are not pinned anywhere in this file, so aes256-ctr is paired with
# whatever MAC list the installed sshd defaults to. Confirm the effective lists with "sshd -T".
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
# DSA and ECDSA are untrusted for vulnerabilities and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
# Only the two host keys listed below are offered to clients.
# NOTE(review): the RSA key size is fixed when the key is generated, not here; confirm the deployed key length.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance
# With "yes", compression is enabled only after the user has authenticated.
Compression yes
# Probe the client every 5 seconds through the encrypted channel; after 3 unanswered probes
# (roughly 15 seconds) sshd drops the session.
# NOTE(review): this detects dead peers, not idle users; an idle client that still answers stays connected.
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options
# Global default: every kind of forwarding is off. The "Match Group wheel,ssh-allow" block further down
# turns TCP, tunnel, agent and X11 forwarding back on for those groups only.
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
# NOTE(review): "no" makes sshd bind the forwarded X11 display to the wildcard address instead of loopback.
# It has no effect while X11Forwarding is off, but the wheel/ssh-allow Match block enables X11Forwarding,
# and for those users the forwarded display then becomes reachable from other hosts (gated only by the
# X authority cookie). Prefer "X11UseLocalhost yes" unless a legacy X client is known to need "no".
X11UseLocalhost no
GatewayPorts no
# Override default of no subsystems to allow SFTP
# internal-sftp is the in-process SFTP server, so it needs no helper binaries inside a ChrootDirectory.
Subsystem sftp internal-sftp
# Authentication
# Public keys are read from .ssh/authorized_keys, resolved relative to each user's home directory.
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# NOTE(review): password logins are accepted on a daemon that listens on every IPv4 address (see ListenAddress),
# and MaxAuthTries / LoginGraceTime are left at their defaults. Confirm that rate limiting or lockout is
# enforced somewhere (PAM, firewall, log-based banning), or restrict passwords to the groups that need them.
PasswordAuthentication yes
UsePAM yes
# NOTE(review): ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication
# in newer OpenSSH releases; confirm against the deployed version.
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Root cannot log in directly, and accounts with empty passwords are refused.
PermitRootLogin no
PermitEmptyPasswords no
## By default, only ssh-allow or ldapusers are allowed to sftp
# AllowGroups is the login gate: a user must belong to at least one listed group to log in at all.
# NOTE(review): the list names "ssh", while the comment above and the second Match line name "ssh-allow".
# As written, members of wheel or ssh-allow who are not also in ssh, sftp or ldapuser are refused, and
# members of "ssh" alone get an unrestricted shell with the global no-forwarding defaults.
# Confirm which group name is intended.
AllowGroups ssh sftp ldapuser
# SFTP-only jail for members of ldapuser or sftp.
# NOTE(review): sshd requires the chroot path and all of its parents to be root-owned and not writable by
# group or others. With /home as the jail root, every jailed user can see the other home directories, so
# isolation between users rests on per-directory permissions; confirm they are restrictive.
Match Group ldapuser,sftp
ForceCommand internal-sftp
ChrootDirectory /home
## Special groups are allowed shell
# NOTE(review): sshd keeps the first value it obtains for each keyword, so a user who is in both a jailed
# group above and one of the groups below keeps ForceCommand internal-sftp and ChrootDirectory /home; the
# "none" values in this block do not apply to them. That fails closed. Check the effective result for a
# given account with "sshd -T -C user=NAME,host=HOST,addr=ADDR" before reordering.
Match Group wheel,ssh-allow
# Inside "Match Group wheel,ssh-allow": re-enable the forwarding types that are switched off globally.
# NOTE(review): agent and X11 forwarding let any process running as the user (or as root) on this host use
# the client's forwarded agent socket or display for the life of the session, and PermitTunnel allows
# layer-2/3 tunnels. Confirm that all four are actually required for these groups.
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
X11Forwarding yes
# Still inside "Match Group wheel,ssh-allow": no forced command and no chroot, i.e. a normal shell.
# These take effect only for users who did not already match the earlier ldapuser/sftp block, because
# sshd keeps the first value obtained for each keyword.
ForceCommand none
ChrootDirectory none
# Allow other packages to ship snippets
# NOTE(review): a Match block extends to the next Match line or the end of the file, so this Include sits
# inside "Match Group wheel,ssh-allow". The snippets are therefore evaluated only for those users, and any
# snippet keyword that is not permitted inside a Match block will be rejected. Because it comes last, a
# snippet also cannot override a value already set above. If the snippets are meant to apply to everyone,
# the Include belongs before the first Match line; confirm the intent.
# Anything that can write to /etc/ssh/includes/ controls sshd policy, so keep that directory root-owned
# and not writable by group or others.
Include /etc/ssh/includes/*