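### AniNIX/SSH | Basic configuration for listening daemon ###
#
# Two sshd_config(5) parsing rules shape the layout of this file:
#   * For most keywords the FIRST value encountered wins; a later line or a
#     later Include cannot override something already set above it.
#   * A Match block extends to the next Match line or end of file, and an
#     Include parsed inside a Match block inherits that conditional context.

# Drop-in snippets shipped by other packages. Listed first so they are parsed
# in the global (non-Match) context and, because the first value wins, may
# override the defaults below. A snippet that must not be able to weaken this
# policy should be scoped with its own Match block instead.
Include /etc/ssh/includes/*

# Daemon spec
Port 22
# IPv4 wildcard only; no IPv6 listener is configured. Add "ListenAddress ::"
# if the host should also accept IPv6 connections.
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
# Refuse logins when ~/.ssh or authorized_keys are group/world writable.
StrictModes yes
# Legacy: protocol 1 support was removed in OpenSSH 7.4; newer daemons accept
# and ignore this line.
Protocol 2
ChrootDirectory none
# AEAD and CTR modes only, no CBC. KexAlgorithms and MACs are left at the
# daemon defaults; consider pinning them too, e.g.
#   KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
#   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com

# DSA and ECDSA are untrusted for vulnerabilities and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Keepalive / network tuning
# Compression "yes" only takes effect after the user has authenticated.
Compression yes
# Probe the client every 5 s; after 3 unanswered probes (15 s) the session is
# torn down. Aggressive on lossy links; raise the values if sessions drop
# during short network blips.
ClientAliveInterval 5
ClientAliveCountMax 3

# Forwarding options: everything off by default, re-enabled per group below.
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
# Bind the X11 forwarding proxy to loopback only. "no" binds the wildcard
# address, so other hosts on the network could reach a forwarded display;
# this matters once X11Forwarding is enabled for the ssh-forward group.
X11UseLocalhost yes
GatewayPorts no

# Override default of no subsystems to allow SFTP
Subsystem	sftp	internal-sftp

# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
# Password logins stay enabled (via PAM). Set to "no" once every account in
# ssh-allow has a key in authorized_keys.
PasswordAuthentication yes
UsePAM yes
# Alias of KbdInteractiveAuthentication on OpenSSH >= 8.7; the old name is
# kept so the file also loads on older daemons.
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Only members of ssh-allow may log in. No DenyGroups line is needed: sshd
# patterns understand only "*" and "?", so a bracket expression such as
# "[^ssh-allow]" is matched literally and never negates anything.
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no

## Access Controls
# When several Match blocks apply to one user, the first block that sets a
# keyword wins, so the restrictive jail is listed before the permissive block.

# SFTP-only accounts: no shell, no tunnels, jailed under /home.
# The jail root is the shared /home, so jailed users can browse other users'
# home directories as far as filesystem permissions allow. For a per-user jail
# use "ChrootDirectory /home/%u" (the directory must then be root-owned and
# not writable by the user).
Match Group sftp-home-jail
    ForceCommand internal-sftp
    ChrootDirectory /home
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
    X11Forwarding no

# Trusted accounts that may open tunnels and forward agents/X11.
Match Group ssh-forward
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes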