### AniNIX/SSH | Basic configuration for listening daemon ###

# Daemon spec
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
Protocol 2
ChrootDirectory none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com

# DSA and ECDSA are untrusted for vulnerabilities and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Network Performance
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3

# Forwarding options
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
GatewayPorts no

# Override default of no subsystems to allow SFTP
Subsystem sftp internal-sftp

# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

## By default, only ssh-allow or ldapusers are allowed to sftp
AllowGroups ssh sftp ldapuser
Match Group ldapuser,sftp
    ForceCommand internal-sftp
    ChrootDirectory /home

## Special groups are allowed shell
# When a user matches both Match blocks, sshd keeps the first value set for each keyword.
Match Group wheel,ssh-allow
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes
    ForceCommand none
    ChrootDirectory none

# Allow other packages to ship snippets
# A Match block runs until the next Match line or end of file, so sshd reads
# this Include as part of the Match block above (conditional inclusion).
Include /etc/ssh/includes/*
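Added example (not part of the AniNIX configuration): a simplified Python model of how sshd combines the global section, `AllowGroups` and the two `Match Group` blocks above, to check what a given set of groups ends up with. It models only literal group names, `CONFIG` is a subset of the directives copied from this file, and the group lists passed in are hypothetical accounts.

```python
# Added example: simplified model of sshd's Match resolution (not sshd itself).
# CONFIG is a subset of the directives from the configuration on this page.
CONFIG = """\
AllowTcpForwarding no
PermitTunnel no
ChrootDirectory none
AllowGroups ssh sftp ldapuser
Match Group ldapuser,sftp
ForceCommand internal-sftp
ChrootDirectory /home
Match Group wheel,ssh-allow
AllowTcpForwarding yes
PermitTunnel yes
ForceCommand none
ChrootDirectory none
"""

def parse(text):
    """Return (global settings, ordered list of (group set, settings))."""
    global_opts, blocks, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            # Assumption: only "Match Group a,b" with literal names is modelled.
            current = {}
            blocks.append((set(value.split()[1].split(",")), current))
        else:
            # sshd keeps the first value it reads for a keyword.
            target = global_opts if current is None else current
            target.setdefault(key, value.strip())
    return global_opts, blocks

def effective(groups, text=CONFIG):
    """Settings applied to a user whose groups are `groups` (hypothetical)."""
    groups = set(groups)
    global_opts, blocks = parse(text)
    matched = {}
    for wanted, opts in blocks:
        if wanted & groups:
            for key, value in opts.items():
                matched.setdefault(key, value)  # earlier Match block wins
    result = {**global_opts, **matched}         # Match values override global
    allowed = set(global_opts.get("AllowGroups", "").split())
    result["login_allowed"] = not allowed or bool(allowed & groups)
    return result

if __name__ == "__main__":
    for sample in (["sftp"], ["ssh", "wheel"], ["sftp", "wheel"], ["wheel"]):
        print(sample, effective(sample))
```

On a host with this file installed, `sshd -T -C user=NAME` prints the values sshd itself resolves for a real account, which is the authoritative check.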