### AniNIX/SSH | Basic configuration for listening daemon ###

# Daemon spec
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
# Protocol is ignored by OpenSSH 7.4 and later, which only speak protocol 2; kept for older builds.
Protocol 2
ChrootDirectory none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com

# DSA (1024-bit only, disabled by default since OpenSSH 7.0) and ECDSA (NIST curves with
# unexplained parameters) are not trusted. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Network performance: a client that misses 3 keepalives 5 seconds apart is dropped after 15 seconds.
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3

# Forwarding options (re-enabled per group under Access Controls below)
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
# X11UseLocalhost no binds forwarded displays to the wildcard address instead of loopback;
# it only takes effect for the ssh-forward group, which gets X11Forwarding below.
X11UseLocalhost no
GatewayPorts no

# Override default of no subsystems to allow SFTP
Subsystem sftp internal-sftp

# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
# Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is still accepted as an alias.
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# AllowGroups alone denies everyone outside ssh-allow. sshd patterns support only '*', '?'
# and '!' negation, so a regex-style "DenyGroups [^ssh-allow]" would only match a group
# literally named that and do nothing.
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no

# Allow other packages to ship snippets. This must come before the first Match line:
# everything after a Match applies only when that Match succeeds, up to the next Match or
# end of file, so an Include at the bottom would only load for the sftp-home-jail group.
# It sits after the global settings so those keep precedence (sshd uses the first value it sees).
Include /etc/ssh/includes/*

## Access Controls
Match Group ssh-forward
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes

Match Group sftp-home-jail
    ForceCommand internal-sftp
    # /home must be root-owned and not group/world-writable, or sshd refuses the login.
    ChrootDirectory /home
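How the two Match blocks scope, as an added example that is not AniNIX's or OpenSSH's code: a small Python evaluator that applies the rules from sshd_config(5) (a directive after a Match line is in force only while the Match criteria hold, until the next Match or end of file; the first value seen for a keyword wins; patterns know only `*`, `?` and `!`). The embedded SAMPLE_CONFIG is a constructed, condensed copy of this file that keeps an Include after the last Match, so the result for an sftp-home-jail member shows Include as one of that block's directives while other users get none. The function names and the users alice, bob and carol are assumptions for the example.

```python
"""sshd_config Match-scope evaluator (added example, not AniNIX or OpenSSH code).

Models sshd_config(5): directives after a Match line apply only while its
criteria hold, until the next Match or end of file; the first value seen for
a keyword wins; patterns know only '*', '?' and '!'. Criteria: User, Group.
"""
import re

# Constructed sample: a condensed copy of the page's configuration that keeps
# a trailing Include so that its scoping shows up in effective().
SAMPLE_CONFIG = """\
AllowTcpForwarding no
X11Forwarding no
AllowGroups ssh-allow
PermitRootLogin no
Match Group ssh-forward
    AllowTcpForwarding yes
    X11Forwarding yes
Match Group sftp-home-jail
    ForceCommand internal-sftp
    ChrootDirectory /home
Include /etc/ssh/includes/*
"""


def match_pattern(pattern, value):
    """sshd pattern: '*' and '?' are the only wildcards; there are no [...] classes."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def match_pattern_list(pattern_list, value):
    """Like sshd's match_pattern_list(): 1 match, 0 no match, -1 negated pattern hit."""
    result = 0
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if match_pattern(pat[1:], value):
                return -1
        elif match_pattern(pat, value):
            result = 1
    return result


def groups_match(pattern_list, groups):
    """Match Group: any group may match, but a negated hit on any group vetoes."""
    results = [match_pattern_list(pattern_list, g) for g in groups]
    return -1 not in results and 1 in results


def parse(text):
    """Return (global_directives, [(criteria, directives), ...]); keywords lowercased."""
    global_directives, blocks = [], []
    current = global_directives
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments and blank lines
        if not parts:
            continue
        keyword, rest = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            words = rest.split()   # "Match all" yields no criteria, so it always holds
            current = []
            blocks.append((list(zip((w.lower() for w in words[0::2]), words[1::2])), current))
        else:
            current.append((keyword, rest))
    return global_directives, blocks


def criteria_match(criteria, user, groups):
    """Every criterion on the Match line has to hold."""
    for keyword, pattern_list in criteria:
        if keyword == "user" and match_pattern_list(pattern_list, user) != 1:
            return False
        if keyword == "group" and not groups_match(pattern_list, groups):
            return False
        if keyword not in ("user", "group"):
            raise ValueError("Match criterion not modelled: " + keyword)
    return True


def effective(text, user, groups):
    """Matched Match blocks override the global section; first value per keyword wins."""
    global_directives, blocks = parse(text)
    result = {}
    for criteria, directives in blocks:
        if criteria_match(criteria, user, groups):
            for keyword, value in directives:
                result.setdefault(keyword, value)
    for keyword, value in global_directives:
        result.setdefault(keyword, value)
    return result


if __name__ == "__main__":
    for user, groups in [("alice", ["ssh-allow"]), ("bob", ["ssh-allow", "ssh-forward"]),
                         ("carol", ["ssh-allow", "sftp-home-jail"])]:
        print(user, effective(SAMPLE_CONFIG, user, groups))
```

Running it shows bob (ssh-forward) getting AllowTcpForwarding yes while alice keeps no, and only carol (sftp-home-jail) picking up the Include, which is why the snippet Include belongs above the first Match. `match_pattern_list("[^ssh-allow]", "wheel")` returns 0 because the brackets are literal characters to sshd, so a regex-style DenyGroups never fires. On a real host, `sshd -t` syntax-checks the file and `sshd -T -C user=bob,host=example.org,addr=192.0.2.1` (placeholder host and address) prints the effective set from OpenSSH's own parser for comparison.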