### AniNIX::SSH \\ Basic configuration for listening daemon ###

# Daemon spec #
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
# Server-side SSH-1 support was removed in OpenSSH 7.4; "Protocol 2" only matters on older builds and is ignored by newer ones.
Protocol 2
ChrootDirectory none

# DSA and ECDSA are untrusted for vulnerabilities and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Network Performance #
Compression yes
# Drop a client that has not answered 3 keepalive probes sent 5 seconds apart (15 seconds in total).
ClientAliveInterval 5
ClientAliveCountMax 3

# Forwarding options #
# Everything is off by default; the ssh-forward group re-enables it in the Match block below.
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
# Keep forwarded X displays bound to the loopback interface; "no" would make them reachable from the network.
X11UseLocalhost yes
GatewayPorts no

# Override default of no subsystems to allow SFTP #
Subsystem sftp /usr/lib/ssh/sftp-server

# Authentication #
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Passwords remain enabled here; set this to "no" once every account has a key deployed.
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# AllowGroups alone denies everyone outside ssh-allow. sshd patterns only know "*", "?" and a leading "!",
# so a DenyGroups pattern such as "[^ssh-allow]" would be matched literally and deny nothing.
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no

## Access Controls ##
# Match blocks are evaluated in order; the first block that sets a keyword wins for that connection.
Match Group ssh-forward
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes

# Confine members to an SFTP session rooted at /home (their own directory appears as /<user> inside the jail).
# The chroot target must be owned by root and not writable by group or others, or sshd refuses the login.
# internal-sftp is used instead of /usr/lib/ssh/sftp-server because the jail contains no binaries.
Match Group sftp-home-jail
    ForceCommand internal-sftp
    ChrootDirectory /home

# Replace the shell with a captive application for this account.
Match User crypto
    ForceCommand /usr/local/bin/captivecrypto
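Which of the keywords above actually reach a given connection depends on sshd's Match rule: global keywords apply unless a matching Match block sets the keyword, and the first matching block to set a keyword wins. The script below is an added example, not code from the AniNIX::SSH page or from OpenSSH. It embeds a constructed, abbreviated copy of the page's Match-relevant keywords and resolves them for a user and group set, using OpenSSH's own wildcard rules ("*", "?", a leading "!" negates, commas separate a list, no "[...]" classes). It handles only Match User, Match Group and Match all (an assumption); on a real host `sshd -T -C user=<name>` is the authority.

```python
"""Resolve which sshd_config keywords apply to a given user and group set.

Added example, not code from the AniNIX::SSH page or from OpenSSH. It
re-implements the documented Match rule (global keywords apply unless a
matching Match block sets the keyword; the first matching block wins)
and OpenSSH's pattern syntax. Only Match User/Group/all are handled.
"""

# Constructed, abbreviated copy of the page's Match-relevant keywords.
CONFIG = """\
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
ChrootDirectory none
AllowGroups ssh-allow
PermitRootLogin no
Match Group ssh-forward
    AllowTcpForwarding yes
    AllowAgentForwarding yes
    X11Forwarding yes
Match Group sftp-home-jail
    ForceCommand internal-sftp
    ChrootDirectory /home      # trailing comment, stripped by the parser
Match User crypto
    ForceCommand /usr/local/bin/captivecrypto
"""

# Keywords sshd accumulates instead of taking only the first value.
MULTI_VALUED = {"hostkey", "port", "listenaddress", "subsystem", "acceptenv"}


def match_pattern(pattern, s):
    """OpenSSH-style glob: '*' and '?' are wildcards, everything else is literal."""
    if not pattern:
        return s == ""
    if pattern[0] == "*":
        return any(match_pattern(pattern[1:], s[i:]) for i in range(len(s) + 1))
    if s and pattern[0] in ("?", s[0]):
        return match_pattern(pattern[1:], s[1:])
    return False


def match_pattern_list(patterns, s):
    """1 on a positive match, -1 if a negated ('!') pattern matched, 0 otherwise."""
    positive = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if match_pattern(pat[1:] if negated else pat, s):
            if negated:
                return -1  # a negated match rejects regardless of earlier hits
            positive = 1
    return positive


def criteria_match(criteria, user, groups):
    """Every criterion on one Match line must hold; Match Group accepts any group."""
    for kind, patterns in criteria:
        if kind == "all":
            continue
        if kind == "user":
            if match_pattern_list(patterns, user) != 1:
                return False
        elif kind == "group":
            results = [match_pattern_list(patterns, g) for g in groups]
            if -1 in results or 1 not in results:
                return False
        else:
            raise ValueError(f"Match {kind} is not supported by this example")
    return True


def parse_sshd_config(text):
    """Return global [(key, value)] and [(criteria, [(key, value)])] Match blocks."""
    global_opts, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            words = value.split()
            pairs = [("all", "")] if words == ["all"] else zip(words[0::2], words[1::2])
            current = ([(k.lower(), p) for k, p in pairs], [])
            blocks.append(current)
        elif current is None:
            global_opts.append((key, value))
        else:
            current[1].append((key, value))
    return global_opts, blocks


def effective_config(text, user, groups):
    """First value wins in the global section; a matching Match block overrides it."""
    global_opts, blocks = parse_sshd_config(text)
    effective, from_match = {}, {}
    for key, value in global_opts:
        if key in MULTI_VALUED:
            effective.setdefault(key, []).append(value)
        else:
            effective.setdefault(key, value)
    for criteria, opts in blocks:
        if criteria_match(criteria, user, groups):
            for key, value in opts:
                from_match.setdefault(key, value)  # first matching block wins
    effective.update(from_match)
    return effective
```

Running `effective_config(CONFIG, "alice", ["ssh-allow", "ssh-forward", "sftp-home-jail"])` shows the consequence of block order: a member of both groups gets `AllowTcpForwarding yes` from the ssh-forward block and `ForceCommand internal-sftp` from the jail block, so the jailed SFTP session can still request TCP forwards. If that is not intended, the sftp-home-jail block has to come first and set `AllowTcpForwarding no` itself.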