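### AniNIX/SSH | Basic configuration for listening daemon ###
#
# sshd_config for an Internet-reachable host. Two classes of login exist:
# SFTP-only accounts (chrooted, no forwarding) and shell accounts (members of
# wheel / ssh-allow, forwarding allowed). Evaluation rules that matter here:
#   * in the global section the FIRST value read for a keyword wins;
#   * a Match block overrides the global value for sessions it matches;
#   * when several Match blocks match the same session, the first one to set
#     a keyword wins — a later block cannot undo an earlier one.

# Daemon spec
Port 22
# IPv4 wildcard only; add "ListenAddress ::" if IPv6 clients must be served.
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
# Reject ~/.ssh and authorized_keys files that are group- or world-writable.
StrictModes yes
# Protocol 1 support has been removed from OpenSSH; current releases treat
# this keyword as deprecated and ignore it. Kept for older servers only.
Protocol 2
ChrootDirectory none
# AEAD and CTR modes only; CBC ciphers are deliberately absent.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
# NOTE(review): KexAlgorithms and MACs are left at the OpenSSH defaults; pin
# them too if this host has to meet a fixed crypto policy.

# DSA and ECDSA are untrusted for vulnerabilities and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Network Performance
Compression yes
# Probe the client every 5 s and drop the session after 3 unanswered probes
# (about 15 s) so dead connections are reaped quickly.
ClientAliveInterval 5
ClientAliveCountMax 3

# Forwarding options — global defaults are "off"; the shell group re-enables
# them in its Match block below.
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
# Bind forwarded X11 displays to loopback only. With "no" the display is bound
# to the wildcard address, so any host that can reach this machine can connect
# to the forwarded X server. This matters because X11Forwarding is switched on
# for the shell group below.
X11UseLocalhost yes
GatewayPorts no

# Override default of no subsystems to allow SFTP.
# internal-sftp runs inside sshd, which is what makes ChrootDirectory workable
# for SFTP-only accounts: no binaries or libraries are needed inside the jail.
Subsystem	sftp	internal-sftp

# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
# NOTE(review): password logins are accepted on a wildcard listener. Switch to
# "PasswordAuthentication no" once every account has a key, or at least limit
# it to specific groups via Match and pair it with a brute-force limiter.
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

# Allow other packages to ship snippets.
# Placed ahead of the Match blocks on purpose: a Match block extends to the
# next Match line or end of file, so an Include after them is evaluated inside
# the last Match context — its snippets would apply only to that group and any
# global-only keyword in them would be rejected. Because the first value wins,
# keywords already set above are not overridden by snippets; snippets may still
# contribute Match blocks of their own, and those take precedence over the
# Match blocks below for any keyword they set.
Include /etc/ssh/includes/*

## By default, only ssh-allow or ldapusers are allowed to sftp
# NOTE(review): the group names here and in the Match blocks do not line up.
# AllowGroups admits "ssh", "sftp" and "ldapuser", but the shell Match block
# keys on "wheel" and "ssh-allow". A wheel/ssh-allow member who is in none of
# the three listed groups is denied before any Match block is considered.
# Confirm which spelling ("ssh" vs "ssh-allow") the system uses and add
# "wheel" here if its members are meant to log in.
AllowGroups ssh sftp ldapuser
# SFTP-only accounts: forced into the in-process SFTP server and jailed under
# /home. /home and every directory above it must be root-owned and not writable
# by group or others, or sshd refuses the login. The jail is shared: users can
# see each other's home directories, subject only to filesystem permissions.
# An account that is also in wheel/ssh-allow still lands here, because this
# block comes first and the shell block cannot override it.
Match Group ldapuser,sftp
    ForceCommand internal-sftp
    ChrootDirectory /home

## Special groups are allowed shell
# Re-enables the forwarding features disabled globally. "none" is the explicit
# spelling of "no forced command / no chroot" for this group.
Match Group wheel,ssh-allow
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes
    ForceCommand none
    ChrootDirectory none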