
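### AniNIX/SSH | Basic configuration for listening daemon ###
# sshd_config(5): for each keyword the first obtained value wins in the global
# section; only a matching "Match" block below can override a global setting.
# Daemon spec
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
# Protocol 1 was removed in OpenSSH 7.4; current releases treat this keyword as
# deprecated and ignore it. Kept for hosts still running an older sshd.
Protocol 2
ChrootDirectory none
# AEAD ciphers first, no CBC modes. KexAlgorithms and MACs are left at the
# daemon defaults; review them if this file targets an old OpenSSH release.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com
# DSA and ECDSA are untrusted for vulnerabilities and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance
Compression yes
# Keepalive probe every 5 s; after 3 unanswered probes (about 15 s) the session is dropped.
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options: nothing is forwarded by default; relaxed for shell groups in the
# "Match Group wheel,ssh-allow" block below.
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
# "no" binds forwarded X11 displays to the wildcard address, so other hosts can reach
# them; the daemon default is "yes" (loopback only). Only matters where X11Forwarding
# is enabled (shell groups below).
X11UseLocalhost no
GatewayPorts no
# Override default of no subsystems to allow SFTP
Subsystem sftp internal-sftp
# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Password logins stay enabled (checked through PAM); exposure is bounded by
# AllowGroups below and PermitRootLogin no.
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
## Only members of ssh, sftp or ldapuser may log in at all; of those, sftp and
## ldapuser are confined to SFTP by the first Match block below.
## NOTE(review): wheel and ssh-allow are matched below but are not listed here, so
## their members are refused unless they are also in ssh, sftp or ldapuser - confirm
## this is intended.
AllowGroups ssh sftp ldapuser
# Allow other packages to ship snippets.
# Placed after every global setting (first value wins, so snippets cannot override
# the above) but before the first Match, so the snippets are read in the global
# context. An Include inside a Match block is conditional and would only apply to
# sessions matching that block.
Include /etc/ssh/includes/*
Match Group ldapuser,sftp
ForceCommand internal-sftp
# Every component of the chroot path must be root-owned and not writable by any
# other user or group, otherwise sshd refuses the session.
ChrootDirectory /home
## Special groups are allowed shell
Match Group wheel,ssh-allow
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
X11Forwarding yes
ForceCommand none
ChrootDirectory none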