Kapisi/roles/SSH/files/sshd_config
2020-10-08 16:33:19 -05:00

60 lines
1.4 KiB
Plaintext

### AniNIX::SSH \\ Basic configuration for listening daemon ###
# Daemon spec #
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
PrintLastLog yes
StrictModes yes
Protocol 2
ChrootDirectory none
# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance #
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options #
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost no
GatewayPorts no
# Override default of no subsystems to allow SFTP #
Subsystem sftp /usr/lib/ssh/sftp-server
# Authentication #
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
DenyGroups [^ssh-allow]
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no
## Access Controls ###
Match Group ssh-forward
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
X11Forwarding yes
Match Group sftp-home-jail
ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
ChrootDirectory /home # Lock the user in their home directory
Match User crypto
ForceCommand /usr/local/bin/captivecrypto