virtubox
/
ubuntu-nginx-web-server
mirror of https://github.com/VirtuBox/ubuntu-nginx-web-server
1
0
Fork 0
Code Issues Releases Wiki Activity
ubuntu-nginx-web-server/etc/ssh/sshd_config

53 lines
2.0 KiB
Plaintext
Raw Blame History

# Use a custom port in the following range : 1024-65536
Port 22
#Prefer ed25519 & ECDSA keys rather than 2048 bit RSA
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Allow root access with ssh keys
PermitRootLogin without-password
# Allow ssh access to some users only
AllowUsers root ubuntu debian
# allow ssh key Authentication
PubkeyAuthentication yes
# ssh keys path in ~/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys
# No password or empty passwords Authentication
PasswordAuthentication no
PermitEmptyPasswords no
# No challenge response Authentication
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
#PrintMotd no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Host keys the client accepts - order here is honored by OpenSSH
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
# use strong ciphers
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox
Reference in New Issue View Git Blame Copy Permalink