53 lines
2.0 KiB
Plaintext
53 lines
2.0 KiB
Plaintext
# Use a custom port in the following range : 1024-65536
|
|
Port 22
|
|
|
|
#Prefer ed25519 & ECDSA keys rather than 2048 bit RSA
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
|
|
# Allow root access with ssh keys
|
|
PermitRootLogin without-password
|
|
|
|
# Allow ssh access to some users only
|
|
AllowUsers root ubuntu debian
|
|
|
|
# allow ssh key Authentication
|
|
PubkeyAuthentication yes
|
|
|
|
# ssh keys path in ~/.ssh/authorized_keys
|
|
AuthorizedKeysFile %h/.ssh/authorized_keys
|
|
|
|
# No password or empty passwords Authentication
|
|
PasswordAuthentication no
|
|
PermitEmptyPasswords no
|
|
|
|
# No challenge response Authentication
|
|
ChallengeResponseAuthentication no
|
|
|
|
UsePAM yes
|
|
X11Forwarding yes
|
|
|
|
#PrintMotd no
|
|
|
|
# Allow client to pass locale environment variables
|
|
AcceptEnv LANG LC_*
|
|
|
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
|
|
LogLevel VERBOSE
|
|
|
|
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
|
|
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
|
|
|
# Host keys the client accepts - order here is honored by OpenSSH
|
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
|
|
|
|
# use strong ciphers
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# Use kernel sandbox mechanisms where possible in unprivileged processes
|
|
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
|
|
UsePrivilegeSeparation sandbox
|