author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-09 09:54:55 +0200 |
---|---|---|
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-09 10:11:44 +0200 |
commit | 36e8355355b0d582f9ffb432f1b83d3f62ac2e94 (patch) | |
tree | c4625554ae25eadb57846c8d300d5f942b5607b1 | |
parent | cloud-init: upgrade packages (diff) | |
download | infra-terraform-36e8355355b0d582f9ffb432f1b83d3f62ac2e94.tar.gz infra-terraform-36e8355355b0d582f9ffb432f1b83d3f62ac2e94.zip |
sshd: minimize initial sshd_configv1.0.0
Make it less opinionated, more essential.
-rw-r--r-- | etc/sshd_config | 40 |
1 files changed, 5 insertions, 35 deletions
diff --git a/etc/sshd_config b/etc/sshd_config
index ae08408..65b77c6 100644
--- a/etc/sshd_config
+++ b/etc/sshd_config
@@ -1,39 +1,9 @@
-Protocol 2
 Port ${port}
-
-# Drop idle sessions:
-ClientAliveCountMax 3
-ClientAliveInterval 15
-
-# Allow reverse tunnels:
-GatewayPorts yes
-
-# Miscellaneous:
-PrintMotd no
-
-# Hardening.
-# Source: https://infosec.mozilla.org/guidelines/openssh.html
-
-# Only Ed25519:
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Only the first choices for ciphers:
-KexAlgorithms curve25519-sha256@libssh.org
-Ciphers chacha20-poly1305@openssh.com
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-
-# No password login:
-PasswordAuthentication no
-AuthenticationMethods publickey
-# Whitelist users:
 PermitRootLogin no
 AllowGroups ${join(" ", users)}
-
-# Log things:
-Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
-
-# Whitelist accepted environment variables:
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+AuthenticationMethods publickey
+PrintMotd no
 AcceptEnv LANG LC_*
-
-# Why the fuck would I need X11 forwarding?
-X11Forwarding no
+Subsystem sftp /usr/lib/openssh/sftp-server |
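Review bot: The new `Subsystem sftp` line at the end of the hunk drops the `-f AUTHPRIV -l INFO` options, so SFTP file operations are no longer logged at all — the old file's "# Log things:" comment shows this was deliberate audit logging, and the commit message says nothing about giving it up. If that is unintended, keep `Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO`. The hunk also removes the explicit `HostKey`, `KexAlgorithms`/`Ciphers`/`MACs` and `ClientAlive*` settings, which means the server now relies on whatever the distribution's OpenSSH defaults are; a short comment such as `# Algorithm selection and idle timeouts intentionally left at the distribution defaults.` would make that choice visible to the next reader. Note too that `ChallengeResponseAuthentication` is a deprecated alias for `KbdInteractiveAuthentication` in recent OpenSSH releases; it still works, but the current name avoids a future deprecation warning.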