Diffstat (limited to 'etc/sshd_config')
-rw-r--r--etc/sshd_config39
1 files changed, 39 insertions, 0 deletions
diff --git a/etc/sshd_config b/etc/sshd_config
new file mode 100644
index 0000000..ae08408
--- /dev/null
+++ b/etc/sshd_config
@@ -0,0 +1,39 @@
+Protocol 2
+Port ${port}
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Allow reverse tunnels:
+GatewayPorts yes
+
+# Miscellaneous:
+PrintMotd no
+
+# Hardening.
+# Source: https://infosec.mozilla.org/guidelines/openssh.html
+
+# Only Ed25519:
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Only the first choices for ciphers:
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# No password login:
+PasswordAuthentication no
+AuthenticationMethods publickey
+# Whitelist users:
+PermitRootLogin no
+AllowGroups ${join(" ", users)}
+
+# Log things:
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Why the fuck would I need X11 forwarding?
+X11Forwarding no
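Review bot: `GatewayPorts yes` on the "Allow reverse tunnels" line makes every remote-forwarded port bind on all interfaces for any account that can authenticate, so anyone in the `AllowGroups` list can expose an internal service to the network; unless that is the intent, `GatewayPorts clientspecified` (the client chooses the bind address per forward) or keeping the default `no` together with `PermitListen`/`PermitOpen` limits is the safer choice. The "Log things" section only raises the sftp subsystem's log level, while the guideline the file cites also recommends `LogLevel VERBOSE` so that the fingerprint of the key used for each login is recorded. The directive is `AllowGroups` but the template variable is `users`; this only works where each user has a same-named group (the Debian user-private-group default), otherwise those users are locked out, so a comment such as `# AllowGroups expects group names; relies on per-user groups` or switching to `AllowUsers` would make the contract explicit. Minor: `ClientAliveInterval`/`ClientAliveCountMax` drop unresponsive connections, not idle ones, so the "Drop idle sessions" comment is misleading; something like `# Drop dead connections after ~45s without a keepalive reply` is more accurate, and `Protocol 2` is a no-op on current OpenSSH.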