From 15b9dea7a95765f1f3c09fe0dcb2ea5b5cb669c1 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Fri, 4 Aug 2023 14:18:08 +0200
Subject: import some common modules

---
 digitalocean/server/etc/sshd_config | 39 +++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 digitalocean/server/etc/sshd_config

(limited to 'digitalocean/server/etc/sshd_config')

diff --git a/digitalocean/server/etc/sshd_config b/digitalocean/server/etc/sshd_config
new file mode 100644
index 0000000..ae08408
--- /dev/null
+++ b/digitalocean/server/etc/sshd_config
@@ -0,0 +1,39 @@
+Protocol 2
+Port ${port}
+
+# Drop idle sessions:
+ClientAliveCountMax 3
+ClientAliveInterval 15
+
+# Allow reverse tunnels:
+GatewayPorts yes
+
+# Miscellaneous:
+PrintMotd no
+
+# Hardening.
+# Source: https://infosec.mozilla.org/guidelines/openssh.html
+
+# Only Ed25519:
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Only the first choices for ciphers:
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# No password login:
+PasswordAuthentication no
+AuthenticationMethods publickey
+# Whitelist users:
+PermitRootLogin no
+AllowGroups ${join(" ", users)}
+
+# Log things:
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Whitelist accepted environment variables:
+AcceptEnv LANG LC_*
+
+# Why the fuck would I need X11 forwarding?
+X11Forwarding no
--
cgit v1.2.3
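Review bot: `GatewayPorts yes` under "# Allow reverse tunnels:" makes every remote-forwarded port bind on all interfaces, so any account admitted by `AllowGroups` can expose a service on the server's public address; `GatewayPorts clientspecified` keeps the default loopback binding unless the client asks otherwise, and the comment should state that the wildcard binding is intended if it is. The `AllowGroups ${join(" ", users)}` line feeds a list named `users` into a group directive, which is at least a naming mismatch; if the list can be empty the directive is emitted with no argument, which sshd may refuse at startup, so the template should guard that case or the comment `# Whitelist users:` should say these are group names. The "# Log things:" section configures only the sftp subsystem; the Mozilla page cited at the top also recommends `LogLevel VERBOSE` so that the key used for each login is recorded, which is what an audit trail of public-key logins needs.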