# sshd_config template: ${port} and ${users} are substituted by the
# templating tool that renders this file; every other line is literal sshd config.
# Protocol 2 only. NOTE(review): on OpenSSH 7.4+ this directive is a no-op
# (protocol 1 support was removed), so it is harmless but carries no weight.
Protocol 2
Port ${port}
# Drop idle sessions: per sshd_config(5), disconnect a client that has not
# answered 3 consecutive keepalives sent every 15 s (roughly 45 s unresponsive).
ClientAliveCountMax 3
ClientAliveInterval 15
# Allow reverse tunnels:
# NOTE(review): remote forwards (ssh -R) already work with the default "no";
# "yes" additionally lets the forwarded port bind to non-loopback addresses, so
# it becomes reachable from other hosts. Confirm the host firewall limits who
# can reach those ports, or use "clientspecified" so the client chooses the
# bind address per forward.
GatewayPorts yes
# Miscellaneous:
PrintMotd no
# Hardening.
# Source: https://infosec.mozilla.org/guidelines/openssh.html
# Only Ed25519: a single host key; once HostKey is set, the stock default key
# list is not used, so clients without Ed25519 support cannot connect (intended).
HostKey /etc/ssh/ssh_host_ed25519_key
# Only the first choices for ciphers:
# Deliberately restrictive; older clients that lack these algorithms are refused
# at key exchange rather than negotiated down.
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# No password login:
# AuthenticationMethods restricts every login to public key, so password and
# keyboard-interactive prompts are never offered even if enabled by a later
# directive or an included file.
PasswordAuthentication no
AuthenticationMethods publickey
# Whitelist users:
# NOTE(review): AllowGroups matches *group* names (primary or supplementary),
# not user names; each entry of ${users} must be a group that exists on the
# host, or that login is refused. An empty list would render "AllowGroups" with
# no argument — confirm the template rejects that case instead of producing a
# config sshd refuses to load.
PermitRootLogin no
AllowGroups ${join(" ", users)}
# Log things:
# This only makes the sftp subsystem log to the AUTHPRIV facility at INFO;
# interactive shell logins are not covered here. Consider "LogLevel VERBOSE"
# (also recommended by the source above) so the fingerprint of the accepted
# key is recorded for every login.
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Whitelist accepted environment variables:
# Locale variables only; anything else sent by the client is dropped.
AcceptEnv LANG LC_*
# Why the fuck would I need X11 forwarding?
X11Forwarding no