change sshd_config

Lorenzo Tucci 2022-02-28 20:41:57 +01:00
parent 44e8da2c7f
commit 0e6b8eb810
Signed by untrusted user who does not match committer: yamabiko
GPG key ID: D98C4FA2CDF590A0


@ -1,27 +1,52 @@
HostKey /etc/ssh/ssh_host_rsa_key Protocol 2 # Protocol 1 is fundamentally broken
HostKey /etc/ssh/ssh_host_ecdsa_key StrictModes yes # Protects from misconfiguration
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV #ListenAddress [ip-here] # Listening address
Port 22 # Listening port. Normal 22
AllowGroups sshlogin AuthenticationMethods publickey # Only public key authentication allowed
PermitRootLogin WITHOUT-PASSWORD
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys
IgnoreRhosts yes PubkeyAuthentication yes # Allow public key authentication
MaxSessions 4 HostKey /etc/ssh/ssh_host_ed25519_key # Only allow ECDSA pubic key authentication
MaxAuthTries 4 HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Host keys the client should accepts
ClientAliveCountMax 2 KexAlgorithms curve25519-sha256 # Specifies the available KEX (Key Exchange) algorithms
LogLevel VERBOSE Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Specifies the ciphers allowed
PasswordAuthentication no MACs hmac-sha2-512-etm@openssh.com # Specifies the available MAC alg.
ChallengeResponseAuthentication no
GSSAPIAuthentication no #Only allow incoming ECDSA and ed25519 sessions:
UsePAM yes HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
PrintMotd no PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519
X11Forwarding no #CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT PermitRootLogin WITHOUT-PASSWORD # Enable/disable root login
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE #AllowUsers [username] # Authorized SSH users are inside the admin group
AcceptEnv XMODIFIERS MaxAuthTries 5 # Maximum allowed authentication attempts
Subsystem sftp /usr/lib/openssh/sftp-server MaxSessions 2 # Maximum allowed sessions by the user
PasswordAuthentication no # No username password authentication
PermitEmptyPasswords no # No empty password authentcation allowed
IgnoreRhosts yes # Dont read users rhost files
HostbasedAuthentication no # Disable host-based authentication
ChallengeResponseAuthentication no # Unused authentication scheme
X11Forwarding no # Disable X11 forwarding
LogLevel VERBOSE # Fingerprint details of failed login attempts
SyslogFacility AUTH # Logging authentication and authorization related commands
UseDNS no # Client from a location without proper DNS generate a warning in the logs
PermitTunnel no # Only SSH connection and nothing else
AllowTcpForwarding no # Disablow tunneling out via SSH
AllowStreamLocalForwarding no # Disablow tunneling out via SSH
GatewayPorts no # Disablow tunneling out via SSH
AllowAgentForwarding no # Do not allow agent forwarding
#Banner /etc/issue.net # Show legal login banner
PrintLastLog yes # Show last login
ClientAliveInterval 900 # Client timeout (15 minutes)
ClientAliveCountMax 0 # This way enforces timeouts on the server side
LoginGraceTime 30 # Authenticatin must happen within 30 seconds
MaxStartups 2 # Max concurrent SSH sessions
TCPKeepAlive yes # Do not use TCP keep-alive
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
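Review bot: `TCPKeepAlive yes # Do not use TCP keep-alive` near the end of the hunk contradicts itself; since the server-side idle timeout is meant to come from ClientAliveInterval, the directive should read `TCPKeepAlive no`, or the comment should be corrected to match the value. `ClientAliveCountMax 0` directly under `ClientAliveInterval 900` does not enforce a timeout on OpenSSH 8.2 and later, where a zero count disables connection termination entirely; `ClientAliveCountMax 1` is what makes a single missed liveness probe end the session, and the comment should say so. `MaxStartups 2 # Max concurrent SSH sessions` limits concurrent unauthenticated connections rather than sessions, so a third pending handshake is dropped and an operator can be locked out during a retry storm; if the intent is only to throttle, the documented `start:rate:full` form (e.g. `MaxStartups 10:30:100`) is the safer shape. The new side also carries the comment `Authorized SSH users are inside the admin group` with no AllowGroups or AllowUsers directive in force, so any local account that holds an authorized key can log in; `AllowGroups <admin-group>` (placeholder) would make that comment true. The hunk is a side-by-side rendering with the old and new columns merged onto single lines, so I cannot tell whether the `Subsystem sftp` and `UsePAM` lines were dropped or merely folded out of view; worth confirming against the file.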