{% if hardening_sshd_enabled %} Protocol 2 # Protocol 1 is fundamentally broken StrictModes yes # Protects from misconfiguration #ListenAddress [ip-here] # Listening address Port {{ hardening_sshd_port }} # Listening port. Normal 22 AuthenticationMethods publickey # Only public key authentication allowed AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }} PubkeyAuthentication yes # Allow public key authentication HostKey /etc/ssh/ssh_host_ed25519_key # Only allow ECDSA pubic key authentication HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Host keys the client should accepts KexAlgorithms curve25519-sha256 # Specifies the available KEX (Key Exchange) algorithms Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Specifies the ciphers allowed MACs hmac-sha2-512-etm@openssh.com # Specifies the available MAC alg. #Only allow incoming ECDSA and ed25519 sessions: HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519 #CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 PermitRootLogin WITHOUT-PASSWORD # Enable/disable root login #AllowUsers [username] # Authorized SSH users are inside the admin group MaxAuthTries 5 # Maximum allowed authentication attempts MaxSessions 2 # Maximum allowed sessions by the user PasswordAuthentication no # No username password authentication PermitEmptyPasswords no # No empty password authentcation allowed IgnoreRhosts yes # Dont read users rhost files HostbasedAuthentication no # Disable host-based authentication ChallengeResponseAuthentication no # Unused authentication scheme X11Forwarding no # Disable X11 forwarding LogLevel VERBOSE # Fingerprint details of failed login attempts SyslogFacility AUTH # Logging authentication and authorization related commands UseDNS no # Client from a location without proper DNS generate a warning in the logs PermitTunnel no # Only SSH connection and nothing else AllowTcpForwarding {{ 'yes' if hardening_sshd_tcp_forward else 'no' }} # Disablow tunneling out via SSH AllowStreamLocalForwarding no # Disablow tunneling out via SSH GatewayPorts no # Disablow tunneling out via SSH AllowAgentForwarding no # Do not allow agent forwarding {% if hardening_sshd_legal_banner %} Banner /etc/issue.net # Show legal login banner {% endif %} PrintLastLog yes # Show last login ClientAliveInterval 900 # Client timeout (15 minutes) ClientAliveCountMax 0 # This way enforces timeouts on the server side LoginGraceTime 30 # Authenticatin must happen within 30 seconds MaxStartups 2 # Max concurrent SSH sessions TCPKeepAlive yes # Do not use TCP keep-alive AcceptEnv LANG LC_* # Allow client to pass locale environment variables {% endif %}