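# SSH daemon configuration file.
#
# Some options are set even if they are default to document that they are
# important and to prevent upstream changes from affecting them.
#
# Copyright (C) 2013-2016 Simon Ruderich
#
# This file is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This file is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this file.  If not, see http://www.gnu.org/licenses/.


# Listen on port 22 (default).
Port 22

# Only use protocol 2. Protocol 1 is insecure. (default)
# NOTE(review): OpenSSH 7.6 and later removed protocol 1 support entirely and
# keep this option only for compatibility; it is harmless to leave in place.
Protocol 2

# Stronger algorithms. See ssh_config for details.
#
# What these lines imply:
# - Only one symmetric cipher (CTR mode) is offered; the AEAD ciphers
#   (chacha20-poly1305@openssh.com, aes256-gcm@openssh.com) are deliberately
#   absent, so the encrypt-then-MAC ("-etm") MAC below is what protects the
#   CTR cipher stream. Do not loosen the MACs line without reconsidering this.
# - HostKeyAlgorithms limits sshd to an RSA host key signed with SHA-512.
#   Clients without rsa-sha2-* support (OpenSSH older than 7.2) cannot
#   complete key exchange against this server at all.
# - The leading "-" in PubkeyAcceptedKeyTypes removes SHA-1 "ssh-rsa"
#   signatures and DSA keys (and their certificate variants) from the default
#   set. RSA user keys still work because rsa-sha2-256/512 remain accepted.
#   The "-" removal syntax is only understood by newer OpenSSH releases; older
#   ones reject the option and refuse to start -- check the running version.
#   PubkeyAcceptedKeyTypes is the pre-8.5 name of PubkeyAcceptedAlgorithms;
#   the old name is still accepted as an alias.
KexAlgorithms diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms rsa-sha2-512
PubkeyAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com

# Don't use PAM because it may circumvent other authentication methods used
# below (default).
# NOTE(review): with PAM off, sshd also skips PAM account and session modules
# (e.g. pam_limits, pam_systemd, pam_nologin on distributions that rely on
# them), and account-lock/expiry checks fall back to sshd's own handling.
# Confirm the host does not depend on any of those before deploying.
UsePAM no

# Disable authentication methods I don't use.
# ChallengeResponseAuthentication and KbdInteractiveAuthentication control the
# same mechanism (since OpenSSH 8.7 the former is an alias of the latter);
# both are listed so old and new releases read the same policy.
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
KbdInteractiveAuthentication no
KerberosAuthentication no
PasswordAuthentication no

# Only enable those I need.
PubkeyAuthentication yes

# Don't allow empty passwords (default). Redundant while
# PasswordAuthentication is off, but kept so re-enabling passwords later does
# not silently open empty-password logins.
PermitEmptyPasswords no

# Allow root-login only with public keys (default).
# "prohibit-password" is the OpenSSH 7.0+ spelling; releases before that only
# accept the equivalent "without-password".
PermitRootLogin prohibit-password

# Be strict when checking user file permissions (default). Refuses keys whose
# ~/.ssh or authorized_keys is group/world writable.
StrictModes yes

# Allow more sessions per network connection (e.g. from ControlMaster/-M).
# When not enough sessions are available this message is sent by ssh:
# "mux_client_request_session: session request failed: Session open refused by
# peer".
MaxSessions 30

# Don't accept any environment variables from the client (default).
# An AcceptEnv line with no patterns forwards nothing at all.
AcceptEnv

# Don't use ~/.ssh/environment and environment= options in
# ~/.ssh/authorized_keys because LD_PRELOAD could be used to circumvent
# authentications (default).
PermitUserEnvironment no

# Send a message after the given seconds of inactivity through the encrypted
# channel. Used to detect stale connections more quickly. Not necessary on all
# servers.
#ClientAliveInterval 60

# Disconnect the client if more than max count alive messages were lost
# (default).
# This only takes effect when ClientAliveInterval is set to a non-zero value.
# With the default of 0 (the line above is commented out) no alive messages
# are sent and dead connections linger until TCP gives up. If
# ClientAliveInterval 60 is enabled above, a broken connection is detected
# after about 3 minutes.
ClientAliveCountMax 3

# Enable sftp (and sshfs) usage. internal-sftp also works in chroots.
Subsystem sftp internal-sftp

# Only allow logins for certain users. Every account not listed here is
# refused, whatever the settings above say. Together with PermitRootLogin
# prohibit-password, key-based root logins are the only way in.
# NOTE(review): all administrators then share one account; whoever audits
# this host must rely on the key fingerprint in the log (see LogLevel below)
# to attribute a login to a person.
AllowUsers root

# Log at VERBOSE so each accepted public key login records the fingerprint of
# the key that authenticated, plus enough auth detail to investigate failed
# attempts. Some releases already include the fingerprint on the "Accepted
# publickey" line at the default INFO level; VERBOSE makes sure it is logged
# regardless of version. DEBUG is deliberately not used: it logs more than an
# audit trail needs and may expose private data.
LogLevel VERBOSE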