X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=sshd_config;h=0b7d95a33ca8422a4160f65219457d1a9755cca1;hb=363110875986d10c37122e5b430f357520504d8a;hp=c9ee8fc6d11355c9f377734e165ef621de76c375;hpb=cd3e1e08bc5acbe3418af0f202ebb73614da3b9b;p=config%2Fdotfiles.git
diff --git a/sshd_config b/sshd_config
index c9ee8fc..0b7d95a 100644
--- a/sshd_config
+++ b/sshd_config
@@ -3,7 +3,7 @@
 # Some options are set even if they are default to document that they are
 # important and to prevent upstream changes from affecting them.
-# Copyright (C) 2013 Simon Ruderich
+# Copyright (C) 2013-2016 Simon Ruderich
 #
 # This file is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -25,8 +25,14 @@ Port 22
 # Only use protocol 2. Protocol 1 is insecure. (default)
 Protocol 2
-# Use privilege separation for increased security.
-UsePrivilegeSeparation yes
+# Stronger algorithms. See ssh_config for details.
+KexAlgorithms diffie-hellman-group-exchange-sha256
+Ciphers aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
+
+# Use privilege separation for increased security. "sandbox" applies
+# additional restrictions on the unprivileged process.
+UsePrivilegeSeparation sandbox
 # Don't use PAM because it may circumvent other authentication methods used
 # below (default).
@@ -35,6 +41,7 @@ UsePAM no
 ChallengeResponseAuthentication no
 GSSAPIAuthentication no
 HostbasedAuthentication no
+KbdInteractiveAuthentication no
 KerberosAuthentication no
 PasswordAuthentication no
 # Only enable those I need.
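Review bot: In the new `MACs` line the plain `hmac-sha2-512` is listed after `hmac-sha2-512-etm@openssh.com`, so a client without encrypt-then-MAC support silently negotiates the MAC-then-encrypt variant, which is weaker than the "Stronger algorithms" comment suggests. If that fallback is kept on purpose for older clients, say so in the comment, e.g. `# hmac-sha2-512 (non-ETM) is only a fallback for clients without ETM support.`; otherwise `MACs hmac-sha2-512-etm@openssh.com` alone is the tighter choice. The comment should also note that `diffie-hellman-group-exchange-sha256` takes its groups from the server's moduli file, so the group size actually negotiated depends on that file's contents on each host (presumably /etc/ssh/moduli; confirm there). If the deployed sshd already defaults `UsePrivilegeSeparation` to `sandbox`, this file's own convention would mark the line "(default)" as the `Protocol 2` line above it does; the sshd version is not visible in the diff.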
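Review bot: `KbdInteractiveAuthentication no` is added a few lines after `ChallengeResponseAuthentication no` without a comment on how the two relate; as far as I know both control the same keyboard-interactive mechanism, so a note such as `# Same mechanism as ChallengeResponseAuthentication; keep both so neither spelling re-enables it.` stops a later cleanup from dropping one as redundant. Because the keyword is not documented for sshd in every release, confirm the target sshd accepts it with `sshd -t` before reloading, since an unrecognised option makes sshd reject the whole file.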
@@ -48,6 +55,12 @@ PermitRootLogin without-password
 # Be strict when checking user file permissions (default).
 StrictModes yes
+# Allow more sessions per network connection (e.g. from ControlMaster/-M).
+# When not enough sessions are available this message is sent by ssh:
+# "mux_client_request_session: session request failed: Session open refused by
+# peer".
+MaxSessions 30
+
 # Don't accept any environment variables from the client (default).
 AcceptEnv
 # Don't use ~/.ssh/environment and environment= options in
@@ -55,9 +68,17 @@ AcceptEnv
 # authentications (default).
 PermitUserEnvironment no
-# Enable sftp (and sshfs) usage.
-Subsystem sftp internal-sftp
+# Send a message after the given seconds of inactivity through the encrypted
+# channel. Used to detect stale connections more quickly. Not necessary on all
+# servers.
+#ClientAliveInterval 60
+# Disconnect the client if more than max count alive messages were lost
+# (default). With the setting above this detects a broken connection after 3
+# minutes.
+ClientAliveCountMax 3
+# Enable sftp (and sshfs) usage. internal-sftp also works in chroots.
+Subsystem sftp internal-sftp
 # Only allow logins for certain users.
 AllowUsers root