X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=sshd_config;h=0b7d95a33ca8422a4160f65219457d1a9755cca1;hb=b861528c1b6fc183d49daf18deb1ca485af5b9da;hp=8c73565cca2d7bf06b768e98619524f0c83061e4;hpb=6c216327e1dd81d3adfa60f278b4deebeb55f5b0;p=config%2Fdotfiles.git diff --git a/sshd_config b/sshd_config index 8c73565..0b7d95a 100644 --- a/sshd_config +++ b/sshd_config @@ -3,7 +3,7 @@ # Some options are set even if they are default to document that they are # important and to prevent upstream changes from affecting them. -# Copyright (C) 2013 Simon Ruderich +# Copyright (C) 2013-2016 Simon Ruderich # # This file is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -25,8 +25,14 @@ Port 22 # Only use protocol 2. Protocol 1 is insecure. (default) Protocol 2 -# Use privilege separation for increased security. -UsePrivilegeSeparation yes +# Stronger algorithms. See ssh_config for details. +KexAlgorithms diffie-hellman-group-exchange-sha256 +Ciphers aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 + +# Use privilege separation for increased security. "sandbox" applies +# additional restrictions on the unprivileged process. +UsePrivilegeSeparation sandbox # Don't use PAM because it may circumvent other authentication methods used # below (default). @@ -35,6 +41,7 @@ UsePAM no ChallengeResponseAuthentication no GSSAPIAuthentication no HostbasedAuthentication no +KbdInteractiveAuthentication no KerberosAuthentication no PasswordAuthentication no # Only enable those I need. @@ -51,8 +58,8 @@ StrictModes yes # Allow more sessions per network connection (e.g. from ControlMaster/-M). # When not enough sessions are available this message is sent by ssh: # "mux_client_request_session: session request failed: Session open refused by -# peer". Not necessary on all servers, therefore deactivated here. -#MaxSessions 30 +# peer". +MaxSessions 30 # Don't accept any environment variables from the client (default). AcceptEnv @@ -63,16 +70,15 @@ PermitUserEnvironment no # Send a message after the given seconds of inactivity through the encrypted # channel. Used to detect stale connections more quickly. Not necessary on all -# servers, therefore deactivated here. +# servers. #ClientAliveInterval 60 # Disconnect the client if more than max count alive messages were lost # (default). With the setting above this detects a broken connection after 3 # minutes. ClientAliveCountMax 3 -# Enable sftp (and sshfs) usage. +# Enable sftp (and sshfs) usage. internal-sftp also works in chroots. Subsystem sftp internal-sftp - # Only allow logins for certain users. AllowUsers root