X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=sshd_config;h=47d857762fd8fd647763a2f2f38615279c872b78;hb=b2a118a0ad79bcee7bd83925ac9df338d6087f2f;hp=8f21c33a43a5e7b376ae8dc58bc75152a8e1ab4e;hpb=1fb61af84ab18d053a2fcb5f0cbb35e0a9c5965a;p=config%2Fdotfiles.git diff --git a/sshd_config b/sshd_config index 8f21c33..47d8577 100644 --- a/sshd_config +++ b/sshd_config @@ -3,7 +3,7 @@ # Some options are set even if they are default to document that they are # important and to prevent upstream changes from affecting them. -# Copyright (C) 2013 Simon Ruderich +# Copyright (C) 2013-2014 Simon Ruderich # # This file is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -25,8 +25,14 @@ Port 22 # Only use protocol 2. Protocol 1 is insecure. (default) Protocol 2 -# Use privilege separation for increased security. -UsePrivilegeSeparation yes +# Stronger algorithms. See ssh_config for details. +KexAlgorithms diffie-hellman-group-exchange-sha256 +Ciphers aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 + +# Use privilege separation for increased security. "sandbox" applies +# additional restrictions on the unprivileged process. +UsePrivilegeSeparation sandbox # Don't use PAM because it may circumvent other authentication methods used # below (default). @@ -48,6 +54,12 @@ PermitRootLogin without-password # Be strict when checking user file permissions (default). StrictModes yes +# Allow more sessions per network connection (e.g. from ControlMaster/-M). +# When not enough sessions are available this message is sent by ssh: +# "mux_client_request_session: session request failed: Session open refused by +# peer". +MaxSessions 30 + # Don't accept any environment variables from the client (default). AcceptEnv # Don't use ~/.ssh/environment and environment= options in @@ -55,6 +67,18 @@ AcceptEnv # authentications (default). PermitUserEnvironment no +# Send a message after the given seconds of inactivity through the encrypted +# channel. Used to detect stale connections more quickly. Not necessary on all +# servers. +#ClientAliveInterval 60 +# Disconnect the client if more than max count alive messages were lost +# (default). With the setting above this detects a broken connection after 3 +# minutes. +ClientAliveCountMax 3 + +# Enable sftp (and sshfs) usage. internal-sftp also works in chroots. +Subsystem sftp internal-sftp + # Only allow logins for certain users. AllowUsers root