X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=shell%2Fsshd_config;fp=shell%2Fsshd_config;h=0b7d95a33ca8422a4160f65219457d1a9755cca1;hb=29fe133e2b4ca2a25342fa9a4c3e661bc38895f2;hp=0000000000000000000000000000000000000000;hpb=3e17e82d591782b4750382b00c5bf6ee96eddedf;p=config%2Fdotfiles.git diff --git a/shell/sshd_config b/shell/sshd_config new file mode 100644 index 0000000..0b7d95a --- /dev/null +++ b/shell/sshd_config @@ -0,0 +1,84 @@ +# SSH daemon configuration file. +# +# Some options are set even if they are default to document that they are +# important and to prevent upstream changes from affecting them. + +# Copyright (C) 2013-2016 Simon Ruderich +# +# This file is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This file is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this file. If not, see . + + +# Listen on port 22 (default). +Port 22 + +# Only use protocol 2. Protocol 1 is insecure. (default) +Protocol 2 + +# Stronger algorithms. See ssh_config for details. +KexAlgorithms diffie-hellman-group-exchange-sha256 +Ciphers aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 + +# Use privilege separation for increased security. "sandbox" applies +# additional restrictions on the unprivileged process. +UsePrivilegeSeparation sandbox + +# Don't use PAM because it may circumvent other authentication methods used +# below (default). +UsePAM no +# Disable authentication methods I don't use. +ChallengeResponseAuthentication no +GSSAPIAuthentication no +HostbasedAuthentication no +KbdInteractiveAuthentication no +KerberosAuthentication no +PasswordAuthentication no +# Only enable those I need. +PubkeyAuthentication yes + +# Don't allow empty passwords (default). +PermitEmptyPasswords no +# Allow root-login only with public keys. +PermitRootLogin without-password + +# Be strict when checking user file permissions (default). +StrictModes yes + +# Allow more sessions per network connection (e.g. from ControlMaster/-M). +# When not enough sessions are available this message is sent by ssh: +# "mux_client_request_session: session request failed: Session open refused by +# peer". +MaxSessions 30 + +# Don't accept any environment variables from the client (default). +AcceptEnv +# Don't use ~/.ssh/environment and environment= options in +# ~/.ssh/authorized_keys because LD_PRELOAD could be used to circumvent +# authentications (default). +PermitUserEnvironment no + +# Send a message after the given seconds of inactivity through the encrypted +# channel. Used to detect stale connections more quickly. Not necessary on all +# servers. +#ClientAliveInterval 60 +# Disconnect the client if more than max count alive messages were lost +# (default). With the setting above this detects a broken connection after 3 +# minutes. +ClientAliveCountMax 3 + +# Enable sftp (and sshfs) usage. internal-sftp also works in chroots. +Subsystem sftp internal-sftp + +# Only allow logins for certain users. +AllowUsers root