Permalink
Cannot retrieve contributors at this time
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
52 lines (37 sloc)
2.01 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Use a custom port in the following range : 1024-65536 | |
| Port 22 | |
| #Prefer ed25519 & ECDSA keys rather than 2048 bit RSA | |
| HostKey /etc/ssh/ssh_host_rsa_key | |
| HostKey /etc/ssh/ssh_host_ecdsa_key | |
| HostKey /etc/ssh/ssh_host_ed25519_key | |
| # Allow root access with ssh keys | |
| PermitRootLogin without-password | |
| # Allow ssh access to some users only | |
| AllowUsers root ubuntu debian | |
| # allow ssh key Authentication | |
| PubkeyAuthentication yes | |
| # ssh keys path in ~/.ssh/authorized_keys | |
| AuthorizedKeysFile %h/.ssh/authorized_keys | |
| # No password or empty passwords Authentication | |
| PasswordAuthentication no | |
| PermitEmptyPasswords no | |
| # No challenge response Authentication | |
| ChallengeResponseAuthentication no | |
| UsePAM yes | |
| X11Forwarding yes | |
| #PrintMotd no | |
| # Allow client to pass locale environment variables | |
| AcceptEnv LANG LC_* | |
| # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. | |
| LogLevel VERBOSE | |
| # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise. | |
| Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO | |
| # Host keys the client accepts - order here is honored by OpenSSH | |
| HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 | |
| # use strong ciphers | |
| KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
| # Use kernel sandbox mechanisms where possible in unprivileged processes | |
| # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. | |
| UsePrivilegeSeparation sandbox |