87 lines
2.2 KiB
Text
87 lines
2.2 KiB
Text
|
# TCP port to bind to
|
|||
|
# Change to a high/odd port if this server is exposed to the internet directly
|
|||
|
Port 7743
|
|||
|
|
|||
|
# Deny all other users besides the following
|
|||
|
AllowUsers {{ user }}
|
|||
|
|
|||
|
# Bind to all interfaces (change to specific interface if needed)
|
|||
|
ListenAddress 0.0.0.0
|
|||
|
|
|||
|
# Force SSHv2 Protocol
|
|||
|
Protocol 2
|
|||
|
|
|||
|
# HostKeys for protocol version 2
|
|||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|||
|
HostKey /etc/ssh/ssh_host_dsa_key
|
|||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|||
|
|
|||
|
HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256
|
|||
|
|
|||
|
# Privilege Separation is turned on for security
|
|||
|
UsePrivilegeSeparation yes
|
|||
|
|
|||
|
# Public key authentication + Password authentication
|
|||
|
# Two-Factor Authentication in OpenSSH v6.2+
|
|||
|
RSAAuthentication yes
|
|||
|
PubkeyAuthentication yes
|
|||
|
AuthenticationMethods publickey
|
|||
|
|
|||
|
# Disable root SSH access
|
|||
|
PermitRootLogin no
|
|||
|
|
|||
|
# Client timeout (5 minutes)
|
|||
|
ClientAliveInterval 300
|
|||
|
ClientAliveCountMax 0
|
|||
|
|
|||
|
# Compression (only after authentication)
|
|||
|
Compression delayed
|
|||
|
|
|||
|
# Logging
|
|||
|
SyslogFacility AUTH
|
|||
|
LogLevel INFO
|
|||
|
|
|||
|
# Authentication must happen within 30 seconds
|
|||
|
LoginGraceTime 30
|
|||
|
|
|||
|
PermitEmptyPasswords no
|
|||
|
|
|||
|
# Check user folder permissions before allowing access
|
|||
|
StrictModes yes
|
|||
|
|
|||
|
# Message Authentication Code (Hash, only SHA2-512)
|
|||
|
# SHA-256 included for compat with PuTTY-WinCrypt clients
|
|||
|
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
|
|||
|
|
|||
|
# Ciphers (only secure AES-256)
|
|||
|
Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
|
|||
|
|
|||
|
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
|
|||
|
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
|
|||
|
KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org
|
|||
|
|
|||
|
# Don’t read the user’s ~/.rhosts and ~/.shosts files
|
|||
|
IgnoreRhosts yes
|
|||
|
|
|||
|
# Disable unused authentication schemes
|
|||
|
RhostsRSAAuthentication no
|
|||
|
HostbasedAuthentication no
|
|||
|
ChallengeResponseAuthentication no
|
|||
|
KerberosAuthentication no
|
|||
|
GSSAPIAuthentication no
|
|||
|
UsePAM no
|
|||
|
|
|||
|
# X11 support
|
|||
|
X11Forwarding no
|
|||
|
|
|||
|
# Don’t show Message of the Day
|
|||
|
PrintMotd yes
|
|||
|
|
|||
|
# TCPKeepAlive (non-tunneled, disabled)
|
|||
|
TCPKeepAlive no
|
|||
|
|
|||
|
# Allow client to pass locale environment variables
|
|||
|
AcceptEnv LANG LC_*
|
|||
|
|
|||
|
Subsystem sftp internal-sftp
|