2020-01-28 20:39:42 +00:00
# TCP port to bind to
# Change to a high/odd port if this server is exposed to the internet directly
2020-12-27 22:39:33 +00:00
Port {{ ssh_port }}
2020-01-28 20:39:42 +00:00
2021-08-23 19:56:04 +01:00
AllowUsers {% if hostname_slug in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
2020-01-28 20:39:42 +00:00
# Bind to all interfaces (change to specific interface if needed)
ListenAddress 0.0.0.0
# Force SSHv2 Protocol
Protocol 2
2020-05-23 11:45:53 +01:00
HostKey /etc/ssh/ssh_host_ed25519_key
2020-01-28 20:39:42 +00:00
# Public key authentication + Password authentication
# Two-Factor Authentication in OpenSSH v6.2+
PubkeyAuthentication yes
AuthenticationMethods publickey
# Disable root SSH access
PermitRootLogin no
2020-01-28 21:04:26 +00:00
# Client timeout
2020-11-08 22:04:30 +00:00
ClientAliveInterval 60
ClientAliveCountMax 100
2020-01-28 20:39:42 +00:00
# Compression (only after authentication)
Compression delayed
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication must happen within 30 seconds
LoginGraceTime 30
PermitEmptyPasswords no
# Check user folder permissions before allowing access
StrictModes yes
# Message Authentication Code (Hash, only SHA2-512)
# SHA-256 included for compat with PuTTY-WinCrypt clients
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
# Ciphers (only secure AES-256)
Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
2020-01-28 21:04:26 +00:00
KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
2020-01-28 20:39:42 +00:00
2020-01-28 21:04:26 +00:00
# Don't read the user's ~/.rhosts and ~/.shosts files
2020-01-28 20:39:42 +00:00
IgnoreRhosts yes
# Disable unused authentication schemes
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM no
# X11 support
X11Forwarding no
2020-01-28 21:04:26 +00:00
# Don't show Message of the Day
2020-01-28 20:39:42 +00:00
PrintMotd yes
# TCPKeepAlive (non-tunneled, disabled)
TCPKeepAlive no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp