# TCP port to bind to # Change to a high/odd port if this server is exposed to the internet directly Port {{ ssh_port }} AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }} # Bind to all interfaces (change to specific interface if needed) ListenAddress 0.0.0.0 # Force SSHv2 Protocol Protocol 2 HostKey /etc/ssh/ssh_host_ed25519_key # Public key authentication + Password authentication # Two-Factor Authentication in OpenSSH v6.2+ PubkeyAuthentication yes AuthenticationMethods publickey # Disable root SSH access PermitRootLogin no # Client timeout ClientAliveInterval 60 ClientAliveCountMax 100 # Compression (only after authentication) Compression delayed # Logging SyslogFacility AUTH LogLevel INFO # Authentication must happen within 30 seconds LoginGraceTime 30 PermitEmptyPasswords no # Check user folder permissions before allowing access StrictModes yes # Message Authentication Code (Hash, only SHA2-512) # SHA-256 included for compat with PuTTY-WinCrypt clients MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com # Ciphers (only secure AES-256) Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com # Key Exchange algorithms (Elliptic Curve Diffie-Hellman) # DH-SHA-256 included for compat with PuTTY-WinCrypt clients KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512 # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Disable unused authentication schemes HostbasedAuthentication no ChallengeResponseAuthentication no KerberosAuthentication no GSSAPIAuthentication no UsePAM no # X11 support X11Forwarding no # Don't show Message of the Day PrintMotd yes # TCPKeepAlive (non-tunneled, disabled) TCPKeepAlive no # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp internal-sftp