86 lines
2.2 KiB
Text
86 lines
2.2 KiB
Text
# TCP port to bind to
|
|
# Change to a high/odd port if this server is exposed to the internet directly
|
|
Port 7743
|
|
|
|
# Deny all other users besides the following
|
|
AllowUsers {{ user }}
|
|
|
|
# Bind to all interfaces (change to specific interface if needed)
|
|
ListenAddress 0.0.0.0
|
|
|
|
# Force SSHv2 Protocol
|
|
Protocol 2
|
|
|
|
# HostKeys for protocol version 2
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
HostKey /etc/ssh/ssh_host_dsa_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
|
|
HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256
|
|
|
|
# Privilege Separation is turned on for security
|
|
UsePrivilegeSeparation yes
|
|
|
|
# Public key authentication + Password authentication
|
|
# Two-Factor Authentication in OpenSSH v6.2+
|
|
RSAAuthentication yes
|
|
PubkeyAuthentication yes
|
|
AuthenticationMethods publickey
|
|
|
|
# Disable root SSH access
|
|
PermitRootLogin no
|
|
|
|
# Client timeout (5 minutes)
|
|
ClientAliveInterval 300
|
|
ClientAliveCountMax 0
|
|
|
|
# Compression (only after authentication)
|
|
Compression delayed
|
|
|
|
# Logging
|
|
SyslogFacility AUTH
|
|
LogLevel INFO
|
|
|
|
# Authentication must happen within 30 seconds
|
|
LoginGraceTime 30
|
|
|
|
PermitEmptyPasswords no
|
|
|
|
# Check user folder permissions before allowing access
|
|
StrictModes yes
|
|
|
|
# Message Authentication Code (Hash, only SHA2-512)
|
|
# SHA-256 included for compat with PuTTY-WinCrypt clients
|
|
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
|
|
|
|
# Ciphers (only secure AES-256)
|
|
Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
|
|
|
|
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
|
|
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
|
|
KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256@libssh.org
|
|
|
|
# Don’t read the user’s ~/.rhosts and ~/.shosts files
|
|
IgnoreRhosts yes
|
|
|
|
# Disable unused authentication schemes
|
|
RhostsRSAAuthentication no
|
|
HostbasedAuthentication no
|
|
ChallengeResponseAuthentication no
|
|
KerberosAuthentication no
|
|
GSSAPIAuthentication no
|
|
UsePAM no
|
|
|
|
# X11 support
|
|
X11Forwarding no
|
|
|
|
# Don’t show Message of the Day
|
|
PrintMotd yes
|
|
|
|
# TCPKeepAlive (non-tunneled, disabled)
|
|
TCPKeepAlive no
|
|
|
|
# Allow client to pass locale environment variables
|
|
AcceptEnv LANG LC_*
|
|
|
|
Subsystem sftp internal-sftp
|