# vim:set ft=sshdconfig
HostKey /srv/code/hostkeys/rsa_key
HostKey /srv/code/hostkeys/ed25519_key
# OpenSSH 7.4 and later only speak protocol 2 and log this line as a
# deprecated option; it is kept for older servers.
Protocol 2
# Bind a port above 1024 so we can run sshd as an unprivileged user
Port 9001
SyslogFacility AUTH
LogLevel INFO
StrictModes yes
PidFile none
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
# Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is still
# accepted as an alias.
ChallengeResponseAuthentication no
# Refuse pty allocation for sessions.
PermitTTY no
# Limit the number of authentication attempts per connection. sshd raises
# failure logging to INFO once the failure count reaches half this value, so
# a low value also gets repeated failures into the log. Every public key a
# client offers counts as one attempt, so clients with several keys in their
# agent must pin the right one (IdentityFile plus IdentitiesOnly yes).
MaxAuthTries 2
# Turn off reverse lookups of the connecting host; with UseDNS yes sshd blocks
# on DNS timeouts whenever the resolver is down. Side effect: "from=" patterns
# in authorized_keys are then matched against the client IP only, so hostname
# patterns never match and must be rewritten as IP addresses or CIDR ranges.
UseDNS no
AcceptEnv LANG LC_*
# Disconnect after this many seconds if the client has not authenticated
# (password authentication is off above, so this bounds key exchange plus
# the public-key attempts).
LoginGraceTime 120
# After 66 seconds of inactivity, send a keepalive probe through the
# encrypted channel. If ten consecutive probes go unanswered (about eleven
# minutes), drop the connection.
ClientAliveInterval 66
ClientAliveCountMax 10
# Allow up to 100 simultaneous unauthenticated connections. Any
# connections beyond that limit will be dropped.
MaxStartups 100
# The maximum number of sessions that can be served over one multiplexed
# connection. ssh does not fail gracefully when this number is exceeded, so
# we keep it high.
MaxSessions 100
X11Forwarding no
PrintMotd no
# Use hardened crypto algorithms
# Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# And also: https://access.redhat.com/discussions/3121481
# And also: https://infosec.mozilla.org/guidelines/openssh
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
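The shell script below is an added example, not part of the configuration above and not OpenSSH's own tooling. It audits an sshd_config offline against the authentication directives used above, reproducing two sshd parsing rules that bite in practice: keywords are case-insensitive, and for these keywords the first occurrence wins, so an early "PasswordAuthentication yes" is not overridden by a later "no". It also scans an authorized_keys file for "from=" patterns that can only match through reverse DNS, which the "UseDNS no" setting disables. The sample config and key files it writes are constructed for the demo (the key material is a placeholder, not a real key); the "Key=value" syntax and Match blocks are assumed out of scope.

```shell
#!/bin/sh
# Added example (not part of the configuration above or of OpenSSH): an offline
# audit of sshd_config hardening. It reproduces two sshd parsing rules:
#   1. keywords are case-insensitive;
#   2. for the keywords checked here the FIRST occurrence wins, so an early
#      "PasswordAuthentication yes" is NOT overridden by a later "no".
# Assumed limitations: "Key=value" syntax and Match blocks are not handled; the
# scan stops at the first Match line. Sample files are constructed, not real.

# effective_value FILE KEYWORD -> prints the value sshd would use, or nothing
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0   { next }               # comments and blank lines
        tolower($1) == "match"  { exit }               # global section ends here
        tolower($1) == key      { print $2; exit }     # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per finding; returns their count
audit_sshd_config() {
    fails=0
    for pair in PasswordAuthentication=no PermitEmptyPasswords=no PermitRootLogin=no \
                PubkeyAuthentication=yes HostbasedAuthentication=no UseDNS=no \
                ChallengeResponseAuthentication=no X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            # Absent means the compiled-in default applies; a baseline should
            # state these explicitly, so count that as a finding as well.
            echo "MISSING $key (expected $want)"; fails=$((fails + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL    $key is '$got', expected '$want'"; fails=$((fails + 1))
        fi
    done
    tries=$(effective_value "$1" MaxAuthTries)
    case ${tries:-x} in
        *[!0-9]*) echo "MISSING MaxAuthTries (default is 6)"; fails=$((fails + 1)) ;;
        *) [ "$tries" -le 3 ] || { echo "FAIL    MaxAuthTries is $tries, expected <= 3"; fails=$((fails + 1)); } ;;
    esac
    return $fails
}

# dns_dependent_from_patterns AUTHORIZED_KEYS -> prints from= patterns that can
# only match through reverse DNS (dead under UseDNS no); returns their count
dns_dependent_from_patterns() {
    n=0
    set -f    # patterns contain * and ?; keep the shell from globbing them
    for pat in $(sed -n '/^[[:space:]]*#/d; s/.*from="\([^"]*\)".*/\1/p' "$1" | tr ',' ' '); do
        case $pat in
            *:*)           ;;                                     # IPv6 literal
            *[!0-9.*?/!]*) echo "HOSTNAME $pat"; n=$((n + 1)) ;;  # needs DNS
            *)             ;;                                     # IPv4, wildcard or CIDR
        esac
    done
    set +f
    return $n
}

# write_samples DIR: constructed sample inputs for the demo and the checks
write_samples() {
    mkdir -p "$1"
    # Weak: the early "yes" wins, root login via key, MaxAuthTries left at default
    printf '%s\n' 'Port 22' 'PasswordAuthentication yes' 'passwordauthentication no' \
        'PermitRootLogin prohibit-password' 'PermitEmptyPasswords no' \
        'PubkeyAuthentication yes' 'HostbasedAuthentication no' 'UseDNS yes' \
        'ChallengeResponseAuthentication no' 'X11Forwarding yes' > "$1/weak.conf"
    # Hardened: the authentication settings from the config above
    printf '%s\n' 'PasswordAuthentication no' 'PermitEmptyPasswords no' \
        'PermitRootLogin no' 'PubkeyAuthentication yes' 'HostbasedAuthentication no' \
        'ChallengeResponseAuthentication no' 'MaxAuthTries 2' 'UseDNS no' \
        'X11Forwarding no' > "$1/hard.conf"
    # authorized_keys: a hostname pattern (broken under UseDNS no) and its fix;
    # the key blob is a placeholder, not real key material
    printf '%s\n' \
        'from="*.corp.example.net" ssh-ed25519 AAAAC3_CONSTRUCTED_NOT_A_REAL_KEY deploy' \
        'from="203.0.113.0/24,198.51.100.7" ssh-ed25519 AAAAC3_CONSTRUCTED_NOT_A_REAL_KEY deploy' \
        > "$1/authorized_keys"
}

demo=$(mktemp -d)
write_samples "$demo"
for f in weak hard; do
    echo "== $f.conf"
    audit_sshd_config "$demo/$f.conf" || echo "   $? finding(s)"
done
echo "== authorized_keys"
dns_dependent_from_patterns "$demo/authorized_keys" || echo "   $? DNS-dependent pattern(s)"
rm -rf "$demo"
```

Run it as-is to see the weak sample produce five findings and the hardened sample none; point `audit_sshd_config` at a real file to check a deployment. It deliberately treats an absent directive as a finding, because an absent directive means whatever default the installed sshd ships with, which is exactly what a hardening baseline should not depend on. For the authoritative view of what a running sshd would apply, including Match blocks, use `sshd -T -f FILE` on the host itself.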