44 lines
1.0 KiB
Plaintext
44 lines
1.0 KiB
Plaintext
|
# Encryption hardening
|
||
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||
|
|
HostKeyAlgorithms ssh-ed25519
|
||
|
|
KexAlgorithms sntrup761x25519-sha512@openssh.com
|
||
|
|
PubkeyAcceptedKeyTypes ssh-ed25519
|
||
|
|
Ciphers aes256-gcm@openssh.com
|
||
|
|
MACs -*
|
||
|
|
|
||
|
|
# Security hardening
|
||
|
|
AuthenticationMethods publickey
|
||
|
|
AuthorizedKeysFile .ssh/authorized_keys
|
||
|
|
Compression no
|
||
|
|
DisableForwarding yes
|
||
|
|
LoginGraceTime 15s
|
||
|
|
MaxAuthTries 1
|
||
|
|
PermitUserEnvironment no
|
||
|
|
PermitUserRC no
|
||
|
|
StrictModes yes
|
||
|
|
UseDNS no
|
||
|
|
|
||
|
|
# Use KeepAlive over SSH instead of with TCP to prevent spoofing
|
||
|
|
TCPKeepAlive no
|
||
|
|
ClientAliveInterval 15
|
||
|
|
ClientAliveCountMax 4
|
||
|
|
|
||
|
|
## Use PAM for session checks here but authentication is disabled below
|
||
|
|
## Also, this prevents running sshd as non-root
|
||
|
|
UsePAM yes
|
||
|
|
|
||
|
|
# Disabling unused authentication methods
|
||
|
|
ChallengeResponseAuthentication no
|
||
|
|
GSSAPIAuthentication no
|
||
|
|
HostbasedAuthentication no
|
||
|
|
PasswordAuthentication no
|
||
|
|
PermitRootLogin no
|
||
|
|
PermitEmptyPasswords no
|
||
|
|
KbdInteractiveAuthentication no
|
||
|
|
KerberosAuthentication no
|
||
|
|
|
||
|
|
# Displaying info
|
||
|
|
Banner /etc/issue.net
|
||
|
|
PrintLastLog yes
|
||
|
|
PrintMotd yes
|