0xmachos · December 21, 2021 16:28
diff --git a/commands.md b/commands.md
diff --git a/sshd_config b/sshd_config
 # /etc/ssh/sshd_config 
 # sshd_config(5)
 # https://man.openbsd.org/sshd_config
 # https://www.openssh.com/legacy.html

 AddressFamily inet 
 # Only use IPv4 

 ListenAddress x.x.x.x 
 # Default is to listen on all local addresses 
 # Better to specify an actual IP address to listen on 

 Protocol 2 
 # Only use protocol version 2 

 LogLevel VERBOSE 
 # Logs user's key fingerprint on login 

 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 # Key files cannot be group/world-accessible 

 PermitRootLogin no 
 # root user cannot login via SSH 

 AuthenticationMethods publickey 
 # Only allow public key authentication for login 

 Subsystem sftp internal-sftp 
 # Use sshd internal SFTP server code (plays nicer with Chroot) 
 # See https://serverfault.com/a/660325 for differences with 
 # Subsystem sftp /usr/libexec/openssh/sftp-server 
 # If you just scp files you can disable this to reduce attack surface 

 # Cryptography 

 KexAlgorithms curve25519-sha256
 # Allow only curve25519

 HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
 # Allow only ed25519 or ECDSA keys for client authentication
 # ECDSA for Secretive/ Secure Enclave keys
 # ed25519 for everything else

 Ciphers [email protected]
 # Only use chacha20-poly1305
 # Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does 
 #   not encrypt message sizes when GCM (or EtM) is in use. 
 #   This allows some traffic analysis even without decrypting the data.
 #   See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

 MACs [email protected],[email protected],[email protected]
 # Only use encrypt then mac (etm) MACs
 # Allow only HMAC-SHA2-512/256 or UMAC-128
 #   https://crypto.stackexchange.com/a/56432
	# /etc/ssh/sshd_config
	# sshd_config(5)
	# https://man.openbsd.org/sshd_config
	# https://www.openssh.com/legacy.html

	AddressFamily inet
	# Only use IPv4

	ListenAddress x.x.x.x
	# Default is to listen on all local addresses
	# Better to specify an actual IP address to listen on

	Protocol 2
	# Only use protocol version 2

	LogLevel VERBOSE
	# Logs user's key fingerprint on login

	HostKey /etc/ssh/ssh_host_ed25519_key
	HostKey /etc/ssh/ssh_host_ecdsa_key
	# Key files cannot be group/world-accessible

	PermitRootLogin no
	# root user cannot login via SSH

	AuthenticationMethods publickey
	# Only allow public key authentication for login

	Subsystem sftp internal-sftp
	# Use sshd internal SFTP server code (plays nicer with Chroot)
	# See https://serverfault.com/a/660325 for differences with
	# Subsystem sftp /usr/libexec/openssh/sftp-server
	# If you just scp files you can disable this to reduce attack surface

	# Cryptography

	KexAlgorithms curve25519-sha256
	# Allow only curve25519

	HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
	# Allow only ed25519 or ECDSA keys for client authentication
	# ECDSA for Secretive/ Secure Enclave keys
	# ed25519 for everything else

	Ciphers [email protected]
	# Only use chacha20-poly1305
	# Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does
	# not encrypt message sizes when GCM (or EtM) is in use.
	# This allows some traffic analysis even without decrypting the data.
	# See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

	MACs [email protected],[email protected],[email protected]
	# Only use encrypt then mac (etm) MACs
	# Allow only HMAC-SHA2-512/256 or UMAC-128
	# https://crypto.stackexchange.com/a/56432