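# /etc/ssh/sshd_config
#
# Hardened sshd configuration: IPv4 only, a single listen address, public-key
# authentication only, and a restricted KEX / host-key / cipher / MAC set.
#
# sshd_config(5): https://man.openbsd.org/sshd_config
# Legacy algorithm notes: https://www.openssh.com/legacy.html
#
# Comments must be full lines: sshd treats trailing text on a directive line
# as further arguments. Validate with `sshd -t` before reloading so a typo
# does not lock out remote access.

# Only use IPv4
AddressFamily inet

# Default is to listen on all local addresses.
# Better to specify an actual IP address to listen on.
# x.x.x.x is a placeholder: replace it with the IPv4 address sshd should bind
# to (it must be IPv4 to match AddressFamily above).
ListenAddress x.x.x.x

# Only use protocol version 2.
# Current OpenSSH releases no longer have a protocol 1 server; they treat
# this directive as deprecated (logged and ignored). It is kept only for
# older releases that still honour it.
Protocol 2

# Logs the user's key fingerprint on login, so audit logs can tie a session
# to a specific authorized key.
LogLevel VERBOSE

# Host keys offered to clients; one file per key type listed in
# HostKeyAlgorithms below.
# Key files cannot be group/world-accessible.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# root user cannot login via SSH
PermitRootLogin no

# Only allow public key authentication for login.
# Every successful login must satisfy this method list, so a password or
# keyboard-interactive login alone is refused even if those methods are
# not explicitly disabled elsewhere.
AuthenticationMethods publickey

# Use sshd internal SFTP server code (plays nicer with Chroot).
# See https://serverfault.com/a/660325 for differences with
#   Subsystem sftp /usr/libexec/openssh/sftp-server
# If you just scp files you can disable this to reduce attack surface.
Subsystem sftp internal-sftp

# Cryptography

# Allow only curve25519 key exchange.
KexAlgorithms curve25519-sha256

# Host key signature algorithms this server offers to clients: ed25519 or
# ECDSA (nistp256), matching the two HostKey files above.
# NOTE: this directive does not control which key types clients may use to
# authenticate. That is PubkeyAcceptedAlgorithms (PubkeyAcceptedKeyTypes on
# older releases), which is left at its default here. The author's intent of
# "ECDSA for Secretive / Secure Enclave keys, ed25519 for everything else"
# therefore concerns client keys and is governed by that directive, not this
# one.
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256

# Only use chacha20-poly1305.
# Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does
# not encrypt message sizes when GCM (or EtM) is in use.
# This allows some traffic analysis even without decrypting the data.
# See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html
Ciphers chacha20-poly1305@openssh.com

# Only use encrypt-then-MAC (etm) MACs.
# Allow only HMAC-SHA2-512/256 or UMAC-128.
# https://crypto.stackexchange.com/a/56432
# With chacha20-poly1305 as the only cipher this list is effectively unused
# on the wire (that cipher carries its own authentication); it still takes
# effect if a non-AEAD cipher is ever added to Ciphers above.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com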