Created
May 30, 2019 02:30
-
-
Save MatthewVance/1586a4ea5f9d59ce79a02e1d581428f0 to your computer and use it in GitHub Desktop.
OpenSSH SSH daemon configuration example for Raspberry Pi, customized to improve security.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Package generated configuration file | |
| # See the sshd_config(5) manpage for details | |
| # What ports, IPs and protocols we listen for | |
| Port 22 | |
| # Use these options to restrict which interfaces/protocols sshd will bind to | |
| #ListenAddress :: | |
| ##ListenAddress 192.168.1.2 | |
| Protocol 2 | |
| # HostKeys for protocol version 2 | |
| HostKey /etc/ssh/ssh_host_rsa_key | |
| HostKey /etc/ssh/ssh_host_dsa_key | |
| #HostKey /etc/ssh/ssh_host_ecdsa_key | |
| HostKey /etc/ssh/ssh_host_ed25519_key | |
| #Privilege Separation is turned on for security | |
| UsePrivilegeSeparation sandbox | |
| # Lifetime and size of ephemeral version 1 server key | |
| KeyRegenerationInterval 3600 | |
| ServerKeyBits 1024 | |
| # Logging | |
| SyslogFacility AUTH | |
| LogLevel INFO | |
| # Authentication: | |
| LoginGraceTime 60 | |
| PermitRootLogin no | |
| StrictModes yes | |
| AllowUsers pi | |
| RSAAuthentication no | |
| PubkeyAuthentication yes | |
| #AuthorizedKeysFile %h/.ssh/authorized_keys | |
| AuthorizedKeysFile /var/openssh/%u/authorized_keys | |
| # Don't read the user's ~/.rhosts and ~/.shosts files | |
| IgnoreRhosts yes | |
| # For this to work you will also need host keys in /etc/ssh_known_hosts | |
| RhostsRSAAuthentication no | |
| # similar for protocol version 2 | |
| HostbasedAuthentication no | |
| # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
| IgnoreUserKnownHosts yes | |
| # To enable empty passwords, change to yes (NOT RECOMMENDED) | |
| PermitEmptyPasswords no | |
| # Change to yes to enable challenge-response passwords (beware issues with | |
| # some PAM modules and threads) | |
| ChallengeResponseAuthentication no | |
| # Change to no to disable tunnelled clear text passwords | |
| PasswordAuthentication no | |
| # Kerberos options | |
| #KerberosAuthentication no | |
| #KerberosGetAFSToken no | |
| #KerberosOrLocalPasswd yes | |
| #KerberosTicketCleanup yes | |
| # GSSAPI options | |
| #GSSAPIAuthentication no | |
| #GSSAPICleanupCredentials yes | |
| X11Forwarding no | |
| X11DisplayOffset 10 | |
| PrintMotd no | |
| PrintLastLog yes | |
| TCPKeepAlive no | |
| ClientAliveInterval 60 | |
| ClientAliveCountMax 3 | |
| UseLogin no | |
| MaxStartups 10:30:60 | |
| Banner /etc/issue.net | |
| # Allow client to pass locale environment variables | |
| #AcceptEnv LANG LC_* | |
| #Subsystem sftp /usr/lib/openssh/sftp-server | |
| # Set this to 'yes' to enable PAM authentication, account processing, | |
| # and session processing. If this is enabled, PAM authentication will | |
| # be allowed through the ChallengeResponseAuthentication and | |
| # PasswordAuthentication. Depending on your PAM configuration, | |
| # PAM authentication via ChallengeResponseAuthentication may bypass | |
| # the setting of "PermitRootLogin without-password". | |
| # If you just want the PAM account and session checks to run without | |
| # PAM authentication, then enable this but set PasswordAuthentication | |
| # and ChallengeResponseAuthentication to 'no'. | |
| UsePAM no | |
| # Specifies the ciphers allowed for protocol version 2. | |
| Ciphers [email protected],[email protected] | |
| # Specifies the available KEX (Key Exchange) algorithms. | |
| KexAlgorithms [email protected] | |
| # Specifies the available MAC (message authentication code) | |
| # algorithms. The algorithms that contain ``-etm'' calculate the | |
| # MAC after encryption (encrypt-then-mac). | |
| # These are considered safer and their use recommended. | |
| MACs [email protected],[email protected],[email protected] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment