@NiklasGollenstede
Last active December 5, 2021 01:34
Hardened and explicit SSHd config

This configures a hardened and explicit SSHd base config, which can be opened up for individual use cases.

Please read the content for more information.

SSHd config

Last updated: 2020-12, I don't use this anymore.
Configures a hardened SSHd config, which by default explicitly forbids basically everything except key-based login, and allows (agent, TCP and X11) forwarding only for the root user. Additional access should later be whitelisted on a per-user basis. If root login is not desired, remove /etc/ssh/sshd_config.d/user-root.conf.

NOTE: THIS REPLACES THE CURRENT SSHD_CONFIG!

Make sure you have key-based SSH login set up and no password on the root or any other account (passwd -dl $user), then (as root) run:

# { (. <(cat << "#EOF" # copy from after the first #
#!/usr/bin/bash
set -ex

# this config expects support for »Include« (OpenSSH 8.2 or newer) and the directory »/etc/ssh/sshd_config.d/« to exist

printf '%s' '
Match User root
    PermitRootLogin prohibit-password
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    GatewayPorts clientspecified
    X11Forwarding yes
    PermitTTY yes
' >> /etc/ssh/sshd_config.d/user-root.conf


cat << '#EOC' > /etc/ssh/sshd_config
# See sshd_config(5) for more information.

# Do not edit this file, but add (user based) exceptions in /etc/ssh/sshd_config.d/
Match all # this should not do anything, but is necessary for the Include to work ...
Include /etc/ssh/sshd_config.d/*.conf
Match all # (reset matching)

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Logging
#SyslogFacility AUTH
#LogLevel INFO

AuthenticationMethods publickey
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM yes # required for motd (esp. for update notifier), but may enable password based logins (on accounts that have a password set)

AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitTTY no
PermitTunnel no
ChrootDirectory none
UseDNS no

PrintMotd no
PrintLastLog yes
#Compression delayed #TODO: would this still be up to the client?

AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    internal-sftp # use internal SFTP server (which is functionally equivalent to /usr/lib/openssh/sftp-server)
#EOC

sshd -t # test config
service ssh reload
#EOF
)); }

You may now want to test that starting a new shell through a new SSH connection works, to make sure you are not locked out, while you still have the original shell open to fix things.

For debugging: diff -y -W $(( $(tput cols) - 2 )) <(sshd -T | sort) <(sshd -T -C user=root | sort)
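To run that comparison offline, here is an added example (mine, not part of the gist) that models how sshd layers the effective settings for one user and audits the result against the hardened baseline: the global section is treated as "first value wins", an applicable Match block as an override of it, and Match all as a return to the global section (the intent the comments in the config state). It only knows the Match User and Match all criteria, resolves Include from an in-memory dict, and the embedded configs are constructed copies of the ones above, trimmed to the directives that matter. Other Match criteria and sshd's defaults for unset keywords are outside what it models, so it checks the layering logic and does not replace sshd -t and sshd -T.

```python
"""Offline model of one user's effective sshd configuration (added example, not
part of the gist). Assumptions: only `Match User`/`Match all` are modelled,
`Match all` returns to the global section (the gist's stated intent), and
`Include` is resolved from an in-memory dict rather than the filesystem."""
import fnmatch
import shlex

# Constructed stand-in for the files sshd would read from /etc/ssh/sshd_config.d/.
INCLUDED_FILES = {
    "/etc/ssh/sshd_config.d/user-root.conf": """
Match User root
    PermitRootLogin prohibit-password
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    GatewayPorts clientspecified
    PermitTTY yes
""",
}

# Constructed copy of the gist's main config, trimmed to the directives that matter here.
MAIN_CONFIG = """
Match all # should not do anything, but is necessary for the Include to work
Include /etc/ssh/sshd_config.d/*.conf
Match all # (reset matching)
AuthenticationMethods publickey
PermitRootLogin no
PasswordAuthentication no
UsePAM yes # required for motd, but may enable password based logins
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTTY no
"""

# What the hardened baseline pins for an ordinary (not whitelisted) user.
BASELINE = {
    "authenticationmethods": "publickey",
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "allowagentforwarding": "no",
    "allowtcpforwarding": "no",
    "permittty": "no",
}

def _directives(text, includes):
    """Yield (keyword, value) pairs, comments stripped, Include expanded in place."""
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # drops a trailing "# ..." comment
        if not parts:
            continue
        keyword, value = parts[0].lower(), " ".join(parts[1:])
        if keyword == "include":  # sshd reads matching files in glob order
            for path in sorted(p for p in includes if fnmatch.fnmatch(p, value)):
                yield from _directives(includes[path], includes)
        else:
            yield keyword, value

def match_applies(criteria, user):
    """Evaluate one Match line for `user`; criteria this model lacks fail loudly."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    for criterion, pattern_list in zip(tokens[0::2], tokens[1::2]):
        if criterion.lower() != "user":
            raise ValueError(f"Match criterion not modelled: {criterion}")
        # "!pat" entries negate: a hit on one of them means the block never applies
        negated = [p[1:] for p in pattern_list.split(",") if p.startswith("!")]
        wanted = [p for p in pattern_list.split(",") if not p.startswith("!")]
        hit = lambda pats: any(fnmatch.fnmatchcase(user, p) for p in pats)
        if hit(negated) or not hit(wanted):
            return False
    return True

def effective_config(text, includes, user):
    """Global section: first value per keyword wins; an applicable Match block overrides it."""
    global_section, overrides = {}, {}
    in_match, applies = False, True
    for keyword, value in _directives(text, includes):
        if keyword == "match":
            applies = match_applies(value, user)
            in_match = value.strip().lower() != "all"  # Match all: back to global scope
        elif not in_match:
            global_section.setdefault(keyword, value)
        elif applies:
            overrides.setdefault(keyword, value)  # first instance across blocks wins
    return {**global_section, **overrides}

def audit(config, baseline=BASELINE):
    """Return {keyword: (expected, actual)} for each baseline directive that deviates."""
    return {k: (v, config.get(k, "<unset: sshd default>"))
            for k, v in baseline.items() if config.get(k) != v}

def diff_users(text, includes, user_a, user_b):
    """Offline counterpart of diffing `sshd -T -C user=A` against `sshd -T -C user=B`."""
    a = effective_config(text, includes, user_a)
    b = effective_config(text, includes, user_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    print(audit(effective_config(MAIN_CONFIG, INCLUDED_FILES, "root")))
    print(diff_users(MAIN_CONFIG, INCLUDED_FILES, "root", "alice"))
```

Running it prints the baseline deviations for root (exactly the login and forwarding exceptions the user-root.conf drop-in grants) and none for an ordinary user such as alice, followed by the root-versus-alice differences. A deviation reported for a user you did not deliberately whitelist means one of the sshd_config.d/ drop-ins opens more than intended, which is the same thing the sshd -T diff above is meant to surface on the live host.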
