SSH Server Configuration for Jump Hosts
# ************************************************************************
# SSH Server Configuration for a router to be used as SSH jump host
# OpenSSH_9.8p1, OpenSSL 1.1.1w 11 Sep 2023
# ************************************************************************
#
# Updated on Fri, 16. Aug 2024 19:37 by Alain Wolf
#
# Read by sshd(8); keyword reference in sshd_config(5). For most keywords
# sshd keeps the FIRST value it obtains, so a setting made by one of the
# drop-in files included below takes precedence over the same keyword
# further down in this file. Check the effective result with 'sshd -T'.
Include /etc/ssh/sshd_config.d/*.conf
# -------------------------------------
# Network and Protocol
# -------------------------------------
# TCP port and addresses on which we listen for SSH client connections
# (every IPv4 and every IPv6 address of the host).
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
# --------------------------------------------------
# Cipher suite selection
# See https://sshaudit.com hardening guide
# --------------------------------------------------
# NOTE(review): the '[email protected]' tokens in the four lists below are a
# rendering artefact of the page that published this file; the real entries
# are the algorithm names carrying an '@domain' suffix. Restore them from
# 'ssh -Q' output before deploying.
# Host key algorithms allowed in order of preference
# See 'ssh -Q key' for the full list of supported host key algorithms.
HostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]
# KEX (Key Exchange) algorithms allowed in order of preference
# See 'ssh -Q kex' for the full list of supported key exchange algorithms.
KexAlgorithms [email protected],curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# Ciphers allowed in order of preference
# See 'ssh -Q cipher' for the full list of supported ciphers.
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
# MAC (message authentication code) algorithms allowed in order of preference
# See 'ssh -Q mac' for the full list of supported MACs.
MACs [email protected],[email protected],[email protected]
# -------------------------------------
# Server Authentication
# -------------------------------------
# Private host keys used by this SSH server (Ed25519 preferred, RSA kept
# for clients that cannot use Ed25519; they are tried in the order of
# 'HostKeyAlgorithms' above).
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# -------------------------------------
# Client and User Authentication
# -------------------------------------
# Root login is not allowed for auditing reasons.
# Regular user logins combined with "sudo" ensure a clear audit trail.
PermitRootLogin no
# Only public-key based logins are allowed. Disables password based logins.
AuthenticationMethods publickey
# File that contains the public keys used for user authentication
# (relative to the user's home directory).
AuthorizedKeysFile .ssh/authorized_keys
# Don't allow challenge-response and keyboard-interactive (password) authentication.
# In this OpenSSH version 'ChallengeResponseAuthentication' is only a
# deprecated alias of 'KbdInteractiveAuthentication'; setting both is harmless.
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
# Disable tunneled clear text passwords
PasswordAuthentication no
# Enable PAM. Because password and keyboard-interactive authentication are
# off, PAM is not used to authenticate; it still runs the PAM account and
# session processing for the public-key logins.
# If enabled, make sure that 'PasswordAuthentication' and
# 'ChallengeResponseAuthentication' are both set to 'no'.
UsePAM yes
# Don't print /etc/motd when a user logs in
PrintMotd no
# Only users who are members of the following groups are allowed to log in.
# Members of 'sshjump' get the additional restrictions of the Match block
# at the end of this file.
AllowGroups sshlogin sshjump
# -------------------------------------
# Allowed Client Features
# -------------------------------------
# Allow SSH agent forwarding by clients
AllowAgentForwarding yes
# Whether X11 forwarding is permitted
X11Forwarding yes
# Allow clients to pass locale and terminal environment variables.
# These values are client-supplied; keep the list to what sessions need.
AcceptEnv LANG LANGUAGE LC_* PAPERSIZE
AcceptEnv TERM COLORTERM TERM_*
AcceptEnv WEZTERM_*
# Secure File Transfer Protocol (with file access logging)
# NOTE(review): sftp-server only logs file access when started with its
# '-l' (log level) / '-f' (facility) options; none are given here, so
# confirm that logging actually happens.
Subsystem sftp /usr/lib/sftp-server
# Permit StreamLocal (Unix-domain socket) forwarding.
# For example, clients using SSH connection multiplexing
AllowStreamLocalForwarding yes
# Remove any existing Unix-domain socket file for local or remote port
# forwarding before creating a new one. The default is no.
StreamLocalBindUnlink yes
# --------------------------------------------------
# Restrictions for clients just jumping through here
# --------------------------------------------------
# Everything from here to the end of the file applies only to members of
# the 'sshjump' group. A keyword set inside the Match block overrides the
# global value; a keyword NOT repeated here keeps its global value.
Match Group sshjump
# Allow SSH agent forwarding
# NOTE(review): ProxyJump (-J) does not forward the agent to the jump host,
# so jump-only clients probably do not need this — consider 'no'.
AllowAgentForwarding yes
# Allow StreamLocal (Unix-domain socket) forwarding
# NOTE(review): client-side connection multiplexing (ControlMaster) is
# handled entirely by the client and does not need this keyword; what it
# permits is forwarding to Unix-domain sockets on this host. Confirm it is
# really required for jump clients, otherwise set it to 'no'.
AllowStreamLocalForwarding yes
# TCP port forwarding is necessary for the SSH jump host functionality
# (ProxyJump opens direct-tcpip channels through this host).
AllowTcpForwarding yes
# Authorized keys file outside of the user's home directory and chroot
# NOTE(review): this is one shared file for every 'sshjump' member, so any
# key listed in it can log in as any of those users. For per-user files
# use the '%u' token in the path (e.g. /etc/ssh/authorized_keys/%u).
AuthorizedKeysFile /etc/ssh/authorized_keys/jumpclient_keys
# Don't allow file system access
# NOTE(review): sshd_config(5) requires every component of ChrootDirectory
# to be a root-owned directory that is not writable by group or others.
# /dev/null is a mode-0666 device node, not a directory, so sshd is likely
# to reject the login after authentication ("bad ownership or modes for
# chroot directory") — verify with a test login from a 'sshjump' account.
ChrootDirectory /dev/null
# Don't allow ports forwarded back to the client, being accessible by other
# clients
# GatewayPorts no
# Refuse remote (-R) port forwarding requests entirely
PermitListen none
# Destinations to which TCP port forwarding is permitted
# Only connections to our internal LAN are allowed
# NOTE(review): PermitOpen does no pattern matching except a bare '*' for
# host or port (sshd_config(5)). '192.168.0.*' therefore only matches a
# client literally requesting that string, and every real LAN host is
# refused. List each permitted target explicitly, one per line, e.g.
# 'PermitOpen 192.168.0.<host>:22' (placeholder), and write IPv6 targets
# in brackets: 'PermitOpen [2001:DB8::<host>]:22'.
PermitOpen 192.168.0.*:22
PermitOpen 2001:DB8::*:22
# Don't allow clients to allocate a terminal (shell sessions are useless
# without one)
PermitTTY no
# Don't allow clients to create (VPN) tunnels (default is already 'no')
# PermitTunnel no
# Don't allow user-defined environment files on the jump host
# (default is already 'no')
# PermitUserEnvironment no
# Don't allow execution of user-defined startup files on the jump host.
PermitUserRC no
# Remove any existing Unix-domain socket file for local or remote port
# forwarding before creating a new one. The default is no.
StreamLocalBindUnlink yes
# Don't allow X11 forwarding
# NOTE(review): this line is commented out, so jump clients inherit the
# global 'X11Forwarding yes' set above. Uncomment it to actually disable
# X11 forwarding for the 'sshjump' group.
# X11Forwarding no
# -*- mode: ssh_config; indent-tabs-mode: nil; tab-width: 4; -*-