@atErik
Created August 16, 2019 04:53
Server3-Debian10 / etc / ssh / sshd_config : SSH server's configuration file sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
#
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
#
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#
#
# Lines beginning with the "#" symbol are comments/notes.
#
#
# in SRVR3 (Server-3) "srvr3.example.com" Server:
#
Port 5022
AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress SRVR3.IPv4.ADRS
#ListenAddress SRVR3:IPv6:ADRS1
#ListenAddress SRVR3:IPv6:ADRS2
#
# PermitTunnel : Specifies whether tun(4) device forwarding is allowed. The argument must be yes,
# point-to-point (layer 3), ethernet (layer 2), or no. Specifying yes permits both point-to-point and
# ethernet. The default is no. Independent of this setting, the permissions of the selected tun(4) device
# must allow access to the user.
#
Protocol 2
#
#ServerKeyBits 16384
#
# Host private keys (the matching file ending in ".pub" is the public key):
HostKey /etc/ssh/ssh_host_rsa_key_SRVR3
##HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key_SRVR3
#
# Ciphers and keying
#RekeyLimit default none
RekeyLimit 100M 1h
#
# Logging
SyslogFacility AUTH
LogLevel INFO
#
# Authentication:
#
KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
#KexAlgorithms diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,[email protected],curve25519-sha256
#KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
#
Ciphers [email protected],aes256-ctr
#Ciphers [email protected],aes256-ctr,[email protected]
#
MACs [email protected],hmac-sha2-512,[email protected],hmac-sha2-256
#
# Authentication Extra:
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-rsa
#CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
HostKeyAlgorithms rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#HostKeyAlgorithms rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected],ssh-ed25519,[email protected]
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected],ssh-ed25519,[email protected]
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected],ssh-ed25519,[email protected]
#
#LoginGraceTime 2m
# PermitRootLogin : Specifies whether root can log in using ssh(1).
# The argument must be yes, prohibit-password, forced-commands-only, or no.
# The default is prohibit-password. If this option is set to prohibit-password (or its deprecated alias,
# without-password), password and keyboard-interactive authentication are disabled for root. If this
# option is set to forced-commands-only, root login with public key authentication will be allowed, but
# only if the command option has been specified (which may be useful for taking remote backups even if
# root login is normally not allowed). All other authentication methods are disabled for root. If this
# option is set to no, root is not allowed to log in.
#PermitRootLogin prohibit-password
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
MaxAuthTries 4
#MaxSessions 10
#
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#
# Add user's SSH-pub-keys in their $HOME/.ssh/authorized_keys file:
AuthorizedKeysFile %h/.ssh/authorized_keys
#
#AuthorizedPrincipalsFile none
#
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
#
# AuthenticationMethods : Specifies the authentication methods that must be successfully completed for a
# user to be granted access. This option must be followed by one or more lists of comma-separated
# authentication method names, or by the single string any to indicate the default behaviour of accepting
# any single authentication method. If the default is overridden, then successful authentication requires
# completion of every method in at least one of these lists.
# For example, "publickey,password publickey,keyboard-interactive" would require the user to complete
# public key authentication, followed by either password or keyboard interactive authentication. Only
# methods that are next in one or more lists are offered at each stage, so for this example it would not
# be possible to attempt password or keyboard-interactive authentication before public key.
# For keyboard interactive authentication it is also possible to restrict authentication to a specific
# device by appending a colon followed by the device identifier bsdauth or pam, depending on the server
# configuration.
# For example, "keyboard-interactive:bsdauth" would restrict keyboard interactive authentication to the
# bsdauth device.
# If the publickey method is listed more than once, sshd(8) verifies that keys that have been used
# successfully are not reused for subsequent authentications. For example, "publickey,publickey"
# requires successful authentication using two different public keys. Note that each authentication
# method listed should also be explicitly enabled in the configuration. The available authentication
# methods are: "gssapi-with-mic", "hostbased", "keyboard-interactive", "none" (used for access to
# password-less accounts when "PermitEmptyPasswords" is enabled), "password" and "publickey".
#
#
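The AuthenticationMethods rules in the comment above, worked through in code. This is an added Python example, not part of the gist and not OpenSSH's own code; it models sshd's behaviour as sshd_config(5) describes it (each comma-separated list stays live only while the methods completed so far match its prefix, the next method of every live list is offered, and a repeated publickey entry needs a different key). The method traces it evaluates are constructed.

```python
"""Walk an OpenSSH AuthenticationMethods specification as sshd_config(5)
describes it (added example with constructed traces, not the gist's file)."""


def parse_authentication_methods(spec):
    """'publickey,password publickey,keyboard-interactive'
    -> [['publickey', 'password'], ['publickey', 'keyboard-interactive']].
    The single word 'any' (the default) yields an empty list."""
    spec = spec.strip()
    if spec in ("", "any"):
        return []
    return [chain.split(",") for chain in spec.split()]


def _method_matches(required, completed):
    """'keyboard-interactive:bsdauth' must match exactly; a bare method name
    matches that method on any device."""
    if ":" in required:
        return required == completed
    return required == completed.split(":", 1)[0]


def auth_progress(spec, completed):
    """completed: ordered list of (method, credential_id) steps that already
    succeeded, e.g. [("publickey", "key-A")].  Returns
    (authenticated, methods_offered_next)."""
    chains = parse_authentication_methods(spec)
    if not chains:  # default "any": one successful method is enough
        return (len(completed) >= 1, set())
    # "publickey,publickey" means two different keys: sshd rejects a reused
    # key instead of counting it, so such a trace is refused here
    keys = [cred for method, cred in completed if method.startswith("publickey")]
    if len(keys) != len(set(keys)):
        raise ValueError("same public key presented twice")
    authenticated, offered = False, set()
    for chain in chains:
        # a list stays live only while every completed step matches its prefix
        if len(completed) > len(chain):
            continue
        if not all(_method_matches(r, m) for r, (m, _) in zip(chain, completed)):
            continue
        if len(chain) == len(completed):
            authenticated = True
        else:
            offered.add(chain[len(completed)])
    return (authenticated, offered)


if __name__ == "__main__":
    spec = "publickey,password publickey,keyboard-interactive"
    print(auth_progress(spec, []))                        # (False, {'publickey'})
    print(auth_progress(spec, [("publickey", "key-A")]))  # (False, {'password', 'keyboard-interactive'})
    print(auth_progress(spec, [("publickey", "key-A"), ("password", "pw")]))  # (True, set())
```

The trace starting with a password step returns `(False, set())`: no list has password first, so sshd never offers it at that stage, which is the property the comment's example relies on.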
PubkeyAuthentication yes
#RSAAuthentication yes
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
#RhostsRSAAuthentication no
#
# To disable tunneled clear text passwords, change both to no here!
# (after creating SSH keys on the clients and adding each client's public key to this server)
PasswordAuthentication yes
PermitEmptyPasswords no
#
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
#
# Kerberos options
KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#
# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#
# Set "UsePAM" to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# UsePAM : Enables the Pluggable Authentication Module interface. If set to yes this will enable
# PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM
# account and session module processing for all authentication types. Because PAM challenge-response
# authentication usually serves an equivalent role to password authentication, you should disable either
# PasswordAuthentication or ChallengeResponseAuthentication. If UsePAM is enabled, you will not be able
# to run sshd(8) as a non-root user. The default is no.
UsePAM yes
#
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#ClientAliveInterval 0
ClientAliveInterval 30
#ClientAliveCountMax 3
ClientAliveCountMax 1
#TCPKeepAlive yes
TCPKeepAlive yes
#PermitUserEnvironment no
#UsePrivilegeSeparation yes
Compression delayed
#UseDNS no
# UseDNS : Specifies whether sshd(8) should look up the remote host name, and check that the resolved
# host name for the remote IP address maps back to the very same IP address. If this option is set to
# no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys from
# and sshd_config Match Host directives.
UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
#
# no default banner path
Banner none
#
FingerprintHash SHA256
# MaxSessions : Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions
# permitted per network connection. Multiple sessions may be established by clients that support
# connection multiplexing.
# Setting MaxSessions to 1 will effectively disable session multiplexing, whereas setting it to 0 will
# prevent all shell, login and subsystem sessions while still permitting forwarding. The default is 10.
#
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
#
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#
#
# Match (keywords: User|Group|Host|LocalAddress|LocalPort|RDomain|Address|All) pattern
# Under a Match block only these keywords are allowed to override the global settings above:
# AcceptEnv, AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers,
# AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile,
# AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, Banner,
# ChrootDirectory, ClientAliveCountMax, ClientAliveInterval, DenyGroups, DenyUsers, ForceCommand,
# GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, HostbasedAuthentication,
# HostbasedUsesNameFromPacketOnly, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, LogLevel,
# MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitListen, PermitOpen,
# PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedKeyTypes, PubkeyAuthentication,
# RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys,
# X11DisplayOffset, X11Forwarding and X11UseLocalHost.
#
#
# From Debian-1 computer
Match Address DEB1.PC.IPv4.ADRS
#ClientAliveInterval 0
ClientAliveInterval 30
#ClientAliveCountMax 3
ClientAliveCountMax 1
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
HostbasedAuthentication yes
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
PasswordAuthentication no
PermitRootLogin yes
MaxAuthTries 10
#
#
# From Debian-2 computer
Match Address DEB2.PC.IPv4.ADRS
#ClientAliveInterval 0
ClientAliveInterval 30
#ClientAliveCountMax 3
ClientAliveCountMax 1
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
HostbasedAuthentication yes
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected]
PasswordAuthentication no
PermitRootLogin yes
MaxAuthTries 10
#
#
# For macOS clients/computers, keep "ssh-rsa" included:
Match Address AtErikLoc1.IPv4.ADRS,AtErikLoc2.IPv4.ADRS User root
#ClientAliveInterval 0
ClientAliveInterval 18
#ClientAliveCountMax 3
ClientAliveCountMax 2
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
HostbasedAuthentication yes
HostbasedAcceptedKeyTypes rsa-sha2-512,[email protected],rsa-sha2-256,[email protected],ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
PasswordAuthentication no
PermitRootLogin yes
MaxAuthTries 10
#
#
Match Address AtErikLoc1.IPv4.ADRS,AtErikLoc2.IPv4.ADRS User erik
#ClientAliveInterval 0
ClientAliveInterval 18
#ClientAliveCountMax 3
ClientAliveCountMax 2
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
HostbasedAuthentication no
HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected]
#HostbasedAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa,[email protected],ssh-ed25519,[email protected]
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 10
#
#
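The Match blocks above override the global section for connections that satisfy their criteria. The following is an added Python example, not part of the gist and not OpenSSH's code; it parses a constructed sshd_config in the same shape as the one above and resolves the options in effect for a given source address and user. It assumes sshd's "first obtained value" rule as I understand it from sshd_config(5) and the sshd parser: values in a matching Match block override the global section, and when two matching blocks both set a keyword the earlier block wins. The addresses 192.0.2.x, 198.51.100.x and 203.0.113.x are RFC 5737 documentation ranges standing in for the gist's *.IPv4.ADRS placeholders.

```python
"""Resolve the sshd options in effect for one connection by applying Match
blocks as sshd_config(5) describes (added example; all data is constructed)."""
import fnmatch
import ipaddress

# Constructed sample shaped like the gist above; the addresses are RFC 5737
# documentation ranges standing in for the gist's *.IPv4.ADRS placeholders.
SAMPLE_CONFIG = """
Port 5022
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 4
Match Address 192.0.2.10
    PasswordAuthentication no
    PermitRootLogin yes
    MaxAuthTries 10
Match Address 192.0.2.0/24,198.51.100.7 User root
    PermitRootLogin yes
    ClientAliveInterval 18
Match Address 192.0.2.0/24,198.51.100.7 User erik
    PermitRootLogin no
    HostbasedAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_options, [(criteria, options), ...]).  Keywords are
    case-insensitive; within one section the first value given for a keyword
    wins.  Only the "Keyword value" spelling is handled, not "Keyword=value"."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # criteria come as "Name pattern-list" pairs; "All" takes no pattern
            tokens, criteria, i = value.split(), {}, 0
            while i < len(tokens):
                name = tokens[i].lower()
                criteria[name] = [] if name == "all" else tokens[i + 1].split(",")
                i += 1 if name == "all" else 2
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key, value)
    return global_opts, blocks


def _pattern_list_matches(patterns, value, match_one):
    """sshd pattern-list semantics: a matching "!pattern" vetoes the whole
    list; otherwise at least one positive pattern must match."""
    positive = False
    for pat in patterns:
        if match_one(pat.lstrip("!"), value):
            if pat.startswith("!"):
                return False
            positive = True
    return positive


def _address_matches(pattern, address):
    # Match Address takes literal addresses or CIDR ranges, not globs
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def _glob_matches(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)  # User/Group/Host use * and ? globs


def block_applies(criteria, conn):
    """conn is a dict such as {"address": "192.0.2.10", "user": "erik"}."""
    for name, patterns in criteria.items():
        if name == "all":
            continue
        value = conn.get(name)
        if value is None:
            return False
        matcher = _address_matches if name in ("address", "localaddress") else _glob_matches
        if not _pattern_list_matches(patterns, value, matcher):
            return False
    return True


def effective_options(text, conn):
    """Global options overlaid with every matching Match block in file order;
    when two matching blocks set the same keyword, the earlier block wins."""
    global_opts, blocks = parse_sshd_config(text)
    overrides = {}
    for criteria, opts in blocks:
        if block_applies(criteria, conn):
            for key, value in opts.items():
                overrides.setdefault(key, value)
    return {**global_opts, **overrides}


if __name__ == "__main__":
    for user in ("root", "erik"):
        print(user, effective_options(SAMPLE_CONFIG, {"address": "192.0.2.10", "user": user}))
```

Running it for user erik from 192.0.2.10 shows the ordering rule in action: the address-only block comes first in the file, so its `PermitRootLogin yes` is the value in effect even though the later `User erik` block says `no`. On the server itself the authoritative check is `sshd -t` for syntax and `sshd -T -C user=erik,addr=192.0.2.10` for the effective values of one connection.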