-
Notifications
You must be signed in to change notification settings - Fork 0
/
sshd_config
65 lines (51 loc) · 2.11 KB
/
sshd_config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# https://infosec.mozilla.org/guidelines/openssh
# https://manpages.ubuntu.com/manpages/jammy/en/man5/sshd_config.5.html
Include /etc/ssh/sshd_config.d/*.conf
Port 22
ListenAddress 0.0.0.0
# Prohibit regular SSH clients from allocating virtual terminals, forward X11, etc:
PermitTTY no
X11Forwarding no
PermitTunnel no
GatewayPorts no
# required for jump host to work
AllowTcpForwarding yes
AllowStreamLocalForwarding no
AllowAgentForwarding yes
# Prohibit launching any remote commands:
ForceCommand /usr/sbin/nologin
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
#ModuliFile /etc/ssh/moduli
# RevokedKeys /etc/ssh/revoked_keys
# session settings
# setting it to 0 will prevent all shell, login and subsystem sessions while
# still permitting forwarding.
MaxSessions 0
MaxAuthTries 3
# start:rate:full
MaxStartups 10:30:30
LoginGraceTime 30
# Disable root ssh access
PermitRootLogin no
# Disable password login
PasswordAuthentication no
PermitEmptyPasswords no
PermitUserRC no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
# LogLevel VERBOSE logs user's key fingerprint on login.
# Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# ssh-bastion group only
AllowGroups ssh-bastion
# Restrict supported key exchange, cipher, and MAC algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# sntrup761x25519-sha512@openssh.com not supported in focal
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256