1 | # OpenSSH server configuration file for IPFire |
2 | # | |
3 | # The full documentation is available at: https://man.openbsd.org/sshd_config | |
4 | # | |
38485efa | 5 | |
57302eeb | 6 | # Only allow version 2 of the SSH protocol |
7 | Protocol 2 |
8 | ||
57302eeb | 9 | # Listen on port 22 by default |
10 | Port 22 |
11 | ||
12 | # Listen on every interface, IPv4 only |
13 | AddressFamily inet | |
14 | ListenAddress 0.0.0.0 |
15 | ||
57302eeb | 16 | # Limit authentication timeout to 30 seconds |
38485efa | 17 | LoginGraceTime 30s |
38485efa | 18 | |
57302eeb | 19 | # Limit maximum instances to prevent DoS |
20 | MaxStartups 5 |
21 | ||
22 | # Only allow safe crypto algorithms |
23 | KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
24 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
25 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
26 | ||
57302eeb | 27 | # Only allow cryptographically safe SSH host keys (adjust paths if needed) |
28 | HostKey /etc/ssh/ssh_host_ed25519_key |
29 | HostKey /etc/ssh/ssh_host_ecdsa_key | |
30 | HostKey /etc/ssh/ssh_host_rsa_key | |
31 | ||
57302eeb | 32 | # Only allow login via public key by default |
33 | PubkeyAuthentication yes |
34 | PasswordAuthentication no | |
35 | ChallengeResponseAuthentication no | |
38485efa | 36 | |
57302eeb | 37 | # Permit root login as there is no other user in IPFire 2.x |
38 | PermitRootLogin yes |
39 | ||
57302eeb | 40 | # Ignore the user's ~/.ssh/known_hosts file |
41 | IgnoreUserKnownHosts yes |
42 | ||
57302eeb | 43 | # Do not allow any kind of forwarding (it provides only low security); |
38485efa | 44 | # some of it might need to be re-enabled if the SSH server is used as a jump host |
45 | AllowTcpForwarding no |
46 | AllowAgentForwarding no | |
47 | PermitOpen none |
48 | ||
7a981d94 | 49 | # Send SSH-based keep-alive messages to connected clients to avoid broken connections |
38485efa | 50 | ClientAliveInterval 10 |
7a981d94 | 51 | ClientAliveCountMax 30 |
38485efa | 52 | |
53 | # Since TCP keep-alive messages can be spoofed and we already have the SSH-based ones, |
54 | # there is no need for this to be enabled as well | |
55 | TCPKeepAlive no | |
38485efa | 56 | |
57302eeb | 57 | # Add support for SFTP |
58 | Subsystem sftp /usr/lib/openssh/sftp-server |
59 | ||
38485efa | 60 | # EOF |