]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - config/ssh/sshd_config
mc: Update to 4.8.24
[people/pmueller/ipfire-2.x.git] / config / ssh / sshd_config
CommitLineData
38485efa
PM
1# ultra-secure OpenSSH server configuration
2
3# only allow version 2 of SSH protocol
4Protocol 2
5
6# listen on port 22 by default
7Port 22
8
9# listen on these interfaces and protocols
10AddressFamily any
11ListenAddress 0.0.0.0
12
13# limit authentication thresholds
14LoginGraceTime 30s
0a5823db 15MaxAuthTries 6
38485efa
PM
16
17# limit maximum instanctes to prevent DoS
18MaxStartups 5
19
20# ensure proper logging
21SyslogFacility AUTH
22LogLevel INFO
23
24# enforce permission checks before a login is accepted
25# (prevents damage because of hacked systems with world-writeable
26# home directories or similar)
27StrictModes yes
28
29# only allow safe crypto algorithms (may break some _very_ outdated clients)
30# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
31KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
32Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
33MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
34
35# enable data compression after successful login only
36Compression delayed
37
38# only allow cryptographically safe SSH host keys (adjust paths if needed)
39HostKey /etc/ssh/ssh_host_ed25519_key
40HostKey /etc/ssh/ssh_host_ecdsa_key
41HostKey /etc/ssh/ssh_host_rsa_key
42
43# only allow login via public key by default
44PubkeyAuthentication yes
45PasswordAuthentication no
46ChallengeResponseAuthentication no
47PermitEmptyPasswords no
48
49# permit root login as there is no other user in IPFire 2.x
50PermitRootLogin yes
51
38485efa
PM
52# ignore user ~/.rhost* files
53IgnoreRhosts yes
54
55# ignore user known hosts file
56IgnoreUserKnownHosts yes
57
58# ignore user environments
59PermitUserEnvironment no
60
61# do not allow any kind of forwarding (provides only low security)
62# some of them might need to be re-enabled if SSH server is a jump platform
63X11Forwarding no
64AllowTcpForwarding no
65AllowAgentForwarding no
66PermitTunnel no
67GatewayPorts no
68PermitOpen none
69
70# detect broken sessions by sending keep-alive messages to
71# clients (both via TCP and SSH)
72TCPKeepAlive yes
73ClientAliveInterval 10
74
75# close unresponsive SSH sessions which fail to answer keep-alive
76ClientAliveCountMax 6
77
1223078c
PM
78# add support for SFTP
79Subsystem sftp /usr/lib/openssh/sftp-server
80
38485efa 81# EOF