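# OpenSSH server configuration file for IPFire
#
# The full documentation is available at: https://man.openbsd.org/sshd_config
#
# NOTE(review): sshd only validates this file when it (re)starts. Run "sshd -t"
# after editing and keep an existing session open while restarting: a directive
# or algorithm name the installed OpenSSH does not know prevents sshd from
# starting and can lock you out of the firewall.

# Only allow version 2 of SSH protocol.
# OpenSSH 7.4 and later support protocol 2 only and ignore this keyword; it is
# kept so that an older release can never fall back to protocol 1.
Protocol 2

# Listen on port 22 by default
Port 22

# Listen on every interface and IPv4 only.
# "Every interface" includes the RED (untrusted) side; access from there is
# expected to be blocked by the firewall ruleset rather than by sshd -- confirm
# this before relying on it, or restrict ListenAddress to the GREEN address.
AddressFamily inet
ListenAddress 0.0.0.0

# Limit authentication timeout to 30 seconds
LoginGraceTime 30s

# Limit the number of concurrent unauthenticated connections to prevent DoS;
# further connection attempts are dropped until one of the pending ones
# authenticates or runs into LoginGraceTime
MaxStartups 5

# Only allow safe crypto algorithms (may break some _very_ outdated clients)
# See also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# diffie-hellman-group-exchange-sha256 negotiates a group from /etc/ssh/moduli;
# remove small (< 3072 bit) moduli from that file, otherwise a client may still
# negotiate a weak group.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Encrypt-then-MAC variants are preferred (listed first); the plain
# hmac-sha2-*/umac-128 entries stay for clients without -etm support.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Only allow cryptographically safe SSH host keys (adjust paths if needed).
# Ed25519 is preferred; the ECDSA (NIST P-256) and RSA keys remain for clients
# that cannot use Ed25519. The RSA host key should be 3072 bits or larger.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key

# Only allow login via public key by default
PubkeyAuthentication yes
PasswordAuthentication no
# Also disables keyboard-interactive (e.g. PAM) logins. OpenSSH 8.7 and later
# call this option KbdInteractiveAuthentication and accept the old name as an alias.
ChallengeResponseAuthentication no
HostbasedAuthentication no

# Permit root login as there is no other user in IPFire 2.x.
# With the settings above root can only log in with a key. Note that if
# PasswordAuthentication is ever switched back to "yes", root becomes reachable
# by password as well; "PermitRootLogin prohibit-password" (OpenSSH 7.0+) would
# pin root to key-only login independent of that setting.
PermitRootLogin yes

# Ignore users' ~/.ssh/known_hosts files. This only matters for host-based
# authentication, which is disabled above anyway.
IgnoreUserKnownHosts yes

# Do not allow any kind of forwarding. This provides only low security, since
# a user with shell access can still run their own forwarder; some of these
# might need to be re-enabled if the SSH server is used as a jump platform.
AllowTcpForwarding no
AllowAgentForwarding no
# Unix-domain socket forwarding is not covered by AllowTcpForwarding
# (this keyword requires OpenSSH 6.7 or later)
AllowStreamLocalForwarding no
X11Forwarding no
PermitOpen none

# Detect broken sessions by sending keep-alive messages to clients via the SSH
# connection, once every 10 seconds
ClientAliveInterval 10

# Close unresponsive SSH sessions which fail to answer 6 consecutive
# keep-alives, i.e. after roughly 60 seconds
ClientAliveCountMax 6

# Add support for SFTP (external sftp-server binary; adjust the path if the
# OpenSSH installation prefix differs)
Subsystem sftp /usr/lib/openssh/sftp-server

# EOF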