1 # ultra-secure OpenSSH server configuration
3 # only allow version 2 of SSH protocol
6 # listen on port 22 by default
9 # listen on these interfaces and protocols
13 # limit authentication thresholds
17 # limit maximum instanctes to prevent DoS
20 # ensure proper logging
24 # enforce permission checks before a login is accepted
25 # (prevents damage because of hacked systems with world-writeable
26 # home directories or similar)
29 # only allow safe crypto algorithms (may break some _very_ outdated clients)
30 # see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
31 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
32 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
33 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
35 # enable data compression after successful login only
38 # only allow cryptographically safe SSH host keys (adjust paths if needed)
39 HostKey /etc/ssh/ssh_host_ed25519_key
40 HostKey /etc/ssh/ssh_host_ecdsa_key
41 HostKey /etc/ssh/ssh_host_rsa_key
43 # only allow login via public key by default
44 PubkeyAuthentication yes
45 PasswordAuthentication no
46 ChallengeResponseAuthentication no
47 PermitEmptyPasswords no
49 # permit root login as there is no other user in IPFire 2.x
52 # ignore user ~/.rhost* files
55 # ignore user known hosts file
56 IgnoreUserKnownHosts yes
58 # ignore user environments
59 PermitUserEnvironment no
61 # do not allow any kind of forwarding (provides only low security)
62 # some of them might need to be re-enabled if SSH server is a jump platform
65 AllowAgentForwarding no
70 # detect broken sessions by sending keep-alive messages to
71 # clients (both via TCP and SSH)
73 ClientAliveInterval 10
75 # close unresponsive SSH sessions which fail to answer keep-alive
78 # add support for SFTP
79 Subsystem sftp /usr/lib/openssh/sftp-server