1 # OpenSSH server configuration file for IPFire
3 # The full documentation is available at: https://man.openbsd.org/sshd_config
6 # Only allow version 2 of SSH protocol
9 # Listen on port 22 by default
12 # Listen on every interface and IPv4 only
16 # Limit authentication timeout to 30 seconds
19 # Limit maximum instanctes to prevent DoS
22 # Only allow safe crypto algorithms (may break some _very_ outdated clients)
23 # See also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
24 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
25 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
26 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
28 # Only allow cryptographically safe SSH host keys (adjust paths if needed)
29 HostKey /etc/ssh/ssh_host_ed25519_key
30 HostKey /etc/ssh/ssh_host_ecdsa_key
31 HostKey /etc/ssh/ssh_host_rsa_key
33 # Only allow login via public key by default
34 PubkeyAuthentication yes
35 PasswordAuthentication no
36 ChallengeResponseAuthentication no
38 # Permit root login as there is no other user in IPFire 2.x
41 # Ignore user ~/.ssh/known_hosts file
42 IgnoreUserKnownHosts yes
44 # Do not allow any kind of forwarding (provides only low security);
45 # some of them might need to be re-enabled if SSH server is a jump platform
47 AllowAgentForwarding no
50 # Detect broken sessions by sending keep-alive messages to clients via SSH connection
51 ClientAliveInterval 10
53 # Close unresponsive SSH sessions which fail to answer keep-alive
56 # Add support for SFTP
57 Subsystem sftp /usr/lib/openssh/sftp-server