# OpenSSH server configuration file for IPFire
#
# The full documentation is available at: https://man.openbsd.org/sshd_config
#

# Only allow version 2 of SSH protocol
Protocol 2

# Listen on port 22 by default
Port 22

# Listen on every interface and IPv4 only
AddressFamily inet
ListenAddress 0.0.0.0

# Limit authentication timeout to 30 seconds
LoginGraceTime 30s

# Limit maximum instanctes to prevent DoS
MaxStartups 5

# Only allow safe crypto algorithms
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Only allow cryptographically safe SSH host keys (adjust paths if needed)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key

# Only allow login via public key by default
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Permit root login as there is no other user in IPFire 2.x
PermitRootLogin yes

# Ignore user ~/.ssh/known_hosts file
IgnoreUserKnownHosts yes

# Do not allow any kind of forwarding (provides only low security);
# some of them might need to be re-enabled if SSH server is a jump platform
AllowTcpForwarding no
AllowAgentForwarding no
PermitOpen none

# Send SSH-based keep alive messages to connected clients to avoid broken connections
ClientAliveInterval 10
ClientAliveCountMax 30

# Since TCP keep alive messages can be spoofed and we have the SSH-based already,
# there is no need for this to be enabled as well
TCPKeepAlive no

# Add support for SFTP
Subsystem	sftp	/usr/lib/openssh/sftp-server

# EOF