shell-things/etc/ssh/sshd_config

# OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to
# be more clear and if they are missed some day, just download
# upstream config file or take it from any distribution.

Port 22

AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT:
# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key

# Uncomment one of the following depending on which OS
## Arch
#Subsystem   sftp    /usr/lib/ssh/sftp-server
## Debian
#Subsystem sftp /usr/lib/openssh/sftp-server

# Logging
LogLevel VERBOSE

# Authentication:
PermitRootLogin No

# The default is to check both .ssh/authorized_keys and
# .ssh/authorized_keys2 but this is overridden so installations will only
# check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

# Password based logins are disabled - only public key based logins are
# allowed.
AuthenticationMethods publickey

# Disable tunneled clear text passwords!
PasswordAuthentication no

# Disable s/key passwords
ChallengeResponseAuthentication no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

PrintMotd no # pam does that
UsePrivilegeSeparation sandbox      # Default for new installations.

Banner /etc/issue.net

# If the client doesn't reply in "three" pings, connection is dead.
# Defaults to 3 anyway, but I add it here for clearity and
# in case it decides to change in the future.
ClientAliveCountMax 3

# "ping" the client every minute.
ClientAliveInterval 60
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`# OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to`
			`# be more clear and if they are missed some day, just download`
			`# upstream config file or take it from any distribution.`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00
			`Port 22`
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00			`AddressFamily any`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00			`ListenAddress 0.0.0.0`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00			`ListenAddress ::`

			`# The default requires explicit activation of protocol 1`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00			`Protocol 2`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00
etc: import from gh-pages 2014-12-27 10:09:00 +01:00			`# HostKeys for protocol version 2`
			`HostKey /etc/ssh/ssh_host_ed25519_key`
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`HostKey /etc/ssh/ssh_host_rsa_key`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00
			`## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT:`
			`# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key`
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00			`# Uncomment one of the following depending on which OS`
			`## Arch`
sshd_config: restore Client* I am sure I committed them already, but they have disappeared somewhere. Maybe I accidentally overwrote them. 2015-09-01 16:36:34 +02:00			`#Subsystem sftp /usr/lib/ssh/sftp-server`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00			`## Debian`
			`#Subsystem sftp /usr/lib/openssh/sftp-server`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00
			`# Logging`
			`LogLevel VERBOSE`

			`# Authentication:`
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`PermitRootLogin No`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`# The default is to check both .ssh/authorized_keys and`
			`# .ssh/authorized_keys2 but this is overridden so installations will only`
			`# check .ssh/authorized_keys`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00			`AuthorizedKeysFile .ssh/authorized_keys`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`# Password based logins are disabled - only public key based logins are`
			`# allowed.`
			`AuthenticationMethods publickey`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`# Disable tunneled clear text passwords!`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00			`PasswordAuthentication no`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00
sshd_config: cleaning up 2015-08-30 15:54:21 +02:00			`# Disable s/key passwords`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00			`ChallengeResponseAuthentication no`
etc: import from gh-pages 2014-12-27 10:09:00 +01:00
			`# Set this to 'yes' to enable PAM authentication, account processing,`
			`# and session processing. If this is enabled, PAM authentication will`
			`# be allowed through the ChallengeResponseAuthentication and`
			`# PasswordAuthentication. Depending on your PAM configuration,`
			`# PAM authentication via ChallengeResponseAuthentication may bypass`
			`# the setting of "PermitRootLogin without-password".`
			`# If you just want the PAM account and session checks to run without`
			`# PAM authentication, then enable this but set PasswordAuthentication`
			`# and ChallengeResponseAuthentication to 'no'.`
			`UsePAM yes`
update sshd_config from Arch OpenSSH 7.1p1-1 Note the sftp subsystem which differs between at least Debian and Arch. 2015-08-28 13:00:25 +02:00
			`PrintMotd no # pam does that`
			`UsePrivilegeSeparation sandbox # Default for new installations.`

etc/ssh/sshd_config: fix banner 2015-08-28 18:25:18 +02:00			`Banner /etc/issue.net`
sshd_config: restore Client* I am sure I committed them already, but they have disappeared somewhere. Maybe I accidentally overwrote them. 2015-09-01 16:36:34 +02:00
			`# If the client doesn't reply in "three" pings, connection is dead.`
			`# Defaults to 3 anyway, but I add it here for clearity and`
			`# in case it decides to change in the future.`
			`ClientAliveCountMax 3`

			`# "ping" the client every minute.`
			`ClientAliveInterval 60`