shell-things/etc/ssh/sshd_config.d/basic-security.conf

# RSA and Ed25519 are fine, but DSA is broken and ecdsa is suspicious
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Includes public keys in logins
LogLevel VERBOSE

# No direct root login, keys might be ok, but audit trail
PermitRootLogin no
# Passwords are bad
PasswordAuthentication no
AuthenticationMethods publickey

# Doesn't exist in Fedora
#Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Use kernel sandbox mechanisms where possible in unprivileged processes
UsePrivilegeSeparation sandbox
etc/sshd_config.d: add basic-security.conf Ref: 88 2021-01-30 19:47:21 +01:00			`# RSA and Ed25519 are fine, but DSA is broken and ecdsa is suspicious`
			`HostKey /etc/ssh/ssh_host_rsa_key`
			`HostKey /etc/ssh/ssh_host_ed25519_key`

			`# Includes public keys in logins`
			`LogLevel VERBOSE`

sshd_config.d: read Mozilla docs & adjust accordingly https://infosec.mozilla.org/guidelines/openssh 2021-01-30 20:18:41 +01:00			`# No direct root login, keys might be ok, but audit trail`
			`PermitRootLogin no`
etc/sshd_config.d: add basic-security.conf Ref: 88 2021-01-30 19:47:21 +01:00			`# Passwords are bad`
			`PasswordAuthentication no`
sshd_config.d: read Mozilla docs & adjust accordingly https://infosec.mozilla.org/guidelines/openssh 2021-01-30 20:18:41 +01:00			`AuthenticationMethods publickey`

			`# Doesn't exist in Fedora`
			`#Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO`

			`# Use kernel sandbox mechanisms where possible in unprivileged processes`
			`UsePrivilegeSeparation sandbox`