From a7c643bb7adfa28e9ae916b9d6f282a078cd838e Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sat, 30 Jan 2021 20:47:21 +0200
Subject: [PATCH] etc/sshd_config.d: add basic-security.conf

Ref: 88
---
etc/ssh/sshd_config.d/README.md | 3 +++
etc/ssh/sshd_config.d/basic-security.conf | 13 +++++++++++++
2 files changed, 16 insertions(+)
create mode 100644 etc/ssh/sshd_config.d/README.md
create mode 100644 etc/ssh/sshd_config.d/basic-security.conf

diff --git a/etc/ssh/sshd_config.d/README.md b/etc/ssh/sshd_config.d/README.md
new file mode 100644
index 00000000..91bf348d
--- /dev/null
+++ b/etc/ssh/sshd_config.d/README.md
@@ -0,0 +1,3 @@
+sshd_config should include something like
+
+Include /etc/ssh/sshd_config.d/*.conf
diff --git a/etc/ssh/sshd_config.d/basic-security.conf b/etc/ssh/sshd_config.d/basic-security.conf
new file mode 100644
index 00000000..a586294c
--- /dev/null
+++ b/etc/ssh/sshd_config.d/basic-security.conf
@@ -0,0 +1,13 @@
+# RSA and Ed25519 are fine, but DSA is broken and ecdsa is suspicious
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Includes public keys in logins
+LogLevel VERBOSE
+
+# root login should probably be denied entirely, but key is better than
+# password
+PermitRootLogin prohibit-password
+
+# Passwords are bad
+PasswordAuthentication no
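Review bot: `PasswordAuthentication no` at the end of basic-security.conf does not by itself stop password logins, because keyboard-interactive authentication (typically backed by PAM) is a separate method that this file leaves at whatever the main sshd_config or the built-in default says. I would add `KbdInteractiveAuthentication no` next to it (spelled `ChallengeResponseAuthentication no` on older OpenSSH releases). Separately, sshd keeps the first value it obtains for each keyword, so `PermitRootLogin` and `PasswordAuthentication` here only take effect if the `Include` line from the README sits above any conflicting line in sshd_config. A comment at the top of the file such as `# Include this before other settings in sshd_config: the first value of a keyword wins` would make that visible. Running `sshd -T` after deployment shows which values are actually in force.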