# OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to # be more clear and if they are missed some day, just download # upstream config file or take it from any distribution. Port 22 AddressFamily any ListenAddress 0.0.0.0 ListenAddress :: # The default requires explicit activation of protocol 1 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key ## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT: # ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key # ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key # Uncomment one of the following depending on which OS ## Arch #Subsystem sftp /usr/lib/ssh/sftp-server ## Debian #Subsystem sftp /usr/lib/openssh/sftp-server # Nothing is Accepted for security reasons, e.g. shellshock worked with # remotely accepted environment variables. #AcceptEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION # Logging LogLevel VERBOSE # Authentication: PermitRootLogin No # The default is to check both .ssh/authorized_keys and # .ssh/authorized_keys2 but this is overridden so installations will only # check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys # Password based logins are disabled - only public key based logins are # allowed. AuthenticationMethods publickey # Disable tunneled clear text passwords! PasswordAuthentication no # Disable s/key passwords ChallengeResponseAuthentication no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes PrintMotd no # pam does that UsePrivilegeSeparation sandbox # Default for new installations. Banner /etc/issue.net # If the client doesn't reply in "three" pings, connection is dead. # Defaults to 3 anyway, but I add it here for clearity and # in case it decides to change in the future. ClientAliveCountMax 3 # "ping" the client every minute. ClientAliveInterval 60