# OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to # be more clear and if they are missed some day, just download # upstream config file or take it from any distribution. # Partially based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH # where some comments are took. Some options look like I don't want to # change them to get updates when defaults change. # Allow the client to send needed environment variables. I don't like # setting wildcards and LC_ALL is disabled on purpouse. AcceptEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ # IPv4 & IPv6 AddressFamily any # Password based logins are disabled - only public key based logins are # allowed. AuthenticationMethods publickey # The default is to check both .ssh/authorized_keys and # .ssh/authorized_keys2 but this is overridden so installations will only # check .ssh/authorized_keys. AuthorizedKeysFile .ssh/authorized_keys # File to send to client before authentication. Banner /etc/issue.net # Disable s/key passwords. ChallengeResponseAuthentication no # If the client doesn't reply in three "pings", connection is dead. # Defaults to 3 anyway, but I add it here for clearity and # in case it decides to change in the future. ClientAliveCountMax 3 # "ping" the client every minute. ClientAliveInterval 60 # HostKeys for protocol version 2. HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key ## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT: # ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key # ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key # Listen on the following TCP ports, default 22. # /etc/ssh/sshd_config ...: ports must be specified before ListenAddress. Port 22 # Listen on all IPv4 & IPv6 addresses. ListenAddress 0.0.0.0 ListenAddress :: # Use the internal SFTP to avoid having to find the external one. VERBOSE # logs transactions that sftp-server performs on behalf of the client. # See also http://serverfault.com/a/660325 Subsystem sftp internal-sftp -l VERBOSE # If you wish to use the external one, uncomment the appropiate one # for your OS or find it somewhere. ## Arch #Subsystem sftp /usr/lib/ssh/sftp-server -l VERBOSE ## Debian #Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE ## Fedora (21) #Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE ## Gentoo (/usr/lib is a symlink) #Subsystem sftp /usr/lib/misc/sftp-server -l VERBOSE # VERBOSE logging, logs user's key fingerprint on login. Needed to have a # clear audit track of which key was using to log in. LogLevel VERBOSE # Disable tunneled clear text passwords! PasswordAuthentication no # Auditing reasons, difficult to track which process belongs to which root # user. PermitRootLogin no # Print /etc/motd (or /etc/profile or equivalent) on login. It's already # done by PAM, so no need for duplicate MOTDs. PrintMotd no # Avoid enabling insecure protocol 1. Protocol 2 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes # Use kernel sandbox mechanisms where possible in unprivilegied processes. # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, # rlimit elsewhere. UsePrivilegeSeparation sandbox