diff --git a/supported-files/sshd_config b/supported-files/sshd_config
index 4fc397a..6576166 100644
--- a/supported-files/sshd_config
+++ b/supported-files/sshd_config
@@ -8,10 +8,22 @@

# What ports, IPs and protocols we listen for
Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-#ListenAddress 176.9.117.77
+# Specifies the local addresses sshd(8) should listen on. The following forms may be used:
+#
+# ListenAddress host|IPv4_addr|IPv6_addr
+# ListenAddress host|IPv4_addr:port
+# ListenAddress [host|IPv6_addr]:port
+#
+# If port is not specified, sshd will listen on the address and all Port options specified. The default
+# is to listen on all local addresses. Multiple ListenAddress options are permitted.
+#
+# ListenAddress ::
+# ListenAddress 0.0.0.0
+# ListenAddress 159.69.72.24
+# ListenAddress 2a01:4f8:231:171f::2
+#
+ListenAddress ::
+ListenAddress 0.0.0.0

# Specifies the protocol versions sshd(8) supports.
# The possible values are ‘1’ , `2' and ‘1,2’.
@@ -28,6 +40,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
+#
#KeyRegenerationInterval 3600
#ServerKeyBits 768

@@ -42,7 +55,7 @@ MaxStartups 10:30:100
# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
-MaxAuthTries 3
+MaxAuthTries 6

# Specifies the maximum number of open sessions permitted per network
# connection.
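Review bot: The two active lines `ListenAddress ::` and `ListenAddress 0.0.0.0` reproduce what the added comment itself calls the default (listen on all local addresses), so the hunk binds every interface while dropping the old hint that the directive exists to restrict binding. If sshd should only answer on the host addresses the comment lists (159.69.72.24, 2a01:4f8:231:171f::2), those are the values to activate instead of the wildcards. If binding everywhere is deliberate, say so above the lines, e.g. `# Deliberately bind all addresses; switch to the host IPs above if sshd must not answer on every interface.`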
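Review bot: `MaxAuthTries 6` relaxes the previously hardened value back to the OpenSSH default, doubling the guesses an attacker gets per connection, and elsewhere in this diff root login is re-enabled, so the two changes together widen brute-force exposure. Nothing in the hunk explains the increase; if it was made because clients offering several agent keys were exhausting the limit (each offered key counts as an attempt), that reason belongs in the comment. Otherwise keep `MaxAuthTries 3` and let fail2ban-style tooling, not a higher limit, absorb legitimate retries.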
@@ -57,7 +70,13 @@ MaxSessions 10
# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
-UsePrivilegeSeparation yes
+#
+# Note: (Release 7.5)
+# Deprecated option UsePrivilegeSeparation
+# Privilege separation has been on by default for almost 15 years
+# sandboxing has been on by default for almost the last five
+#
+#UsePrivilegeSeparation yes

# The server disconnects after this time if the user has not
# successfully logged in.
@@ -66,9 +85,10 @@ LoginGraceTime 120

# Specifies whether root can log in using ssh(1).
# The default is "yes".
-#PermitRootLogin yes
+# Possible values: yes, no, prohibit-password (or teh older one: without-password)
+PermitRootLogin yes
#PermitRootLogin without-password
-PermitRootLogin no
+#PermitRootLogin no

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
@@ -104,6 +124,7 @@ PubkeyAuthentication yes
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
@@ -128,6 +149,7 @@ IgnoreRhosts yes
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
+
# similar for protocol version 2
HostbasedAuthentication no

@@ -142,7 +164,7 @@ HostbasedAuthentication no
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
-#AllowUsers chris cityslang sysadm
+#AllowUsers back chris sysadm cityslang christoph

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
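Review bot: `PermitRootLogin yes` re-opens interactive root login, including with a password if PasswordAuthentication (outside this hunk) is on, which the previous `PermitRootLogin no` had closed, and nothing in the hunk justifies the reversal. If root over SSH is genuinely required, `PermitRootLogin prohibit-password` keeps it key-only (the `without-password` alias named in the added comment is the older spelling of the same value); otherwise keep `PermitRootLogin no`. The added comment also has a typo: `teh` should be `the`.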
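Review bot: `AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2` only restates the default quoted in the comment above it, so the new line changes nothing except making explicit that a second, easily overlooked key file grants access. If the intent is to pin the setting, prefer `AuthorizedKeysFile .ssh/authorized_keys` so exactly one file per user needs auditing, after checking existing home directories for stray `authorized_keys2` files that would stop working.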
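Review bot: The updated `#AllowUsers back chris sysadm cityslang christoph` is still commented out, so no user allowlist is enforced and every account on the host may attempt SSH login, which matters more now that root login is re-enabled elsewhere in this diff. If those five accounts are the intended set, activate the directive, or better use `AllowGroups` with a dedicated group so membership is managed outside this file; if the list is kept only as a reminder, a comment saying so would stop readers assuming it is in effect.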
@@ -165,6 +187,43 @@ UsePAM yes #UseLogin no +#----------------------------- +# Cryptography +#----------------------------- + +# Specifies the available KEX (Key Exchange) algorithms. +# The default is: +## curve25519-sha256@libssh.org, +## ecdh-sha2-nistp256, +## ecdh-sha2-nistp384, +## ecdh-sha2-nistp521, +## diffie-hellman-group-exchange-sha256, +## diffie-hellman-group14-sha1. +#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + +# Specifies the ciphers allowed for protocol version 2. +# The default is: +## aes128-ctr, +## aes192-ctr, +## aes256-ctr, +## aes128-gcm@openssh.com, +## aes256-gcm@openssh.com, +## chacha20-poly1305@openssh.com. +#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr + +# Specifies the available MAC (message authentication code) algorithms. +# The default is: +## umac-64-etm@openssh.com, +## umac-128-etm@openssh.com, +## hmac-sha2-256-etm@openssh.com, +## hmac-sha2-512-etm@openssh.com, +## umac-64@openssh.com, +## umac-128@openssh.com, +## hmac-sha2-256, +## hmac-sha2-512. +#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com + + #----------------------------- # Logging #-----------------------------
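Review bot: The example `#MACs ...` line includes `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, which are absent from the default list the comment itself gives and, as far as I recall, were removed from OpenSSH in the release after the 7.5 this file references; uncommenting the line as written would make sshd reject the configuration on current versions. Drop the two ripemd160 entries from the example. Also, because all three directives remain commented, the defaults still apply, including `diffie-hellman-group14-sha1` from the listed KEX default; if this section is meant to harden the server, activate at least `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256` and note that the group-exchange method depends on /etc/ssh/moduli having small groups pruned.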