# Hardened SSH configuration for Gentoo workstation
# Place in /etc/ssh/sshd_config.d/hardening.conf (or merge into main config)

# Network
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Protocol
Protocol 2

# Host keys (prefer modern algorithms)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Ciphers and keying
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 5

# Public key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Password authentication (disable for key-only)
PasswordAuthentication no
PermitEmptyPasswords no

# Challenge-response authentication
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

# PAM
UsePAM yes

# Disable insecure features
PermitUserEnvironment no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Compression no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Subsystems
Subsystem sftp /usr/lib64/misc/sftp-server

# Connection settings
ClientAliveInterval 300
ClientAliveCountMax 2

# Allow only specific users (uncomment and customize)
# AllowUsers alexander

# Deny specific users
# DenyUsers root nobody