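# Hardened SSH configuration for Gentoo workstation
# Place in /etc/ssh/sshd_config.d/hardening.conf (or merge into main config)
#
# sshd uses first-obtained-value semantics: for every keyword the FIRST
# occurrence wins and later ones are silently ignored. A drop-in therefore
# only takes effect if the main /etc/ssh/sshd_config reaches its Include
# line before it sets the same keywords itself. Verify the effective result
# rather than this file:
#   sshd -t   syntax check (run before restarting the service)
#   sshd -T   dump the effective configuration after all Includes

# Network
# Binding every interface is usually wider than a workstation needs;
# consider restricting ListenAddress to the management/LAN address.
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Protocol
# SSH protocol 1 support was removed from sshd; the Protocol keyword is a
# no-op and current releases log a "Deprecated option" warning for it, so
# it is left commented out.
# Protocol 2

# Host keys (prefer modern algorithms)
# The RSA key should be at least 3072 bits; check with
#   ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Ciphers and keying
# diffie-hellman-group-exchange-sha256 picks its group from /etc/ssh/moduli;
# remove moduli smaller than 3072 bits from that file (or drop this method),
# otherwise a small group can still be selected.
# The two plain hmac-sha2 MACs are only used with the CTR ciphers (the GCM
# and chacha20 ciphers authenticate themselves); drop them once every client
# supports the *-etm@openssh.com variants.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Logging
# VERBOSE records the fingerprints of keys offered by clients, which makes
# it possible to audit which key was actually used for a login.
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication
# LoginGraceTime is in seconds. MaxAuthTries counts every attempt on a
# connection, including each public key a client offers, so agents holding
# many keys can hit the limit; prefer IdentitiesOnly on the client over
# raising this value.
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 5

# Public key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Password authentication (disable for key-only)
# Both password paths are closed: PasswordAuthentication here and
# KbdInteractiveAuthentication below (the channel PAM would use).
PasswordAuthentication no
PermitEmptyPasswords no

# Challenge-response authentication
# Since OpenSSH 8.7 ChallengeResponseAuthentication is an alias for
# KbdInteractiveAuthentication. Keeping both set to no is harmless and
# also covers older releases where they were separate knobs.
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

# PAM
# PAM still runs account and session modules; it cannot act as a password
# path because keyboard-interactive authentication is disabled above.
UsePAM yes

# Disable insecure features
# TCP keepalives travel outside the encrypted channel and can be spoofed.
# Liveness is handled by ClientAliveInterval/ClientAliveCountMax below, so
# TCPKeepAlive is turned off (changed from yes).
PermitUserEnvironment no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive no
Compression no
# Forwarding defaults to yes; disable what this workstation does not need.
# AllowAgentForwarding no
# AllowTcpForwarding no

# Allow client to pass locale environment variables
# Keep this list tight: every accepted variable is client-controlled input
# to the login shell.
AcceptEnv LANG LC_*

# Subsystems
# sshd refuses to start if "Subsystem sftp" is defined twice, and the stock
# Gentoo /etc/ssh/sshd_config normally already defines it. Keep exactly one
# definition: comment it out in the main file or remove the line here.
Subsystem sftp /usr/lib64/misc/sftp-server

# Connection settings
# 300 s probe interval x 2 unanswered probes: an unresponsive client is
# disconnected after roughly 10 minutes.
ClientAliveInterval 300
ClientAliveCountMax 2

# Allow only specific users (uncomment and customize)
# Directives are evaluated in the order DenyUsers, AllowUsers, DenyGroups,
# AllowGroups; once AllowUsers is set, every user not listed is refused.
# AllowUsers alexander

# Deny specific users
# DenyUsers root nobody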