# SSHD config. See https://man.openbsd.org/sshd_config
# https://hackviser.com/tactics/hardening/ssh

# Protocol 2 is more secure
# (current OpenSSH speaks only protocol 2 and treats this keyword as deprecated)
Protocol 2

# No root login or passwords
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey

# Allow tunneling, but not with option R (remote)
AllowTcpForwarding local
# GatewayPorts applies only to remote forwardings, so it has no effect
# while AllowTcpForwarding is set to local
GatewayPorts yes

# override default of no subsystems
Subsystem sftp internal-sftp

# Only allow users that are listed
AllowUsers admin

# Only allow secure ciphers
# (mlkem768x25519-sha256 needs OpenSSH 9.9 or newer; validate with `sshd -t` before reloading)
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,mlkem768x25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512