# SSHD config. See https://man.openbsd.org/sshd_config
# https://hackviser.com/tactics/hardening/ssh
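# Protocol 2 is more secure. Current OpenSSH servers speak only protocol 2 and
# treat this keyword as deprecated, so the line only matters on very old sshd.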
Protocol 2
# No root login or passwords: public-key authentication is the only accepted method
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
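# Allow tunneling with -L (local) only; -R (remote) forwarding is refused.
# NOTE: GatewayPorts only applies to remote forwards, so "yes" has no effect while
# remote forwarding is disabled. If remote forwarding were ever re-enabled, "yes"
# would let forwarded ports bind to non-loopback addresses. Consider "no".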
AllowTcpForwarding local
GatewayPorts yes
# Override the default (no subsystems): enable SFTP using the in-process server
Subsystem sftp internal-sftp
# Only allow users that are listed
AllowUsers admin
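# Only allow secure key exchange algorithms, ciphers and MACs.
# mlkem768x25519-sha256 needs OpenSSH 9.9 or later; an older sshd does not
# recognise the name, so validate the file with `sshd -t` before reloading.
# Both ciphers below are AEAD, so the MACs list is not used with them. If a
# non-AEAD cipher is ever added, prefer the -etm@openssh.com MAC variants.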
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,mlkem768x25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256,hmac-sha2-512