#Official Turn Net Systems SSHD configuration
#Created by Charles Wyble
#Sourced from
#https://stribika.github.io/2015/01/04/secure-secure-shell.html
#https://infosec.mozilla.org/guidelines/openssh
#Stock options whose defaults are already good/sane were removed; every value below is set intentionally.
#Ed25519 host private key that sshd uses to identify this server to clients.
HostKey /etc/ssh/ssh_host_ed25519_key
#RSA host private key, offered in addition to the Ed25519 key.
#NOTE(review): this file does not fix the RSA key size; confirm it with ssh-keygen -lf on the matching .pub file.
HostKey /etc/ssh/ssh_host_rsa_key
#Root may log in, but not with password or keyboard-interactive authentication.
#"without-password" is the older spelling of "prohibit-password"; OpenSSH 7.0 and later accept both.
#NOTE(review): direct root logins cannot be attributed to a person; consider "no" plus sudo from named accounts.
PermitRootLogin without-password
#Public key is the only method that can complete authentication.
#The PasswordAuthentication and ChallengeResponseAuthentication settings in this file then act as defence in depth.
AuthenticationMethods publickey
#Send sshd log messages to the syslog AUTH facility.
SyslogFacility AUTH
#VERBOSE also records the fingerprint of the key used for each login,
#so a session can be tied to a specific key during an investigation.
LogLevel VERBOSE
#Check ownership and modes of the user's home directory and SSH files before accepting a login,
#so a world-writable home or authorized_keys cannot be used to plant a key.
#This is also sshd's default; it is stated here explicitly.
StrictModes yes
#Enable public-key authentication (also the default); AuthenticationMethods in this file depends on it.
PubkeyAuthentication yes
#No password logins, which removes password guessing over SSH as an attack path.
PasswordAuthentication no
#Disable keyboard-interactive authentication; with UsePAM enabled it would otherwise be a second route to PAM password prompts.
#OpenSSH 8.7 and later name this option KbdInteractiveAuthentication and keep this spelling as a deprecated alias.
ChallengeResponseAuthentication no
#Never accept an account that has an empty password (also the default).
PermitEmptyPasswords no
#X11 forwarding stays off (also the default).
X11Forwarding no
#Key exchange is limited to Curve25519 and SHA-256 Diffie-Hellman group exchange.
#NOTE(review): group exchange takes its group from /etc/ssh/moduli; the guides named in the header recommend
#removing short moduli from that file, which this config alone cannot enforce.
#NOTE(review): OpenSSH 7.4 and later also know the first algorithm as curve25519-sha256; confirm clients offer one of the listed names.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
#Symmetric ciphers: the AEAD modes (ChaCha20-Poly1305, AES-GCM) are listed first, followed by AES-CTR
#for clients without AEAD support. No CBC or RC4 ciphers are offered.
#NOTE(review): ChaCha20-Poly1305 and the -etm MACs are the modes affected by the Terrapin prefix-truncation attack;
#verify that sshd and its clients are new enough to negotiate strict key exchange (OpenSSH 9.6 or later).
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#MACs for the non-AEAD (CTR) ciphers: encrypt-then-MAC variants are listed first, plain hmac-sha2-256 last as a fallback.
#No MD5, SHA-1 or 64-bit UMAC entries are offered.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256
#Print /etc/motd at interactive login.
#NOTE(review): with UsePAM yes, a pam_motd entry in the PAM stack may print the message a second time; check the sshd PAM configuration.
PrintMotd yes
#The contents of this file are sent to the client before authentication, so anyone who can reach the port can read them.
#Keep hostnames, software versions and other system details out of the banner text.
Banner /etc/ssh/tsys-banner
#SFTP subsystem served by the external sftp-server binary (this path is the Debian/Ubuntu layout; presumably the target platform).
#NOTE(review): as written, sftp-server is started without logging options; it accepts -f <facility> and -l <level>
#(for example -f AUTHPRIV -l INFO) if an audit trail of file transfers is wanted.
Subsystem sftp /usr/lib/openssh/sftp-server
#Review the following:
#PAM stays enabled. With password and challenge-response authentication off in this file,
#PAM is left with account and session processing (account validity, limits, session setup).
UsePAM yes
#Agent forwarding is allowed (sshd's default). While a user is connected with a forwarded agent,
#anyone with root on this host can use that agent to authenticate elsewhere as the user.
#NOTE(review): prefer ProxyJump on the client for hopping through this host, and set this to "no" unless a workflow needs it.
AllowAgentForwarding yes