Home Explore Help
Sign In
fphammerle
/
docker-borgbackup-sshd
mirror of https://github.com/fphammerle/docker-borgbackup-sshd
1
0
Fork 0
Files Issues 0 Wiki
Tree: 7a3bf6f903
Branches Tags
docker-borgback...
/
sshd_config

sshd_config 2.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 
  1. # sync with https://github.com/fphammerle/docker-gitolite/blob/master/sshd_config
    2. 

  2. 

  3. LogLevel INFO
    4. 

  4. #LogLevel DEBUG
    5. 

  5. 

  6. PidFile none
    7. 

  7. 

  8. Port 2200
    9. 

  9. Protocol 2
    10. 

  10. 

  11. HostKey /etc/ssh/host_keys/rsa
    12. 

  12. HostKey /etc/ssh/host_keys/ed25519
    13. 

  13. 

  14. # https://www.ssh-audit.com/hardening_guides.html#ubuntu_20_04_lts
    15. 

  15. KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    16. 

  16. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    17. 

  17. MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
    18. 

  18. HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
    19. 

  19. 

  20. #UsePAM no
    21. 

  21. PermitRootLogin no
    22. 

  22. PubkeyAuthentication yes
    23. 

  23. # > RSA: The length of the modulus n shall be 2048 bits or more to meet the
    24. 

  24. # > minimum security-strength requirement of 112 bits [...]
    25. 

  25. # https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
    26. 

  26. RequiredRSASize 2048
    27. 

  27. PasswordAuthentication no
    28. 

  28. ChallengeResponseAuthentication no
    29. 

  29. StrictModes no
    30. 

  30. 

  31. AllowAgentForwarding no
    32. 

  32. AllowTcpForwarding no
    33. 

  33. GatewayPorts no
    34. 

  34. PermitTunnel no
    35. 

  35. X11Forwarding no
    36. 

  36. PermitUserEnvironment no
    37. 

  37. PrintMotd no
    38. 

  38. PermitTTY no
    39. 

  39. 

  40. # > In the event that the SSH connection [...] is disconnected or stuck
    41. 

  41. # > abnormally [...], it can take a long time for sshd to notice the client is
    42. 

  42. # > disconnected. [...] [Configure sshd] to send a keep alive to the client
    43. 

  43. # > every 10 seconds. If 30 consecutive keepalives are sent without a response
    44. 

  44. # > [...], the server’s sshd process will be terminated, causing the borg serve
    45. 

  45. # > process to terminate gracefully and release the lock on the repository.
    46. 

  46. # https://web.archive.org/web/20221101185048/https://borgbackup.readthedocs.io/en/stable/usage/serve.html#ssh-configuration
    47. 

  47. # > The TCP keepalive option enabled by TCPKeepAlive is spoofable.
    48. 

  48. ClientAliveInterval 10
    49. 

  49. ClientAliveCountMax 30
    50. 

  50. 

  51. # ForceCommand via command= in ~/.ssh/authorized_keys
    52.