
  1. # sync with https://github.com/fphammerle/docker-gitolite/blob/master/sshd_config
     #
     # sshd for a single-purpose dump endpoint: exactly one account (`dump`) may
     # log in, only with a public key, and every session is forced into
     # mysqldump (see ForceCommand at the bottom). No shell, no pty, no
     # forwarding of any kind is reachable through this daemon.
     #
     # NOTE(review): PidFile none, an unprivileged port and a non-default host-key
     # directory look like an sshd started by a non-root user inside a container
     # (see the ForceCommand notes on /proc/1/environ) -- TODO confirm.
     #
     # Logging: INFO records who authenticated from where; raise to VERBOSE if
     # per-key detail of rejected attempts is needed for incident review.
  2. LogLevel INFO
  3. #LogLevel DEBUG
     # No pid file is written (nothing here reads it).
  4. PidFile none
     # Unprivileged port, so no root is needed to bind it.
  5. Port 2200
     # Harmless on current OpenSSH, which only speaks protocol 2 anyway.
  6. Protocol 2
     # Only RSA and ed25519 host keys are loaded; no DSA/ECDSA host key exists
     # for a client to be offered.
  7. HostKey /etc/ssh/host_keys/rsa
  8. HostKey /etc/ssh/host_keys/ed25519
  9. # https://www.ssh-audit.com/hardening_guides.html#ubuntu_20_04_lts
      # Kex: curve25519 and SHA-2 DH groups only, no nistp ECDH and no SHA-1.
      # NOTE(review): diffie-hellman-group-exchange-sha256 takes its groups from
      # /etc/ssh/moduli; the linked guide pairs this list with pruning the small
      # moduli from that file, which this config cannot show -- confirm the image
      # does it, or drop the group-exchange entry.
  10. KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
      # AEAD ciphers first, CTR as fallback; no CBC.
  11. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
      # Encrypt-then-MAC only. The MAC is only consulted for the *-ctr ciphers;
      # chacha20/GCM authenticate on their own.
  12. MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
      # Host-key signatures: ed25519 and RSA with SHA-2 (plus their certificate
      # forms). Plain ssh-rsa (SHA-1) is deliberately not offered.
  13. HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
      # NOTE(review): left commented, so the effective value is whatever this
      # sshd build defaults to (upstream: no; some distro packages: yes) -- TODO
      # confirm on the image.
  14. #UsePAM no
      # Left at the build default; root is excluded regardless by AllowUsers.
  15. #PermitRootLogin no
      # The only account that may authenticate at all.
  16. AllowUsers dump
      # Public key is the sole permitted method; the Password/ChallengeResponse
      # lines further down are belt-and-braces.
  17. AuthenticationMethods publickey
  18. PubkeyAuthentication yes
  19. # > RSA: The length of the modulus n shall be 2048 bits or more to meet the
  20. # > minimum security-strength requirement of 112 bits [...]
  21. # https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
      # Rejects RSA user keys below 2048 bits. Needs OpenSSH 9.1 or newer; older
      # releases reject the keyword and refuse to start.
  22. RequiredRSASize 2048
  23. PasswordAuthentication no
      # Deprecated alias of KbdInteractiveAuthentication (OpenSSH 8.7+), still
      # accepted.
  24. ChallengeResponseAuthentication no
      # NOTE(review): with StrictModes off, sshd accepts authorized_keys (and its
      # parent directories) even when group/world-writable or owned by another
      # uid. Presumably needed because the key file is mounted into the container
      # with foreign ownership -- TODO confirm. The cost: any uid that can write
      # to dump's home, .ssh or authorized_keys can add a key and become `dump`,
      # so keep that mount read-only and correctly owned.
  25. StrictModes no
      # DisableForwarding alone already covers TCP, stream-local (unix socket),
      # agent and X11 forwarding as well as tunnels; the explicit lines that
      # follow restate it for readers and for sshd releases without the keyword.
  26. DisableForwarding yes
  27. AllowAgentForwarding no
  28. AllowStreamLocalForwarding no
  29. AllowTcpForwarding no
      # Default; only relevant to remote forwards, which are disabled anyway.
  30. GatewayPorts no
  31. PermitTunnel no
  32. X11Forwarding no
      # Ignore environment= options in authorized_keys and ~/.ssh/environment.
      # Matters here because the forced command is resolved through the user's
      # shell and PATH. AcceptEnv is unset, so the client cannot push variables
      # into the session either.
  33. PermitUserEnvironment no
  34. PrintMotd no
      # No pty: together with ForceCommand this rules out any interactive session.
  35. PermitTTY no
  36. # > grep: unrecognized option: z
  37. # .* matches until \0
      # Every session runs mysqldump regardless of what the client asked for (the
      # client's request is only exposed as SSH_ORIGINAL_COMMAND and ignored).
      # Arguments come from MYSQLDUMP_ARGS in PID 1's environment, so credentials
      # never have to live in this file or in the session environment.
      #
      # NOTE(review): /proc/1/environ is readable only by PID 1's own uid (or
      # root), so this presumably means sshd itself is PID 1 and runs as `dump`
      # -- TODO confirm. The two comments above record why `grep -z` is not used
      # (the image's busybox grep lacks it); the pipeline then relies on busybox
      # regex semantics, where `.` stops at the NUL that separates entries. GNU
      # grep would instead report "Binary file ... matches" and print nothing
      # unless given -a -- verify if the base image ever changes.
      #
      # The $(...) expansion is deliberately unquoted so MYSQLDUMP_ARGS is split
      # into separate words; consequently a value containing spaces, quotes or
      # glob characters (* ? [) cannot be passed through as a single argument.
      # `cut -f 2-` keeps any `=` that appears inside the value. Because
      # ForceCommand is executed via the user's login shell, `dump` needs a real
      # shell and mysqldump/grep/cut are found through that shell's PATH.
  38. ForceCommand exec mysqldump $(grep -o '^MYSQLDUMP_ARGS=.*' /proc/1/environ | cut -d = -f 2-)