sshd_config 1.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142
  1. # sync with https://github.com/fphammerle/docker-gitolite/blob/master/sshd_config
  2. LogLevel INFO
  3. #LogLevel DEBUG
  4. PidFile none
  5. Port 2200
  6. Protocol 2
  7. HostKey /etc/ssh/host_keys/rsa
  8. HostKey /etc/ssh/host_keys/ed25519
  9. # https://www.ssh-audit.com/hardening_guides.html#ubuntu_20_04_lts
  10. KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
  11. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  12. MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
  13. HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
  14. #UsePAM no
  15. PermitRootLogin no
  16. PubkeyAuthentication yes
  17. # > RSA: The length of the modulus n shall be 2048 bits or more to meet the
  18. # > minimum security-strength requirement of 112 bits [...]
  19. # https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
  20. RequiredRSASize 2048
  21. PasswordAuthentication no
  22. ChallengeResponseAuthentication no
  23. StrictModes no
  24. AllowAgentForwarding no
  25. AllowTcpForwarding no
  26. GatewayPorts no
  27. PermitTunnel no
  28. X11Forwarding no
  29. PermitUserEnvironment no
  30. PrintMotd no
  31. PermitTTY no
  32. ChrootDirectory /data
  33. Subsystem sftp /usr/lib/openssh/sftp-server
  34. ForceCommand internal-sftp