#-------------------------------------------------------------------------------
# sshd_config
# ===========
#
# Project Gentoo 4 Shuttle DS57Ux
# Scope Gentoo
# Copyright (C) 2022 by RaySoft, Zurich, Switzerland
# License GNU General Public License (GPL) 2.0
# https://www.gnu.org/licenses/gpl2.txt
#
#-------------------------------------------------------------------------------
# Network
# Specifies the port number that sshd listens on.
Port 22
# Specifies which address family should be used by sshd. Valid arguments are any,
# inet (use IPv4 only), or inet6 (use IPv6 only).
# With inet, sshd does not listen on any IPv6 address.
AddressFamily inet
# Specifies the protocol versions sshd supports. The possible values are
# 1 and 2. Multiple versions must be comma-separated.
# NOTE(review): current OpenSSH releases treat this directive as deprecated
# (protocol 1 support was removed server-side) and ignore it with a warning;
# it is harmless to keep for older releases - confirm against the installed
# version.
Protocol 2
# Specifies a file containing a private host key used by SSH.
# Only the Ed25519 host key is enabled; the RSA/DSA/ECDSA keys below are kept
# commented out so they can be re-enabled if a client without Ed25519 support
# must connect.
# - HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key
# - HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key
# HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms
# must be comma-separated.
# The list of available key exchange algorithms may also be obtained using
# "ssh -Q 'kex'".
# A single KEX algorithm is offered; clients that do not support it are
# rejected at key exchange. The IANA name curve25519-sha256 denotes the same
# algorithm on OpenSSH 7.4 and later, if an additional name is wanted.
KexAlgorithms curve25519-sha256@libssh.org
# Specifies the ciphers allowed. Multiple ciphers must be comma-separated.
# The list of available ciphers may also be obtained using "ssh -Q 'cipher'".
# All three are AEAD ciphers; the MACs list below is only used for non-AEAD
# ciphers and is therefore effectively unused with this selection.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
# Specifies the available MAC (message authentication code) algorithms. The MAC
# algorithm is used for data integrity protection. Multiple algorithms must be
# comma-separated.
# The list of available MAC algorithms may also be obtained using "ssh -Q 'mac'".
# Encrypt-then-MAC (-etm) variants only.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Specifies whether tun device forwarding is allowed. The argument must be yes,
# point-to-point (layer 3), ethernet (layer 2), or no.
PermitTunnel no
# Specifies whether ssh-agent forwarding is permitted.
AllowAgentForwarding no
# Specifies whether TCP forwarding is permitted. The available options are yes
# or all to allow TCP forwarding, no to prevent all TCP forwarding, local to
# allow local (from the perspective of ssh(1)) forwarding only or remote to
# allow remote forwarding only.
# Disabling TCP forwarding here does not improve security unless shell access
# is also denied, since a user with a shell can run their own forwarder; it
# does remove the convenient path.
AllowTcpForwarding no
# Specifies whether remote hosts are allowed to connect to ports forwarded for
# the client.
# Only relevant when remote forwarding is allowed; kept explicit for clarity.
GatewayPorts no
# Specifies whether the system should send TCP keepalive messages to the other
# side. If they are sent, death of the connection or crash of one of the machines
# will be properly noticed.
TCPKeepAlive yes
# Specifies whether sshd(8) should look up the remote host name, and to check
# that the resolved host name for the remote IP address maps back to the very
# same IP address.
# no avoids login delays on hosts without working reverse DNS; hostname-based
# patterns in authorized_keys "from=" options then match only IP addresses.
UseDNS no
#-------------------------------------------------------------------------------
# Logging
# Gives the facility code that is used when logging messages from sshd.
# The sftp subsystem at the end of this file logs to the same facility.
SyslogFacility AUTHPRIV
#-------------------------------------------------------------------------------
# Authentication
# Specifies whether rhosts or /etc/hosts.equiv authentication together with
# successful public key client host authentication is allowed
# (host-based authentication).
HostbasedAuthentication no
# Specifies the maximum number of authentication attempts permitted per
# connection. Once the number of failures reaches half this value, additional
# failures are logged.
# With 3, failures are logged from the second attempt onwards.
MaxAuthTries 3
# Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
# sessions permitted per network connection. Multiple sessions may be established
# by clients that support connection multiplexing. Setting MaxSessions to 1 will
# effectively disable session multiplexing, whereas setting it to 0 will prevent
# all shell, login and subsystem sessions while still permitting forwarding.
MaxSessions 5
# The server disconnects after this time if the user has not successfully logged
# in. If the value is 0, there is no time limit.
# Value is in seconds (a bare number); the sshd_config time format is also
# accepted.
LoginGraceTime 60
# Specifies whether root can log in using ssh. The argument must be yes,
# prohibit-password, without-password, forced-commands-only, or no.
# NOTE(review): together with PasswordAuthentication yes and the
# AuthenticationMethods line below, this permits root to log in with a
# password alone over the network. prohibit-password (key-only root) or no is
# the usual hardening; confirm that password root login is intended for this
# host.
PermitRootLogin yes
# Specifies whether sshd should check file modes and ownership of the user's
# files and home directory before accepting login.
StrictModes yes
# AuthenticationMethods
# Specifies the authentication methods that must be successfully completed for a
# user to be granted access. This option must be followed by one or more comma-
# separated lists of authentication method names.
# Lists are separated by spaces and are alternatives: the value below means
# "publickey OR password", i.e. either method alone grants access, which is
# the same as sshd's default behaviour. To require both (key AND password)
# the methods must be in one comma-separated list: "publickey,password".
AuthenticationMethods publickey password
# Specifies whether password authentication is allowed.
PasswordAuthentication yes
# When password authentication is allowed, it specifies whether the server
# allows login to accounts with empty password strings.
PermitEmptyPasswords no
# Specifies whether public key authentication is allowed.
PubkeyAuthentication yes
# Specifies whether challenge-response authentication is allowed.
# On OpenSSH 8.7 and later this is an alias for KbdInteractiveAuthentication;
# disabling it also disables PAM-driven interactive prompts.
ChallengeResponseAuthentication no
# Specifies the file that contains the public keys used for user authentication.
# The path is relative to the home directory of the user being authenticated.
AuthorizedKeysFile .ssh/authorized_keys
#-------------------------------------------------------------------------------
# Environment
# Specifies what environment variables sent by the client will be copied into
# the session's environ.
# Multiple AcceptEnv directives accumulate; the three lines below together
# allow the full set of locale variables. Only locale variables are accepted,
# so a client cannot inject e.g. LD_PRELOAD or PATH.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
# Specifies whether X11 forwarding is permitted. The argument must be yes or no.
X11Forwarding no
# The contents of the specified file are sent to the remote user before
# authentication is allowed. If the argument is none then no banner is displayed.
Banner none
# Specifies whether sshd should print /etc/motd when a user logs in interactively.
PrintMotd yes
# Specifies whether sshd should print the date and time of the last user login
# when a user logs in interactively.
PrintLastLog yes
# Specifies whether sshd separates privileges by creating an unprivileged child
# process to deal with incoming network traffic. After successful authentication,
# another process will be created that has the privilege of the authenticated
# user. The goal of privilege separation is to prevent privilege escalation by
# containing any corruption within the unprivileged processes. The argument must
# be yes, no, or sandbox. If UsePrivilegeSeparation is set to sandbox then the
# pre-authentication unprivileged process is subject to additional restrictions.
# NOTE(review): deprecated since OpenSSH 7.5, where sandboxed privilege
# separation became mandatory; newer releases ignore this line with a warning.
# Harmless to keep for older releases.
UsePrivilegeSeparation sandbox
# Specifies whether compression is enabled after the user has authenticated
# successfully. The argument must be yes or no.
Compression no
# Configures an external subsystem (e.g. file transfer daemon). Arguments should
# be a subsystem name and a command (with optional arguments) to execute upon
# subsystem request.
# The command sftp-server implements the SFTP file transfer subsystem.
# -f and -l set the syslog facility and level of sftp-server so that file
# transfers are logged alongside sshd's own messages (see SyslogFacility).
Subsystem sftp /usr/lib64/misc/sftp-server -f AUTHPRIV -l INFO