## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
## See the file COPYING for copying conditions.

## Don't edit this file. To override any options, edit a file with a higher
## number that is read later by SSHD, such as
## '/etc/ssh/sshd_config.d/50_user.conf'.

## See also:
## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File

## Number of allowed login attempts per connection.
MaxAuthTries 3

## Require strong ciphers and algorithms.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org

## To force the use of quantum-resistant key exchange algorithms, override the
## above with:
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256

## Override with 'no' to fully deny root login, or leave this as
## 'prohibit-password' to deny root password login while still allowing
## other authentication methods such as public key.
PermitRootLogin prohibit-password

## Public key authentication is transparent, non-interactive and more secure.
PasswordAuthentication no

## Change to 'yes' to enable challenge-response passwords (beware issues with
## some PAM modules and threads).
KbdInteractiveAuthentication no

## PAM can be used for account and session processing when using
## ChallengeResponseAuthentication or PasswordAuthentication.
##
## Depending on your PAM configuration, PAM authentication via
## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
## without-password".
##
## If you want PAM account and session checks to run without PAM
## authentication, then enable this but set PasswordAuthentication and
## ChallengeResponseAuthentication to 'no'.
##
## The upstream default is 'no'; Debian sets this to 'yes'. If using a locked
## account, read:
## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
## We set it to 'yes' to work with libpam-tmpdir.
## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
## Also, folders such as '/run/user/1000' will exist thanks to PAM.
## The absence of that folder can lead to issues (such as with msgcollector).
UsePAM yes

## Block dangerous forwarding.
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

## Hide unnecessary login banners.
PrintMotd no
#Banner /etc/issue.net
## Hide the Debian version in the SSH banner (obscurity).
DebianBanner no

## Some options are dangerous but may be required in certain circumstances. As
## an example, if forwarding is required, selectively allow it with a 'Match'
## block. Consider a new, separate user named 'tunnel' that wants to forward
## its local port to be available on the server on port 443. Note that a
## tunnel user doesn't even require a TTY nor a shell, so don't forget to
## change the 'tunnel' shell to something that prevents login, such as
## '/usr/sbin/nologin'.
#Match User tunnel
# AllowTcpForwarding yes
# PermitListen localhost:443
# PermitTTY no
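As an added example (not part of this configuration file or of Kicksecure), a small Python audit that parses sshd_config-style text using sshd's scoping rules (the first value given for a keyword wins, and directives after a 'Match' line belong to that block) and checks a fragment against the hardening choices made above, including that a Match block which re-enables AllowTcpForwarding also narrows it with PermitListen and PermitTTY no. The sample input is constructed, not a real host's file.

```python
import shlex
# Constructed sample: this file's global settings plus the 'tunnel' Match block uncommented.
SAMPLE_CONFIG = """
MaxAuthTries 3
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Match User tunnel
    AllowTcpForwarding yes
    PermitListen localhost:443
    PermitTTY no
"""

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); first value per keyword wins, as in sshd."""
    global_opts, blocks, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":  # lines until the next Match belong to this block
            scope = {}
            blocks.append((" ".join(args), scope))
            continue
        target = global_opts if scope is None else scope
        target.setdefault(key.lower(), " ".join(args))
    return global_opts, blocks

def audit(text):
    """Return findings; an empty list means the text matches this file's hardening."""
    g, blocks = parse_sshd_config(text)
    findings = []
    for key in ("PasswordAuthentication", "KbdInteractiveAuthentication",
                "AllowTcpForwarding", "AllowAgentForwarding", "X11Forwarding"):
        if g.get(key.lower()) != "no":
            findings.append(f"global: {key} should be 'no', got {g.get(key.lower())!r}")
    if g.get("permitrootlogin") == "yes":
        findings.append("global: PermitRootLogin yes permits root password login")
    if int(g.get("maxauthtries", "6")) > 3:  # sshd's default is 6
        findings.append("global: MaxAuthTries should be 3 or lower")
    for crit, opts in blocks:
        # Forwarding re-enabled in a Match block must be narrowed with PermitListen and PermitTTY no.
        if opts.get("allowtcpforwarding") == "yes" and (
                "permitlisten" not in opts or opts.get("permittty") != "no"):
            findings.append(f"Match {crit}: forwarding needs PermitListen and PermitTTY no")
    return findings
```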