mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-25 17:06:45 -05:00
78 lines
3.2 KiB
Text
78 lines
3.2 KiB
Text
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## Don't edit this file, to overwrite any options, edit a file with a higher
|
|
## number that is read later by SSHD, such as
|
|
## '/etc/ssh/sshd_config.d/50_user.conf'.
|
|
|
|
## See also:
|
|
## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File
|
|
|
|
## Number of allowed login attempts per connection.
|
|
MaxAuthTries 3
|
|
|
|
## Require strong ciphers and algorithms.
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKeyAlgorithms ssh-ed25519
|
|
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
|
|
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
|
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
|
|
## To force the use of quantum-resistant key exchange algorithms, override the
|
|
## above with
|
|
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
|
|
|
|
## Override with 'no' to fully deny root login, or leave this as
|
|
## 'prohibit-password' for denying root password login but still allowing
|
|
## other authentication methods such as public key.
|
|
PermitRootLogin prohibit-password
|
|
|
|
## Public key authentication is transparent, non-interactive and more secure.
|
|
PasswordAuthentication no
|
|
|
|
## Change to 'yes' to enable challenge-response passwords (beware issues with
|
|
## some PAM modules and threads)
|
|
KbdInteractiveAuthentication no
|
|
|
|
## PAM can be used for account and session processing when using
|
|
## ChallengeResponseAuthentication or PasswordAuthentication.
|
|
##
|
|
## Depending on your PAM configuration, PAM authentication via
|
|
## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
|
|
## without-password".
|
|
##
|
|
## If you want PAM account and session checks to run without PAM
|
|
## authentication, then enable this but set PasswordAuthentication and
|
|
## ChallengeResponseAuthentication to 'no'.
|
|
##
|
|
## The default upstream is 'no', Debian sets this to 'yes'. If using a locked
|
|
## account, read:
|
|
## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
|
|
## We set it to 'yes' to work with libpam-tmpdir.
|
|
## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
|
|
## Also folders such as '/run/user/1000' will exist thanks to PAM.
|
|
## The absence of that folder can lead to issues (such as with msgcollector).
|
|
UsePAM yes
|
|
|
|
## Block dangerous forwarding.
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding no
|
|
X11Forwarding no
|
|
|
|
## Hide unnecessary login banners.
|
|
PrintMotd no
|
|
#Banner /etc/issue.net
|
|
#Hiding Debian version from SSH banner (obscurity)
|
|
DebianBanner no
|
|
|
|
## Some options are dangerous but may be required in certain circumstances. As
|
|
## an example, if forwarding is required, selectively allow it with a 'Match'
|
|
## block. Consider a new separate user named 'tunnel' which wants to forward
|
|
## its local port to be available on the server on port 443. Note that a
|
|
## tunnel user doesn't even require a TTY nor a shell, so don't forget to
|
|
## change the 'tunnel' shell to something that prevents login such as
|
|
## '/usr/sbin/nologin'.
|
|
#Match User tunnel
|
|
# AllowTcpForwarding yes
|
|
# PermitListen localhost:443
|
|
# PermitTTY no
|