# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### Version Master V8.13.002.2025.08.11
### https://www.ssh-audit.com/
### List what the local OpenSSH build supports with:
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

Include /etc/ssh/sshd_config.d/*.conf

Protocol 2
Banner /etc/banner
DebianBanner no
VersionAddendum none
Compression no
LogLevel VERBOSE

AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port MUST_BE_CHANGED
AllowUsers root
UseDNS no

### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
RekeyLimit 1G 1h

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
TrustedUserCAKeys none

PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2

### Begin randomly dropping new unauthenticated connections once 8 are pending,
### starting at a 64% drop chance and rising linearly to the hard limit of 16,
### where every further unauthenticated connection is refused.
MaxStartups 08:64:16
### Restrict each individual source IP to a bounded number of unauthenticated connection slots
### in the concurrent MaxStartups pool, preventing one IP from monopolizing the pool.
PerSourceMaxStartups 8

ClientAliveInterval 300
ClientAliveCountMax 2

AuthorizedKeysFile %h/.ssh/authorized_keys

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no

### A+ Rating 100/100 (ssh-audit)
RequiredRSASize 4096
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
KbdInteractiveAuthentication no

### Set this to 'yes' to enable PAM authentication, account processing,
### and session processing. If this is enabled, PAM authentication will
### be allowed through the ChallengeResponseAuthentication and
### PasswordAuthentication. Depending on your PAM configuration,
### PAM authentication via ChallengeResponseAuthentication may bypass
### the setting of "PermitRootLogin without-password".
### If you just want the PAM account and session checks to run without
### PAM authentication, then enable this but set PasswordAuthentication
### and ChallengeResponseAuthentication to 'no'.
UsePAM yes

### Allow client to pass locale environment variables
AcceptEnv LANG LC_*

### Override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

PidFile /var/run/sshd.pid
PrintMotd no
PrintLastLog yes
TCPKeepAlive no

### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
HostbasedAuthentication no

### Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
# UsePrivilegeSeparation yes

### Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosGetAFSToken no

### GSSAPI options
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no

# AuthorizedPrincipalsFile none
# AuthorizedKeysCommand none
# AuthorizedKeysCommandUser nobody
# PermitTunnel no
# ChrootDirectory none
# X11DisplayOffset 10
# X11UseLocalhost yes
# PermitTTY yes
# PermitUserEnvironment no
# IgnoreUserKnownHosts no

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
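A small Python model of the MaxStartups throttling this file configures, added here as an example (it is not part of the CISS config or of OpenSSH): it reproduces the integer drop curve of sshd's drop_connection() for the `08:64:16` value above and checks PerSourceMaxStartups against the pool size. The function names are my own.

```python
"""Model sshd's MaxStartups random early drop for the values in this config."""
import re


def parse_max_startups(value: str) -> tuple[int, int, int]:
    """Parse a MaxStartups value ('start:rate:full' or a bare 'full') into the
    (start, rate, full) triple sshd ends up with after applying its defaults."""
    m = re.fullmatch(r"(\d+)(?::(\d+):(\d+))?", value.strip())
    if not m:
        raise ValueError(f"malformed MaxStartups value: {value!r}")
    start = int(m.group(1))
    if m.group(2) is None:          # bare N: refuse everything once N are pending
        return start, 100, start
    rate, full = int(m.group(2)), int(m.group(3))
    # same range checks sshd's parser applies before accepting the triple
    if start < 1 or not 1 <= rate <= 100 or full < start:
        raise ValueError(f"MaxStartups out of range: {value!r}")
    return start, rate, full


def drop_probability(pending: int, start: int, rate: int, full: int) -> int:
    """Percent chance a new unauthenticated connection is dropped when
    `pending` connections already sit in the pre-auth pool."""
    if pending < start:
        return 0
    if pending >= full:
        return 100
    # linear ramp from `rate` at `start` to 100 at `full`, integer math as in sshd.c
    return (100 - rate) * (pending - start) // (full - start) + rate


def startup_policy(max_startups: str, per_source: int) -> dict:
    """Summarise the policy: full drop curve plus whether one source IP
    could occupy the whole pool on its own."""
    start, rate, full = parse_max_startups(max_startups)
    curve = {n: drop_probability(n, start, rate, full) for n in range(full + 1)}
    return {
        "start": start, "rate": rate, "full": full,
        "curve": curve,
        "per_source_ok": per_source < full,   # one IP must not fill the pool
    }


if __name__ == "__main__":
    policy = startup_policy("08:64:16", 8)    # values from this sshd_config
    for n, p in policy["curve"].items():
        print(f"{n:2d} pending -> {p:3d}% drop")
    print("PerSourceMaxStartups below pool size:", policy["per_source_ok"])
```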