# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

Include /etc/ssh/sshd_config.d/*.conf

Protocol 2
Banner /etc/banner
DebianBanner no
VersionAddendum none
Compression no
LogLevel VERBOSE

AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port MUST_BE_CHANGED
AllowUsers root
UseDNS no
RekeyLimit 1G 1h

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2
MaxStartups 10:30:60
ClientAliveInterval 300
ClientAliveCountMax 2
AuthorizedKeysFile %h/.ssh/authorized_keys

AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no

# ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp384,ssh-ed25519,sk-ssh-ed25519@openssh.com

# Change to yes to enable challenge-response passwords
# (beware issues with some PAM modules and threads)
KbdInteractiveAuthentication no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

PidFile /var/run/sshd.pid
PrintMotd no
PrintLastLog yes
TCPKeepAlive no

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
# Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
HostbasedAuthentication no

# Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
# UsePrivilegeSeparation yes

# Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosGetAFSToken no

# GSSAPI options
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no

# AuthorizedPrincipalsFile none
# AuthorizedKeysCommand none
# AuthorizedKeysCommandUser nobody
# PermitTunnel no
# ChrootDirectory none
# X11DisplayOffset 10
# X11UseLocalhost yes
# PermitTTY yes
# PermitUserEnvironment no
# IgnoreUserKnownHosts no

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
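Added example, not part of the CISS builder: a POSIX sh audit that reads an sshd_config-style file and reports where it departs from the hardened values above, including the Port placeholder that must be replaced before deployment. The function names (sshd_get, sshd_check, sshd_audit) and the sample config are constructed here; it assumes plain "Directive value" lines with "#" comments and no Match blocks.

```sh
#!/bin/sh
# Added example (not part of the CISS builder): audit an sshd_config file
# against the hardened values this profile sets. Assumes plain
# "Directive value" lines with "#" comments and no Match blocks.

# Print the effective value of a directive; like sshd, the first occurrence wins.
sshd_get() {                                   # $1 = file, $2 = directive
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# Compare one directive with its expected value; print a FAIL line on mismatch.
sshd_check() {                                 # $1 = file, $2 = directive, $3 = expected
  actual=$(sshd_get "$1" "$2")
  [ "$actual" = "$3" ] && return 0
  printf 'FAIL %s: expected "%s", got "%s"\n' "$2" "$3" "${actual:-<unset>}"
  return 1
}

# Run the checks implied by this profile; exit status is the number of findings.
sshd_audit() {                                 # $1 = file
  fails=0
  for pair in PermitRootLogin=prohibit-password PasswordAuthentication=no \
              KbdInteractiveAuthentication=no AllowTcpForwarding=no X11Forwarding=no; do
    sshd_check "$1" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
  done
  # The profile ships Port as a placeholder that must be replaced before deployment.
  port=$(sshd_get "$1" Port)
  case "$port" in
    ''|*[!0-9]*) printf 'FAIL Port: not numeric (%s)\n' "${port:-<unset>}"; fails=$((fails + 1)) ;;
  esac
  return "$fails"
}

# Constructed sample: a weakened copy with the Port placeholder left in place.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real host config
Port MUST_BE_CHANGED
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding yes
EOF

sshd_audit "$SAMPLE" || printf '%s finding(s)\n' "$?"
```

Run it against /etc/ssh/sshd_config on a built image to confirm that the placeholder was replaced and no drop-in under sshd_config.d has re-enabled a forwarding or password option; for the merged view that sshd itself uses, compare with `sshd -T` output instead.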