msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
35d3b1e668d4add024f6937ff55c8596e59b2c6c74a788a748ee98c6d255b93f
CISS.debian.live.builder/config/includes.chroot/etc/ssh/sshd_config
Marc S. Weidner b2282d3475 V8.02.512.2025.05.30 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-30 00:28:39 +02:00

135 lines
5.6 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.512.2025.05.30
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
Banner /etc/banner
DebianBanner no
VersionAddendum none
Compression no
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port MUST_BE_CHANGED
AllowUsers root
UseDNS no
### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
### whichever occurs first.
RekeyLimit 1G 1h
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2
### Begin randomly dropping new unauthenticated connections after the 8th attempt,
### with a 64% chance to drop each additional connection, up to a hard limit of 16.
MaxStartups 08:64:16
### Restrict each individual source IP to only 4 unauthenticated connection slot
### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
PerSourceMaxStartups 4
ClientAliveInterval 300
ClientAliveCountMax 2
AuthorizedKeysFile %h/.ssh/authorized_keys
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
### A+ Rating 100/100
RequiredRSASize 4096
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
KbdInteractiveAuthentication no
### Set this to 'yes' to enable PAM authentication, account processing,
### and session processing. If this is enabled, PAM authentication will
### be allowed through the ChallengeResponseAuthentication and
### PasswordAuthentication. Depending on your PAM configuration,
### PAM authentication via ChallengeResponseAuthentication may bypass
### the setting of "PermitRootLogin without-password".
### If you just want the PAM account and session checks to run without
### PAM authentication, then enable this but set PasswordAuthentication
### and ChallengeResponseAuthentication to 'no'.
UsePAM yes
### Allow client to pass locale environment variables
AcceptEnv LANG LC_*
### override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
PidFile /var/run/sshd.pid
PrintMotd no
PrintLastLog yes
TCPKeepAlive no
### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
HostbasedAuthentication no
### Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
# UsePrivilegeSeparation yes
### Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosGetAFSToken no
### GSSAPI options
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no
# AuthorizedPrincipalsFile none
# AuthorizedKeysCommand none
# AuthorizedKeysCommandUser nobody
# PermitTunnel no
# ChrootDirectory none
# X11DisplayOffset 10
# X11UseLocalhost yes
# PermitTTY yes
# PermitUserEnvironment no
# IgnoreUserKnownHosts no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
Reference in New Issue View Git Blame Copy Permalink