Marc S. Weidner
d3f9bec31c
Some checks failed
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m3s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m56s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
135 lines
5.5 KiB
Plaintext
135 lines
5.5 KiB
Plaintext
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
### Version Master V8.13.096.2025.10.09
|
|
|
|
### https://www.ssh-audit.com/
|
|
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
|
|
|
|
Include /etc/ssh/sshd_config.d/*.conf
|
|
|
|
Protocol 2
|
|
|
|
Banner /etc/banner
|
|
DebianBanner no
|
|
VersionAddendum none
|
|
|
|
Compression no
|
|
LogLevel VERBOSE
|
|
|
|
AddressFamily any
|
|
ListenAddress 0.0.0.0
|
|
ListenAddress ::
|
|
Port MUST_BE_CHANGED
|
|
AllowUsers root
|
|
UseDNS no
|
|
### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
|
|
RekeyLimit 1G 1h
|
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
TrustedUserCAKeys none
|
|
|
|
PubkeyAuthentication yes
|
|
PermitRootLogin prohibit-password
|
|
PasswordAuthentication no
|
|
PermitEmptyPasswords no
|
|
StrictModes yes
|
|
LoginGraceTime 2m
|
|
MaxAuthTries 3
|
|
MaxSessions 2
|
|
### Begin randomly dropping new unauthenticated connections after the 8th attempt,
|
|
### with a 64% chance to drop each additional connection, up to a hard limit of 16.
|
|
MaxStartups 08:64:16
|
|
### Restrict each individual source IP to only 4 unauthenticated connection slot
|
|
### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
|
|
PerSourceMaxStartups 8
|
|
ClientAliveInterval 300
|
|
ClientAliveCountMax 2
|
|
|
|
AuthorizedKeysFile %h/.ssh/authorized_keys
|
|
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding no
|
|
X11Forwarding no
|
|
GatewayPorts no
|
|
|
|
### A+ Rating 100/100
|
|
RequiredRSASize 4096
|
|
Ciphers aes256-gcm@openssh.com
|
|
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
|
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
|
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
|
|
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
|
|
HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
|
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
|
|
|
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
|
|
KbdInteractiveAuthentication no
|
|
|
|
### Set this to 'yes' to enable PAM authentication, account processing,
|
|
### and session processing. If this is enabled, PAM authentication will
|
|
### be allowed through the ChallengeResponseAuthentication and
|
|
### PasswordAuthentication. Depending on your PAM configuration,
|
|
### PAM authentication via ChallengeResponseAuthentication may bypass
|
|
### the setting of "PermitRootLogin without-password".
|
|
### If you just want the PAM account and session checks to run without
|
|
### PAM authentication, then enable this but set PasswordAuthentication
|
|
### and ChallengeResponseAuthentication to 'no'.
|
|
UsePAM yes
|
|
|
|
### Allow client to pass locale environment variables
|
|
AcceptEnv LANG LC_*
|
|
|
|
### override default of no subsystems
|
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
|
|
PidFile /var/run/sshd.pid
|
|
PrintMotd no
|
|
PrintLastLog yes
|
|
TCPKeepAlive no
|
|
|
|
### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
|
|
### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
|
|
HostbasedAuthentication no
|
|
|
|
### Don't read the user's ~/.rhosts and ~/.shosts files
|
|
# IgnoreRhosts yes
|
|
|
|
# UsePrivilegeSeparation yes
|
|
|
|
### Kerberos options
|
|
# KerberosAuthentication no
|
|
# KerberosOrLocalPasswd yes
|
|
# KerberosTicketCleanup yes
|
|
# KerberosGetAFSToken no
|
|
|
|
### GSSAPI options
|
|
# GSSAPIAuthentication no
|
|
# GSSAPICleanupCredentials yes
|
|
# GSSAPIStrictAcceptorCheck yes
|
|
# GSSAPIKeyExchange no
|
|
|
|
# AuthorizedPrincipalsFile none
|
|
# AuthorizedKeysCommand none
|
|
# AuthorizedKeysCommandUser nobody
|
|
|
|
# PermitTunnel no
|
|
# ChrootDirectory none
|
|
# X11DisplayOffset 10
|
|
# X11UseLocalhost yes
|
|
# PermitTTY yes
|
|
# PermitUserEnvironment no
|
|
# IgnoreUserKnownHosts no
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|