chore(ssh): improve configuration notes and examples

examples/ssh/sshd_config

@@ -1,17 +1,30 @@
 ################################################################################
 ## /etc/ssh/sshd_config
 ##
-## SSHD server system-wide configuration file.
+## OpenSSH daemon system-wide configuration file.
+## Last updated: see file modification date.
 ##
-## This sshd was compiled with PATH='/usr/bin:/bin:/usr/sbin:/sbin'.
-## The strategy used for options in the default sshd_config shipped with OpenSSH
-## is to specify options with their default value where possible, but leave them
-## commented.  Uncommented options override the default value.
+## Uncommented options override the default value.
+## Unless noted otherwise, for each keyword, the *first* obtained value will be
+## used in a first-come-first-served fashion.
+## Keywords are case-*in*sensitive, and arguments are case-*sensitive*.
 ##
 ## Sources:
 ## - https://man.openbsd.org/sshd_config
 ################################################################################
 
+# To modify the system-wide sshd configuration, create a "*.conf" file under
+# "/etc/ssh/sshd_config.d/" which will be automatically included below.
+# Don't edit this configuration file itself if possible to avoid update
+# problems.
+Include /etc/ssh/sshd_config.d/*.conf
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+Include /usr/etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -40,7 +53,7 @@ PermitRootLogin yes
 
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
+AuthorizedKeysFile      .ssh/authorized_keys
 
 #AuthorizedPrincipalsFile none
 
@@ -60,7 +73,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication yes
 
 # Kerberos options
 #KerberosAuthentication no
@@ -76,13 +89,13 @@ AuthorizedKeysFile	.ssh/authorized_keys
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
 #AllowAgentForwarding yes
@@ -92,8 +105,7 @@ X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
+PrintMotd no
 #TCPKeepAlive yes
 #PermitUserEnvironment no
 #Compression delayed
@@ -110,7 +122,7 @@ X11Forwarding yes
 #Banner none
 
 # override default of no subsystems
-Subsystem	sftp	/usr/lib/ssh/sftp-server
+Subsystem       sftp    /usr/lib/ssh/sftp-server
 
 # This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
@@ -119,7 +131,7 @@ AcceptEnv LC_IDENTIFICATION LC_ALL
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server

examples/ssh/sshd_config.defaults

@@ -0,0 +1,113 @@
+################################################################################
+## /etc/ssh/sshd_config
+##
+## OpenSSH daemon system-wide configuration file stating only default values.
+## Last updated: see file modification date.
+##
+## Uncommented options override the default value.
+## Unless noted otherwise, for each keyword, the *first* obtained value will be
+## used in a first-come-first-served fashion.
+## Keywords are case-*in*sensitive, and arguments are case-*sensitive*.
+##
+## Sources:
+## - https://man.openbsd.org/sshd_config
+################################################################################
+
+# AcceptEnv <none>
+AddressFamily any
+AllowAgentForwarding yes
+# AllowGroups <none>
+AllowStreamLocalForwarding yes
+AllowTcpForwarding yes
+# AllowUsers <none>
+AuthenticationMethods any
+# AuthorizedKeysCommand <none>
+# AuthorizedKeysCommandUser <none>
+AuthorizedKeysFile ".ssh/authorized_keys .ssh/authorized_keys2"
+# AuthorizedPrincipalsCommand <none>
+# AuthorizedPrincipalsCommandUser <none>
+# AuthorizedPrincipalsFile <none>
+# Banner <none>
+CASignatureAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
+# ChannelTimeout <none>
+ChrootDirectory none
+Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+ClientAliveCountMax 3
+ClientAliveInterval 0
+Compression yes
+# DenyGroups <none>
+# DenyUsers <none>
+DisableForwarding no
+ExposeAuthInfo no
+FingerprintHash sha256
+ForceCommand none
+GatewayPorts no
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+GSSAPIStrictAcceptorCheck yes
+HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
+HostbasedAuthentication no
+HostbasedUsesNameFromPacketOnly no
+# HostCertificate <none>
+HostKey "/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key"
+# HostKeyAgent <none>
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
+IgnoreRhosts yes
+IgnoreUserKnownHosts no
+# Include <none>
+IPQoS "af21 cs1"
+KbdInteractiveAuthentication yes
+KerberosAuthentication no
+KerberosGetAFSToken no
+KerberosOrLocalPasswd yes
+KerberosTicketCleanup yes
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ListenAddress 0.0.0.0
+LoginGraceTime 120
+LogLevel INFO
+# LogVerbose <none>
+MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
+MaxAuthTries 6
+MaxSessions 10
+MaxStartups 10:30:100
+ModuliFile /etc/moduli
+PasswordAuthentication yes
+PermitEmptyPasswords no
+PermitListen any
+PermitOpen any
+PermitRootLogin prohibit-password
+PermitTTY yes
+PermitTunnel no
+PermitUserEnvironment no
+PermitUserRC yes
+PerSourceMaxStartups none
+PerSourceNetBlockSize 32:128
+PerSourcePenalties "crash:90s authfail:5s noauth:1s grace-exceeded:20s max:10m min:15s max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive"
+# PerSourcePenaltyExemptList <none>
+PidFile /var/run/sshd.pid
+Port 22
+PrintLastLog yes
+PrintMotd yes
+PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
+PubkeyAuthOptions none
+PubkeyAuthentication yes
+RekeyLimit "default none"
+RequiredRSASize 1024
+RevokedKeys none
+# RDomain <none>
+# SecurityKeyProvider <none>
+# SetEnv <none>
+StreamLocalBindMask 0177
+StreamLocalBindUnlink no
+StrictModes yes
+# Subsystem <none>
+SyslogFacility AUTH
+TCPKeepAlive no
+TrustedUserCAKeys none
+UnusedConnectionTimeout none
+UseDNS no
+VersionAddendum none
+X11DisplayOffset 10
+X11Forwarding no
+X11UseLocalhost yes
+XAuthLocation /usr/X11R6/bin/xauth