################################################################################ ## /etc/ssh/sshd_config ## ## OpenSSH daemon system-wide configuration file stating only default values. ## Last updated: see file modification date. ## ## Uncommented options override the default value. ## Unless noted otherwise, for each keyword, the *first* obtained value will be ## used in a first-come-first-served fashion. ## Keywords are case-*in*sensitive, and arguments are case-*sensitive*. ## ## Sources: ## - https://man.openbsd.org/sshd_config ################################################################################ # AcceptEnv AddressFamily any AllowAgentForwarding yes # AllowGroups AllowStreamLocalForwarding yes AllowTcpForwarding yes # AllowUsers AuthenticationMethods any # AuthorizedKeysCommand # AuthorizedKeysCommandUser AuthorizedKeysFile ".ssh/authorized_keys .ssh/authorized_keys2" # AuthorizedPrincipalsCommand # AuthorizedPrincipalsCommandUser # AuthorizedPrincipalsFile # Banner CASignatureAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 # ChannelTimeout ChrootDirectory none Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com ClientAliveCountMax 3 ClientAliveInterval 0 Compression yes # DenyGroups # DenyUsers DisableForwarding no ExposeAuthInfo no FingerprintHash sha256 ForceCommand none GatewayPorts no GSSAPIAuthentication no GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck yes HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 HostbasedAuthentication no HostbasedUsesNameFromPacketOnly no # HostCertificate HostKey "/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key" # HostKeyAgent HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 IgnoreRhosts yes IgnoreUserKnownHosts no # Include IPQoS "af21 cs1" KbdInteractiveAuthentication yes KerberosAuthentication no KerberosGetAFSToken no KerberosOrLocalPasswd yes KerberosTicketCleanup yes KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 ListenAddress 0.0.0.0 LoginGraceTime 120 LogLevel INFO # LogVerbose MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 MaxAuthTries 6 MaxSessions 10 MaxStartups 10:30:100 ModuliFile /etc/moduli PasswordAuthentication yes PermitEmptyPasswords no PermitListen any PermitOpen any PermitRootLogin prohibit-password PermitTTY yes PermitTunnel no PermitUserEnvironment no PermitUserRC yes PerSourceMaxStartups none PerSourceNetBlockSize 32:128 PerSourcePenalties "crash:90s authfail:5s noauth:1s grace-exceeded:20s max:10m min:15s max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive" # PerSourcePenaltyExemptList PidFile /var/run/sshd.pid Port 22 PrintLastLog yes PrintMotd yes PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 PubkeyAuthOptions none PubkeyAuthentication yes RekeyLimit "default none" RequiredRSASize 1024 RevokedKeys none # RDomain # SecurityKeyProvider # SetEnv StreamLocalBindMask 0177 StreamLocalBindUnlink no StrictModes yes # Subsystem SyslogFacility AUTH TCPKeepAlive no TrustedUserCAKeys none UnusedConnectionTimeout none UseDNS no VersionAddendum none X11DisplayOffset 10 X11Forwarding no X11UseLocalhost yes XAuthLocation /usr/X11R6/bin/xauth