💾 Archived View for gopher.zcrayfish.soy › 0 › irc › sshd_config captured on 2022-03-01 at 15:34:05.
#Try to use only ed25519 keys if possible!
#HostKey /etc/ssh/ssh_host_key
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Minimum accepted size of the DH parameter p. By default this is set to 1024
# to maintain compatibility with RFC4419, but should be set higher.
# Upstream default is identical to setting this to 2048.
# Using higher values will boot insecure/older clients including many brute forcers
KexDHMin 8192

# Rekey frequently
RekeyLimit default 1h

# Log useful information
LogLevel VERBOSE

# Don't allow most IPs to login as root, or idle excessively on the login screen
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes

# Only allow 4 connections per IP, and boot brute forcers quickly
MaxAuthTries 1
MaxSessions 4

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

AllowGroups zachary
AllowTcpForwarding yes
AllowUsers zachary
PrintMotd yes
PrintLastLog yes

#Don't use TCP keep alives, they are dumb as fuck, use SSH keep alives
TCPKeepAlive no

#Do not allow compression until login is complete
Compression delayed

#SSH keep alives are much more reliable than TCP keep alives
#keep alives will be sent every 45 seconds
#the client will be considered dead after failing to respond to
#13-in-a-row keepalives
ClientAliveInterval 45
ClientAliveCountMax 13

#Always lookup hostname of connecting clients
UseDNS yes

#More dealing with brute force assholes
MaxStartups 3:80:15
PermitTunnel no

#Use only the most secure key algorithms, key exchanges, ciphers and MACs
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
KexAlgorithms curve25519-sha256@libssh.org
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

Match Address 1.2.3.4/32
    PermitRootLogin yes
    AllowUsers zachary root
    AllowGroups zachary root
Match All