💾 Archived View for gopher.zcrayfish.soy › 0 › irc › sshd_config captured on 2023-07-22 at 16:51:54.

View Raw

More Information

⬅️ Previous capture (2022-03-01)

➡️ Next capture (2024-07-08)

-=-=-=-=-=-=-

#Try to use only ed25519 keys if possible!
#HostKey /etc/ssh/ssh_host_key
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Minimum accepted size of the DH parameter p. By default this is set to 1024
# to maintain compatibility with RFC4419, but should be set higher.
# Upstream default is identical to setting this to 2048.
# Using higher values will boot insecure/older clients including many brute forcers
KexDHMin 8192

# Rekey frequently
RekeyLimit default 1h

# Log useful information
LogLevel VERBOSE

# Don't allow most IPs to login as root, or idle excessively on the login screen
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
# Only allow 4 connections per IP, and boot brute forcers quickly
MaxAuthTries 1
MaxSessions 4

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

AllowGroups zachary
AllowTcpForwarding yes
AllowUsers zachary
PrintMotd yes
PrintLastLog yes
#Don't use TCP keep alives, they are dumb as fuck, use SSH keep alives
TCPKeepAlive no
#Do not allow compression until login is complete
Compression delayed
#SSH keep alives are much more reliable than TCP keep alives
#keep alives will be sent every 45 seconds
#the client will be considered dead after failing to respond to 
#13-in-a-row keepalives
ClientAliveInterval 45
ClientAliveCountMax 13
#Always lookup hostname of connecting clients
UseDNS yes
#More dealing with brute force assholes
MaxStartups 3:80:15
PermitTunnel no

#Use only the most secure key algorithms, key exchanges, ciphers and MACs
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
KexAlgorithms curve25519-sha256@libssh.org
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
#MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

Match Address 1.2.3.4/32
    PermitRootLogin yes
    AllowUsers zachary root
    AllowGroups zachary root 
Match All