44 lines
1.1 KiB
YAML
44 lines
1.1 KiB
YAML
---
|
|
# SSH server configuration
|
|
ssh_port: 22
|
|
ssh_listen_addresses: ['0.0.0.0']
|
|
ssh_permit_root_login: 'no'
|
|
ssh_password_authentication: 'no'
|
|
ssh_pubkey_authentication: 'yes'
|
|
ssh_max_auth_tries: 3
|
|
ssh_client_alive_interval: 300
|
|
ssh_max_sessions: 10
|
|
ssh_allowed_users: [] # Restrict to specific users
|
|
ssh_allowed_groups: ['sudo', 'ssh']
|
|
|
|
# Security hardening
|
|
ssh_kex_algorithms:
|
|
- curve25519-sha256@libssh.org
|
|
- diffie-hellman-group16-sha512
|
|
ssh_ciphers:
|
|
- chacha20-poly1305@openssh.com
|
|
- aes256-gcm@openssh.com
|
|
ssh_macs:
|
|
- hmac-sha2-256-etm@openssh.com
|
|
- hmac-sha2-512-etm@openssh.com
|
|
|
|
# Additional security settings
|
|
ssh_protocol: 2
|
|
ssh_use_dns: 'no'
|
|
ssh_permit_empty_passwords: 'no'
|
|
ssh_challenge_response_auth: 'no'
|
|
ssh_gss_api_authentication: 'no'
|
|
ssh_x11_forwarding: 'no'
|
|
ssh_print_motd: 'no'
|
|
ssh_tcp_keep_alive: 'yes'
|
|
ssh_compression: 'no'
|
|
|
|
# Log level (QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3)
|
|
ssh_log_level: 'INFO'
|
|
|
|
# Maximum number of concurrent unauthenticated connections
|
|
ssh_max_startups: '10:30:100'
|
|
|
|
# Timeout for authentication
|
|
ssh_login_grace_time: '2m'
|