# This is the sshd server system-wide configuration file deployed and managed by # Ansible. # See sshd_config(5) and the "deploy_ssh_server_config" Ansible role for more # information. # This config doesn't set all options and leaves some to the sshd defaults. # The sshd defaults should be alright, so this config is only really setting # options in cases where we want to intentionally have an option a certain way # for some reason or another. For example for hardening, improved loggin, etc. ## Use the HostKey preference, Ciphers and algorithms from Mozillas Modern ## guidelines. # Supported HostKey algorithms by order of preference. HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com ## Authentication Settings. # Require only "publickey" for authentication. # From Mozillas Modern guidelines. AuthenticationMethods publickey # Enable "PubkeyAuthentication" accordingly. PubkeyAuthentication yes # Don't do the other authentication types. PasswordAuthentication no ChallengeResponseAuthentication no KerberosAuthentication no GSSAPIAuthentication no # Don't allow root login. PermitRootLogin no # Set this to "yes", but have "PasswordAuthentication" and # "ChallengeResponseAuthentication" set to "no", to have account and session # checks run. # See "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config" for more # information. UsePAM yes ## Miscellaneous Settings. # X11 forwarding shouldn't be needed. X11Forwarding no # Printing this isn't needed. PrintMotd no # Print time and date of last login, since that's nice. PrintLastLog yes # Disable general environment processing. PermitUserEnvironment no # Allow client to pass locale environment variables. # From "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config". AcceptEnv LANG LC_* # Request response from client after 120 seconds of no communication. # Taken from "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config". ClientAliveInterval 120 ## Logging # Set "LogLevel" to "VERBOSE" to log users key fingerprints on login. # This is needed for a clear audit track. # From Mozillas Modern guidelines. LogLevel VERBOSE # Enable the sftp subsystem and log properly. # From Mozillas Modern guidelines and # "docs/Debian_11_cloud_2023-04-21_default_etc_ssh_sshd_config". Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO