diff --git a/server/xb000-0/ssh/sshd_config b/server/xb000-0/ssh/sshd_config new file mode 100644 index 0000000..2e88f73 --- /dev/null +++ b/server/xb000-0/ssh/sshd_config @@ -0,0 +1,122 @@ +# Inferencium +# SSH - sshd Configuration + +# Copyright 2023 Jake Winters +# SPDX-License-Identifier: BSD-3-Clause-Clear + +# Version: 0.0.1.1 + + +Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# Keys +HostKey /etc/ssh/ssh-host-ed25519 +HostKeyAlgorithms ssh-ed25519 +KexAlgorithms sntrup761x25519-sha512@openssh.com +PubkeyAcceptedKeyTypes ssh-ed25519 + +# Ciphers +Ciphers chacha20-poly1305@openssh.com + +MACs -* + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication +LoginGraceTime 30s +PermitRootLogin yes +StrictModes yes +MaxAuthTries 1 +MaxSessions 5 + +PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +PermitEmptyPasswords no + +# Change to no to disable s/key passwords +KbdInteractiveAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the KbdInteractiveAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via KbdInteractiveAuthentication may bypass +# the setting of "PermitRootLogin prohibit-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and KbdInteractiveAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/misc/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + +# Allow client to pass locale environment variables. #367017 +AcceptEnv LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + +# Allow client to pass COLORTERM to match TERM. #658540 +AcceptEnv COLORTERM