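# sshd_config — hardened OpenSSH server configuration.
# Written against OpenSSH 6.2+. Several directives below were removed in
# later releases and are marked as such; modern sshd logs them as deprecated
# and ignores them, so they are kept for older hosts only.

# TCP port to bind to.
# Change to a high/odd port if this server is exposed to the internet directly.
Port 22

# Bind to all IPv4 interfaces (change to a specific address if needed).
# NOTE: 0.0.0.0 is IPv4 only; add "ListenAddress ::" if IPv6 clients must connect.
ListenAddress 0.0.0.0

# Force SSHv2. Protocol 1 support was removed server-side in OpenSSH 7.4,
# where this directive is ignored.
Protocol 2

# Host keys for protocol version 2.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# DSA host keys are limited to 1024 bits and ssh-dss is disabled by default
# since OpenSSH 7.0; left commented out so the weak key is not offered.
#HostKey /etc/ssh/ssh_host_dsa_key

# Privilege separation (on by default; the directive is deprecated since 7.5).
UsePrivilegeSeparation yes

# Lifetime and size of the ephemeral protocol-1 server key.
# Protocol 1 only; both directives were removed in OpenSSH 7.4.
KeyRegenerationInterval 3600
ServerKeyBits 2048

# Limit SSH access to members of one group.
AllowGroups sshusers

# Dead-peer detection: probe after 300 s of silence and disconnect after one
# unanswered probe. The previous value, ClientAliveCountMax 0, forced a
# disconnect at the first probe on old releases, but since OpenSSH 8.2 a value
# of 0 disables disconnection entirely, so 1 is used instead.
# This is not an idle timeout: a responsive idle client stays connected.
ClientAliveInterval 300
ClientAliveCountMax 1

# Compression only after authentication ("delayed" became an alias for "yes"
# in OpenSSH 7.4, when pre-authentication compression was removed).
Compression delayed

# Logging. VERBOSE records the fingerprint of the key used for each login,
# which is what lets a session be attributed to an individual key.
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication must complete within 30 seconds.
LoginGraceTime 30

# Disable root SSH access and empty passwords.
PermitRootLogin no
PermitEmptyPasswords no

# Check ownership/permissions of the user's files before allowing access.
StrictModes yes

# Public key authentication + password authentication.
# AuthenticationMethods (OpenSSH 6.2+) requires BOTH a public key and the
# account password, in that order; a password alone is never accepted.
# RSAAuthentication applies only to protocol 1 and was removed in OpenSSH 7.4.
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# Change this depending on where your authorized_keys file is.
# This is set as a workaround when using encrypted home directories.
# Link: https://joscor.com/2013/05/putty-server-refused-our-key/
# With StrictModes on, /etc/ssh/keys/<user> and the file must be owned by
# root or that user and must not be group- or world-writable, or the key is
# rejected. Keeping keys outside $HOME also means users cannot add keys
# without administrator action.
AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys

# Message Authentication Codes (SHA-2 only).
# SHA-256 included for compat with PuTTY-WinCrypt clients.
MACs hmac-sha2-512,hmac-sha2-256

# Ciphers: AES-256 in AEAD (GCM) or CTR mode only.
# aes256-cbc has been dropped: CBC mode is subject to plaintext-recovery
# attacks and was removed from OpenSSH's default cipher list in 6.7.
# aes256-gcm@openssh.com is available from OpenSSH 6.2; on 6.5+
# chacha20-poly1305@openssh.com can be added as well.
Ciphers aes256-gcm@openssh.com,aes256-ctr

# Key exchange (Elliptic Curve Diffie-Hellman).
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients. Group exchange
# draws from /etc/ssh/moduli; remove entries smaller than 2048 bits from that
# file so a client cannot negotiate a weak group. On OpenSSH 6.5+ prefer
# curve25519-sha256@openssh.com as the first entry.
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

# Don't read the user's ~/.rhosts and ~/.shosts files.
IgnoreRhosts yes

# Disable unused authentication schemes.
# RhostsRSAAuthentication is protocol 1 only and was removed in OpenSSH 7.4.
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# PAM stays on so its account/session checks (expiry, lockout) still run for
# the password step.
UsePAM yes

# X11 support.
X11Forwarding no

# Don't show Message of the Day.
PrintMotd no

# TCP keepalives (non-tunneled) disabled; liveness is handled by ClientAlive*.
TCPKeepAlive no

# Allow the client to pass locale environment variables.
AcceptEnv LANG LC_*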