---
# NOTE(review): presumably rendered as the sshd_config `Protocol` directive —
# confirm in the role's template. Current OpenSSH servers speak only SSH
# protocol 2 and treat `Protocol` as a deprecated option, so this value only
# matters for legacy sshd builds.
sshd_protocol: 2
sshd_port: 22
# Quoted so the value stays the string "yes" instead of becoming a YAML boolean.
# Security: this default permits direct root logins. With
# sshd_password_authentication set to "no" in this file that is presumably
# key-only, but "prohibit-password" or "no" plus sudo from named accounts keeps
# logins attributable — NOTE(review): consider a stricter default.
sshd_permit_root_login: "yes"
sshd_permit_empty_passwords: "no"
sshd_password_authentication: "no"
sshd_gssapi_authentication: "no"
sshd_strict_modes: "yes"
# Empty list by default. NOTE(review): presumably no AllowGroups restriction is
# written when this is empty, so any account with valid credentials may log in —
# confirm in the template and set an explicit admin group where possible.
sshd_allow_groups: []
sshd_ignore_rhosts: "yes"
sshd_hostbased_authentication: "no"
sshd_client_alive_interval: 900
# NOTE(review): together with sshd_client_alive_interval (900) this looks like
# an idle-timeout setting. On OpenSSH 8.2 and later a ClientAliveCountMax of 0
# disables connection termination entirely, so the timeout is not enforced
# there — verify against the sshd version on the target hosts.
sshd_client_alive_count_max: 0
# Allow-list of symmetric ciphers: AEAD modes (ChaCha20-Poly1305, AES-GCM) and
# AES-CTR; no CBC or RC4 entries. In SSH the negotiated cipher is the first
# one in the client's list that the server also supports, so the order here
# does not force a preference.
sshd_ciphers:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
# Key-exchange allow-list. NOTE(review): only the `@libssh.org` name of
# curve25519-sha256 is listed; newer OpenSSH also knows the same method as
# plain `curve25519-sha256`, and pinning this list excludes any newer
# key-exchange methods the installed sshd supports — review it on upgrades.
sshd_kex:
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
# NOTE(review): presumably the smallest Diffie-Hellman group size (bits) kept
# for diffie-hellman-group-exchange-sha256 — confirm how the role applies it.
# 2048 is a common floor; some hardening guides filter at 3071 bits or more.
sshd_moduli_minimum: 2048
# MAC allow-list: encrypt-then-MAC (`-etm`) variants are listed first, followed
# by non-ETM hmac-sha2 and umac-128 entries (presumably kept for older
# clients); no MD5, SHA-1 or 64-bit umac entries. A separate MAC is not used
# when an AEAD cipher (ChaCha20-Poly1305, AES-GCM) is negotiated.
sshd_macs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- umac-128-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-256
- umac-128@openssh.com
sshd_allow_agent_forwarding: "no"
# Security: X11 forwarding is on by default here. NOTE(review): it is rarely
# needed on servers and adds attack surface between the host and the user's X
# display; consider defaulting to "no" and enabling it per host.
sshd_x11_forwarding: "yes"
# Security: TCP forwarding is on by default, which lets any authenticated user
# tunnel connections through this host and can bypass network segmentation.
# NOTE(review): consider "no" (or restricting it per user/group) unless needed.
sshd_allow_tcp_forwarding: "yes"
sshd_compression: delayed
sshd_log_level: INFO
sshd_max_auth_tries: 6
sshd_max_sessions: 10
sshd_tcp_keep_alive: "yes"
sshd_use_dns: "no"
sshd_login_grace_time: 60
# Quoted so the colon-separated value stays a string. In sshd's MaxStartups
# "start:rate:full" form this means: begin refusing 30% of new unauthenticated
# connections at 10 pending, rising to 100% at 60. NOTE(review): presumably
# mapped to MaxStartups — confirm in the template.
sshd_max_startups: "10:30:60"
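# Written as the canonical lowercase boolean (`true`), which loads the same
# way across YAML 1.1/1.2 parsers and passes yamllint's `truthy` rule.
# NOTE(review): the name suggests this toggles a system-wide crypto policy
# for sshd, but the consuming tasks are not visible here — confirm whether it
# takes precedence over sshd_ciphers, sshd_kex and sshd_macs.
sshd_crypto_policy_enabled: true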
# @var sshd_challenge_response_authentication:description: >
# If you disable password auth you should disable ChallengeResponseAuth also.
# @end
# NOTE(review): newer OpenSSH releases treat ChallengeResponseAuthentication as
# a deprecated alias of KbdInteractiveAuthentication — confirm which directive
# the template writes for the sshd versions in use.
sshd_challenge_response_authentication: "no"
# @var sshd_google_auth_enabled:description: >
# Google Authenticator requires ChallengeResponseAuth!
# @end
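# Off by default; written as the canonical lowercase boolean (`false`).
# The description above says Google Authenticator needs challenge-response
# authentication, which this file defaults to "no" — NOTE(review): confirm the
# role enables it (or fails loudly) when this flag is set to true.
sshd_google_auth_enabled: false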
# @var sshd_google_auth_exclude_group:description: Exclude a group from 2FA auth
# @var sshd_google_auth_exclude_group:example: $ "my_group"
# @var sshd_google_auth_exclude_group: $ "_unset_"