sshd

debian

openssh-server

Todo

refresh sshd_config configuration

Check options

sshd -t validates the configuration file; sshd -T additionally prints the effective configuration (defaults included) and exits.

sshd -t
sshd -T

List algorithms

ssh -Q cipher
ssh -Q cipher-auth
ssh -Q mac
ssh -Q kex
ssh -Q key

Configure

  • /etc/ssh/moduli

Generate a pool of usable primes. Note that /etc/ssh/moduli is only consumed by the diffie-hellman-group-exchange-* key exchange methods; the KexAlgorithms setting below lists none of them, so this step is optional for that configuration.

Warning

These are VERY long operations!

ssh-keygen -b 4096 -G 4096.G
ssh-keygen -f 4096.G -T moduli
  • /etc/ssh/ssh_host_*_key

types: rsa/ed25519/…?

ssh-keygen -b 4096 -f /etc/ssh/ssh_host_rsa_key
  • /etc/ssh/sshd_config

# daemon
AllowTcpForwarding yes
ClientAliveInterval 30
Compression no
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
LogLevel INFO
MaxStartups 16:32:64
PermitTunnel no
Port 22
# Protocol, UseLogin and UsePrivilegeSeparation are accepted only as
# deprecated no-ops by OpenSSH 7.5 and later (SSH-1 and UseLogin were
# removed in 7.4, privilege separation is always on since 7.5)
Protocol 2
Subsystem sftp internal-sftp
TCPKeepAlive yes
UseDNS no
UseLogin no
# with UsePAM no, the PAM account/session modules of the Debian sshd stack are not run
UsePAM no
X11Forwarding no

# authentication
AuthorizedKeysFile .ssh/authorized_keys
# deprecated alias of KbdInteractiveAuthentication since OpenSSH 8.7
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
HostbasedAuthentication no
# requires OpenSSH 8.5 or later on both ends; older clients cannot
# negotiate a key exchange with this server
KexAlgorithms sntrup761x25519-sha512@openssh.com
LoginGraceTime 60
MACs hmac-sha2-512-etm@openssh.com
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
StrictModes yes
UsePrivilegeSeparation sandbox

# prompt
Banner none
# DebianBanner exists only in the Debian/Ubuntu packages; upstream sshd rejects it
DebianBanner no
PrintLastLog yes
PrintMotd no
VersionAddendum none
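Added example (not part of these notes): a POSIX sh script that ties the "Check options" step to the sshd_config above. It compares the effective configuration as printed by sshd -T with the hardening values from the listing, and counts lines in a config file that set options current OpenSSH only accepts as deprecated no-ops. So that it runs offline, the sshd -T output and the legacy config are constructed samples embedded in the script; the function names, the `--live` switch and the sample values are assumptions made here, not anything from OpenSSH itself.

```shell
#!/bin/sh
# Compare an `sshd -T` dump against the hardening values from the sshd_config
# above, and flag deprecated options in a config file. Example code added to
# these notes, not part of OpenSSH or the Debian package.

# Constructed sample of `sshd -T` output (sshd -T prints lower-case keys).
# It deliberately deviates in two places: passwordauthentication and macs.
SAMPLE_SSHD_T='port 22
addressfamily any
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
x11forwarding no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms sntrup761x25519-sha512@openssh.com
usedns no
logingracetime 60'

# Constructed sshd_config fragment carrying three deprecated keywords.
SAMPLE_LEGACY_CONFIG='Port 22
Protocol 2
UseLogin no
UsePrivilegeSeparation sandbox
PasswordAuthentication no'

# Expected values, copied from the sshd_config above, as `sshd -T` prints them.
EXPECTED='permitrootlogin prohibit-password
passwordauthentication no
pubkeyauthentication yes
x11forwarding no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com
kexalgorithms sntrup761x25519-sha512@openssh.com
usedns no
logingracetime 60'

# check_sshd_config DUMP
#   DUMP is `sshd -T` output. Prints one line per deviation and returns the
#   number of deviations (0 = compliant), usable directly as an exit status.
check_sshd_config() {
    dump=$1
    mismatches=0
    # read EXPECTED via a heredoc (not a pipe) so the counter is not lost in a subshell
    while IFS=' ' read -r key want; do
        [ -n "$key" ] || continue
        # value of the first line of the dump whose first word is the key
        have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have "%s", want "%s"\n' "$key" "${have:-<unset>}" "$want"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$mismatches"
}

# count_deprecated_options CONFIG_TEXT
#   Prints how many lines set Protocol, UseLogin or UsePrivilegeSeparation,
#   which OpenSSH 7.5+ only logs as "Deprecated option" and ignores.
count_deprecated_options() {
    printf '%s\n' "$1" | grep -c -i -E '^[[:space:]]*(protocol|uselogin|useprivilegeseparation)[[:space:]]' || true
}

# With --live, check the running host's effective configuration instead of the sample.
if [ "${1:-}" = "--live" ]; then
    check_sshd_config "$(sshd -T 2>/dev/null)" || echo "$? setting(s) deviate from the policy"
else
    check_sshd_config "$SAMPLE_SSHD_T" || echo "$? setting(s) deviate from the policy"
fi
printf 'deprecated options in legacy sample: %s\n' "$(count_deprecated_options "$SAMPLE_LEGACY_CONFIG")"
```

Run it without arguments to see the two sample deviations reported, or as root with `--live` to check the host's actual sshd. Because the exit status is the number of deviations, it can be chained directly after `sshd -t` in a deployment check.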
  • authorized_keys

Todo

about