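# Validate sshd_config before restarting. A syntax error, or an algorithm
# name this OpenSSH build does not know ("Bad SSH2 KexAlgorithms ..."),
# would otherwise leave sshd down and can lock you out of a remote host.
# The `&&` makes the restart conditional on the check passing. Keep the
# current session open and confirm a fresh login works before closing it.
sudo sshd -t && sudo systemctl restart sshd
sudo systemctl status sshd
# Note: the unit is called "ssh" rather than "sshd" on Debian/Ubuntu.
# `sudo sshd -T` dumps the effective configuration and is the quickest way
# to confirm the Kex/Cipher/MAC/HostKey lists actually took effect.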
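# /etc/ssh/sshd_config
# sshd_config(5): https://man.openbsd.org/sshd_config
# Removed / legacy options: https://www.openssh.com/legacy.html
#
# Validate with `sshd -t` before reloading and inspect the effective result
# with `sshd -T`: several options below depend on the OpenSSH version and a
# name the server does not know makes the whole config fail to load.

AddressFamily inet
# IPv4 only. Note this removes the IPv6 path entirely: sshd will not listen
# on any IPv6 address even if the host has IPv6 connectivity.

ListenAddress x.x.x.x
# The default is to listen on all local addresses. Pinning a specific address
# (replace x.x.x.x) keeps sshd off interfaces it was never meant to serve.

Protocol 2
# Only protocol version 2. OpenSSH >= 7.6 speaks nothing else and treats this
# keyword as a deprecated no-op (it may log a "Deprecated option" warning);
# it is kept here only so the file still pins v2 on older servers.

LogLevel VERBOSE
# Records the fingerprint of the key that authenticated each login, which is
# what lets you attribute a session to one authorized_keys entry. (Recent
# releases include the fingerprint at the default INFO level as well.)

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Key files must be owned by root and not group/world readable, otherwise
# sshd refuses to load them. Only these two host keys are offered, so
# HostKeyAlgorithms below must list algorithms that match them.

PermitRootLogin no
# root never authenticates over SSH; log in as an unprivileged user and sudo.

AuthenticationMethods publickey
# Only a successful public-key exchange completes authentication.
PasswordAuthentication no
# Belt and braces: AuthenticationMethods already never lets a password
# succeed, but disabling the method keeps the password/PAM code path out of
# the picture altogether. Also set `KbdInteractiveAuthentication no`
# (`ChallengeResponseAuthentication no` before OpenSSH 8.7) unless PAM-based
# second factors are deliberately in use.

PubkeyAcceptedAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
# This is the option that restricts which USER (client) key types are
# accepted: ed25519 for everything, ecdsa-sha2-nistp256 for Secretive /
# Secure Enclave keys. HostKeyAlgorithms (below) does not do this. The option
# was named PubkeyAcceptedKeyTypes before OpenSSH 8.5; the old name is still
# accepted as an alias. Add sk-ssh-ed25519@openssh.com /
# sk-ecdsa-sha2-nistp256@openssh.com for FIDO security keys, and the
# *-cert-v01@openssh.com variants if SSH user certificates are used.

Subsystem sftp internal-sftp
# In-process SFTP server: no external binary, so it works under
# ChrootDirectory. See https://serverfault.com/a/660325 for the differences
# from `Subsystem sftp /usr/libexec/openssh/sftp-server`.
# Removing the subsystem to shrink the attack surface is fine only if no one
# needs file transfer at all: since OpenSSH 9.0 `scp` itself uses the SFTP
# protocol, so it breaks too (clients would have to pass `scp -O`).

# Cryptography
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Only X25519 key exchange. The @libssh.org name is the same algorithm under
# its pre-standardisation identifier and keeps older clients working.
# On servers running OpenSSH >= 9.0, put sntrup761x25519-sha512@openssh.com
# first for a post-quantum hybrid exchange; older sshd rejects unknown
# names, so add it only where `sshd -t` accepts it.

HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
# Signature algorithms the SERVER uses to prove its own identity, matching
# the two HostKey files above. This does not constrain the keys clients
# authenticate with; that is PubkeyAcceptedAlgorithms. Add the
# *-cert-v01@openssh.com variants if host certificates are deployed.

Ciphers chacha20-poly1305@openssh.com
# ChaCha20-Poly1305 is preferred over AES-GCM because with GCM (or any
# encrypt-then-MAC construction) the SSH packet length field is sent in the
# clear, which allows some traffic analysis without decrypting payloads;
# chacha20-poly1305@openssh.com encrypts the length as well.
# See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html
# Caveat: this cipher and the *-etm MACs below are the modes targeted by the
# Terrapin prefix-truncation attack (CVE-2023-48795). Run OpenSSH >= 9.6 on
# both server and clients so the "strict KEX" extension is negotiated.

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Encrypt-then-MAC only: HMAC-SHA2-512/256 or UMAC-128.
# With chacha20-poly1305@openssh.com as the sole cipher this list is never
# exercised (the AEAD carries its own integrity tag); it only matters if
# Ciphers is ever widened to a non-AEAD mode such as aes256-ctr.
# https://crypto.stackexchange.com/a/56432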