sshd ==== ====== ============== debian openssh-server ====== ============== .. todo:: refresh sshd_config configuration Check options ------------- :: sshd -t sshd -T List algorithms --------------- :: ssh -Q cipher ssh -Q cipher-auth ssh -Q mac ssh -Q kex ssh -Q key Configure --------- * /etc/ssh/moduli Generate usable prime numbers pool. .. warning:: These are **VERY** long operations! .. code:: shell ssh-keygen -b 4096 -G 4096.G ssh-keygen -f 4096.G -T moduli * /etc/ssh/ssh_host_*_key types: rsa/ed25519/…? .. code:: shell ssh-keygen -b 4096 -f /etc/ssh/ssh_host_rsa_key * /etc/ssh/sshd_config :: # daemon AllowTcpForwarding yes ClientAliveInterval 30 Compression no HostKey /etc/ssh/ssh_host_rsa_key IgnoreRhosts yes LogLevel INFO MaxStartups 16:32:64 PermitTunnel no Port 22 Protocol 2 Subsystem sftp internal-sftp TCPKeepAlive yes UseDNS no UseLogin no UsePAM yes X11Forwarding no # authentication AuthorizedKeysFile .ssh/authorized_keys ChallengeResponseAuthentication no Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr HostbasedAuthentication no KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 LoginGraceTime 60 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256 PasswordAuthentication no PermitEmptyPasswords no PermitRootLogin without-password PubkeyAuthentication yes StrictModes yes UsePrivilegeSeparation sandbox # prompt Banner none DebianBanner no PrintLastLog yes PrintMotd no VersionAddendum none * authorized_keys .. todo:: about