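# This configuration has been automatically generated
# by YunoHost
#
# It is an OpenSSH sshd_config rendered from a Jinja2 template. Template
# variables used: port, ipv6_enabled, ssh_keys, compatibility,
# password_authentication.

Protocol 2

# PLEASE: if you wish to change the ssh port properly in YunoHost, use this command:
#   yunohost settings set security.ssh.ssh_port -v <port>

Port {{ port }}

{% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
ListenAddress 0.0.0.0

{% for key in ssh_keys.split() %}
HostKey {{ key }}{% endfor %}

# ##############################################
# Stuff recommended by Mozilla "modern" compat'
# https://infosec.mozilla.org/guidelines/openssh
# ##############################################

{% if compatibility == "intermediate" %}
# "intermediate" compatibility profile: CTR ciphers and plain HMAC for older
# clients. Key exchange relies on DH group exchange only, so the strength of
# the exchange depends on /etc/ssh/moduli — per the Mozilla guideline above,
# moduli smaller than 2048 bits should be removed from that file.
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
{% else %}
# By default use "modern" Mozilla configuration
# Keys, ciphers and MACs (AEAD ciphers and encrypt-then-MAC variants first)
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
{% endif %}

# LogLevel VERBOSE logs the user's key fingerprint on login.
# Needed to have a clear audit trail of which key was used to log in.
SyslogFacility AUTH
LogLevel VERBOSE

# #######################
# Authentication settings
# #######################

# Comment from Mozilla about the motivation behind disabling root login
#
# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id, however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.

LoginGraceTime 120
# Global default; overridden to "yes" for private address ranges in the last Match block below.
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
# ChallengeResponseAuthentication is the pre-8.7 spelling of KbdInteractiveAuthentication;
# recent OpenSSH still accepts it as an alias.
ChallengeResponseAuthentication no
UsePAM yes

# PLEASE: if you wish to force everybody to authenticate using ssh keys, run this command:
#   yunohost settings set security.ssh.ssh_password_authentication -v no
{% if password_authentication == "False" %}
PasswordAuthentication no
{% else %}
# Left commented out: sshd's built-in default for PasswordAuthentication is "yes".
#PasswordAuthentication yes
{% endif %}

# Post-login stuff
#
Banner none
PrintMotd no
PrintLastLog yes
ClientAliveInterval 60
AcceptEnv LANG LC_*

# Disallow users without ssh or sftp permissions
AllowGroups ssh.main sftp.main ssh.app sftp.app admins root

# Allow users to create tunnels or forwarding
# (these are the sshd defaults; restated here because the SFTP-only Match blocks below turn them off)
AllowTcpForwarding yes
AllowStreamLocalForwarding yes
PermitTunnel yes
PermitUserRC yes

# SFTP stuff
Subsystem sftp internal-sftp

# Apply the following instructions to users with sftp perm only.
# Note: sshd keywords inside a Match block override the global values above
# for connections that match.
Match Group sftp.main,!ssh.main
    ForceCommand internal-sftp
    # We can't restrict to /home/%u because the chroot base must be owned by root
    # So we chroot only on /home
    # See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
    # Consequence: a chrooted sftp.main user sees /home and can list other users'
    # home directories as far as their filesystem permissions allow.
    ChrootDirectory /home
    # Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
    PermitUserRC no

Match Group sftp.app,!ssh.app
    ForceCommand internal-sftp
    # Chroot into the app user's own home. sshd requires %h and every path
    # component above it to be owned by root and not group/world-writable,
    # otherwise the login is rejected ("bad ownership or modes for chroot directory").
    ChrootDirectory %h
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    PermitUserRC no
    # NOTE: this overrides the global setting above, so sftp.app accounts keep
    # password login even when security.ssh.ssh_password_authentication is set to no.
    # Only internal-sftp is reachable with it (ForceCommand), but the password is
    # still exposed to online guessing on the SSH port.
    PasswordAuthentication yes

# root login is allowed on local networks
# It's meant to be a backup solution in case LDAP is down and
# user admin can't be used...
# If the server is a VPS, it's expected that the owner of the
# server has access to a web console through which to log in.
#
# NOTE(review): "yes" (rather than "prohibit-password") also permits root
# *password* login from any host in these ranges — including every device
# behind the same NAT — whenever PasswordAuthentication is enabled. The
# address check is purely IP-based; address spoofing aside, any compromised
# LAN host can brute-force root here, so a strong root password matters.
Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
    PermitRootLogin yes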