## Client

### ssh_config

```
# ~/.ssh/config
# ssh_config(5)

Host *
# For all hosts use the following directives

Protocol 2
# Use only protocol version two

IdentitiesOnly yes
# By default ssh will send all public keys (identities) in ~/.ssh to the server if you don't specify which key to use with -i
# This prevents that by only using the public keys explicitly configured in config or specified with -i

VisualHostKey yes
# Print an ASCII art representation of the remote host key fingerprint at login and for unknown host keys

HashKnownHosts yes
# Hash host names and addresses when they are added to ~/.ssh/known_hosts.
# ssh-keygen -R hostname
# Removes all keys belonging to hostname from a known_hosts file.

UseRoaming no
# Mitigates CVE-2016-0777

# Cryptography
KexAlgorithms curve25519-sha256
# Allow only curve25519

HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
# Accept only ed25519, ECDSA and RSA SHA2 host keys from the server
# (the key types used for client authentication are governed by PubkeyAcceptedAlgorithms, not by this directive)
# ed25519 is the preferred key type
# ECDSA for Secretive/Secure Enclave keys
# rsa-sha2-* for compatibility

Ciphers chacha20-poly1305@openssh.com
# Only use chacha20-poly1305
# Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does
# not encrypt message sizes when GCM (or EtM) is in use.
# This allows some traffic analysis even without decrypting the data.
# See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Only use encrypt then mac (etm) MACs
# Allow only HMAC-SHA2-512/256 or UMAC-128
# https://crypto.stackexchange.com/a/56432
```
## Server

### Permissions
Only allow your user to access ~/.ssh and ~/.ssh/authorized_keys.
```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```
These permissions are required by the StrictModes directive.
### sshd_config
```
# /etc/ssh/sshd_config
# sshd_config(5)

AddressFamily inet
# Only use IPv4

ListenAddress x.x.x.x
# Default is to listen on all local addresses
# Better to specify an actual IP address to listen on

Protocol 2
# Only use protocol version 2

LogLevel VERBOSE
# Logs user's key fingerprint on login

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
# Key files cannot be group/world-accessible

PermitRootLogin no
# root user cannot login via SSH

AuthenticationMethods publickey
# Only allow public key authentication for login

Subsystem sftp internal-sftp
# Use sshd internal SFTP server code (plays nicer with Chroot)
# See https://serverfault.com/a/660325 for differences with
# Subsystem sftp /usr/libexec/openssh/sftp-server
# If you just scp files you can disable this to reduce attack surface

# Cryptography
KexAlgorithms curve25519-sha256
# Allow only curve25519

HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
# Offer only ed25519, ECDSA and RSA SHA2 host keys to clients
# (the key types accepted for client authentication are governed by PubkeyAcceptedAlgorithms, not by this directive)
# ECDSA for Secretive/Secure Enclave keys
# ed25519 is the preferred key type
# rsa-sha2-* for compatibility

Ciphers chacha20-poly1305@openssh.com
# Only use chacha20-poly1305
# Chacha20-poly1305 is preferred over AES-GCM because the SSH protocol does
# not encrypt message sizes when GCM (or EtM) is in use.
# This allows some traffic analysis even without decrypting the data.
# See: http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Only use encrypt then mac (etm) MACs
# Allow only HMAC-SHA2-512/256 or UMAC-128
# https://crypto.stackexchange.com/a/56432
```
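As an added example (not part of the original page or of OpenSSH), a small Python audit that parses sshd_config(5) syntax and checks a constructed sample against the hardening directives above; `parse_sshd_config`, `audit`, the rule tables and `SAMPLE` are my own names and data. It audits only the global section, since anything after a `Match` block applies conditionally.

```python
import re
# Allowlists and required values taken from the sshd_config shown above.
ALLOWED = {
    "kexalgorithms": {"curve25519-sha256"},
    "ciphers": {"chacha20-poly1305@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
REQUIRED = {"permitrootlogin": "no", "authenticationmethods": "publickey"}

def parse_sshd_config(text):
    """Lowercased keyword -> list of values from the global section.
    sshd_config(5): keyword/argument split on whitespace or '=', '#' starts a
    comment, and the first Match block ends the unconditional section."""
    conf = {}
    for raw in text.splitlines():
        m = re.match(r"([^\s=]+)[\s=]+(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # later lines apply only to matching connections
        conf.setdefault(key, []).append(val)  # HostKey may legitimately repeat
    return conf

def audit(conf):
    """Return findings against the hardening directives; [] means compliant."""
    findings = []
    for key, want in REQUIRED.items():
        got = conf.get(key, [None])[0]  # sshd keeps the first value it reads
        if got is None or got.lower() != want:
            findings.append(f"{key}: {got} (want {want})")
    for key, allowed in ALLOWED.items():
        if key not in conf:
            findings.append(f"{key}: not set, OpenSSH defaults apply")
        elif extra := set(conf[key][0].split(",")) - allowed:
            findings.append(f"{key}: unexpected {','.join(sorted(extra))}")
    return findings

# Constructed sample input (not a real host's config); the Match block must not
# hide the weak global PermitRootLogin, and the CBC cipher must be flagged.
SAMPLE = """\
PermitRootLogin prohibit-password
AuthenticationMethods publickey
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes128-cbc
MACs hmac-sha2-512-etm@openssh.com
Match User backup
    PermitRootLogin yes
"""
```

Run `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a host to get the same findings list for the real file; `sudo sshd -t` still has to confirm the file actually loads.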
### Debugging sshd Issues

```bash
sudo sshd -t                  # Test mode. Only check the validity of the configuration file and sanity of the keys.
sudo systemctl restart sshd   # On systemd based systems restart the sshd service
sudo systemctl status sshd    # On systemd based systems print the status of the sshd service
```