SSH
openssh-server (getestet mit Version 8.2 - 8.3 Debian Testing und Ubuntu 18.04/20.04)
# WARNING: Check before applying changes! # file: /etc/ssh/sshd_config Protocol 2 # Keys HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key # Encryption KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com # Login/Logout: PermitRootLogin no LoginGraceTime 2m StrictModes yes MaxAuthTries 3 MaxSessions 10 ClientAliveInterval 600 ClientAliveCountMax 0 # Authentication Methods PubkeyAuthentication yes HostbasedAuthentication no IgnoreRhosts yes PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no UsePAM no AuthenticationMethods publickey # Users & Groups # note: possibly overrides AllowGroups, be careful #AllowUsers admin@134.34.1.* user1@134.34.0.0/16 user1@2001:7c0:2800::/40 AllowGroups sudo # Two-Factor-Auth for priviledged users match group sudo PubkeyAuthentication yes PasswordAuthentication yes AuthenticationMethods publickey,password
openssh-client (getestet mit Version 8.0 Debian Testing)
# File: /etc/ssh/ssh_config
# add under Host *
HashKnownHosts yes
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ConnectTimeout 30
ServerAliveInterval 10
ControlMaster auto
ControlPersist yes
ControlPath ~/.ssh/socket-%r@%h:%p