infra-ansible

ansible script to ship alpine/ssh/wireguard

git clone https://9o.is/git/infra-ansible.git

sshd_config.j2

(837B)


      1 AllowUsers user
      2 
      3 # Host key offered by the server. Only the Ed25519 key is listed, so no RSA or ECDSA host key is presented.
      4 HostKey /etc/ssh/ssh_host_ed25519_key
      5  
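      6 # Pin kex, cipher and MAC to one algorithm each; clients without them cannot connect. chacha20-poly1305 is an AEAD cipher, so the MACs entry goes unused, and it relies on strict key exchange at both ends (OpenSSH 9.6+) to resist the Terrapin prefix-truncation attack.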
      7 KexAlgorithms curve25519-sha256
      8 Ciphers chacha20-poly1305@openssh.com
      9 MACs hmac-sha2-512-etm@openssh.com
     10  
     11 # LogLevel VERBOSE logs the fingerprint of the user's key on login.
     12 # Needed to have a clear audit trail of which key was used to log in.
     13 LogLevel VERBOSE
     14  
     15 # Log SFTP-level file access (read/write/etc.) that would not be easily logged otherwise (syslog facility AUTHPRIV, level INFO).
     16 Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
     17 
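     18 # Disable root login and all password / keyboard-interactive authentication (ChallengeResponseAuthentication is the deprecated alias of KbdInteractiveAuthentication).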
     19 PermitRootLogin no
     20 ChallengeResponseAuthentication no
     21 PasswordAuthentication no
     22 
     23 # Require public-key authentication only; keys are read from .ssh/authorized_keys in each user's home directory.
     24 AuthenticationMethods publickey
     25 PubkeyAuthentication yes
     26 PermitEmptyPasswords no
     27 AuthorizedKeysFile	.ssh/authorized_keys
     28