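# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
#
# Keyword handling: sshd keeps the FIRST value it reads for each keyword,
# so settings in this file take precedence over the drop-ins pulled in by
# the Include at the bottom. Comments must occupy a whole line; a trailing
# "# ..." after a value is parsed as an extra argument.
# Requires OpenSSH 8.5 or newer (Include, PubkeyAcceptedAlgorithms and the
# sntrup761x25519 key exchange are all unknown to older releases).

# This keyword can be followed by a list of group name patterns,
# separated by spaces. If specified, login is allowed only for
# users whose primary group or supplementary group list matches
# one of the patterns. root is listed deliberately; how root may
# authenticate is governed by PermitRootLogin below.
AllowGroups root _ssh

# prohibit-password is the upstream default. It is stated explicitly so
# that root can only log in with a public key, and so that a drop-in
# read by the Include below cannot widen it (first value wins).
PermitRootLogin prohibit-password

# The contents of the specified file are sent to the remote
# user before authentication is allowed.
Banner /etc/issue.net

# Specifies whether keyboard-interactive (challenge-response)
# authentication is allowed. KbdInteractiveAuthentication is the current
# keyword; ChallengeResponseAuthentication is its deprecated alias.
# Together with PasswordAuthentication no below, public-key authentication
# is the only enabled method (GSSAPI and host-based are off by default).
KbdInteractiveAuthentication no

# Specifies the ciphers allowed. Both entries are AEAD ciphers, so the
# MACs list below only applies to nothing unless this list is widened.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

# Sets the number of client alive messages (see below) which may
# be sent without sshd(8) receiving any messages back from the
# client. If this threshold is reached while client alive
# messages are being sent, sshd will disconnect the client,
# terminating the session. With the interval below, an
# unresponsive client is dropped after 3 x 60 = 180 seconds.
ClientAliveCountMax 3

# Sets a timeout interval in seconds after which if no data has
# been received from the client, sshd(8) will send a message
# through the encrypted channel to request a response from the
# client.
ClientAliveInterval 60

# Specifies whether the distribution-specified extra version
# suffix is included during initial protocol handshake.
# NOTE: this keyword exists only in the Debian/Ubuntu-patched sshd.
# An upstream build rejects unknown keywords and refuses to start,
# so remove this line if the file is deployed on another distribution.
DebianBanner no

# Disables all forwarding features, including X11, ssh-agent,
# TCP and StreamLocal. This overrides every other forwarding-related
# option, so a drop-in cannot re-enable forwarding piecemeal.
DisableForwarding yes

# Specifies a file containing a private host key used by SSH.
# Only the ed25519 key is ever offered under HostKeyAlgorithms below;
# the RSA and ECDSA keys are loaded but unused and are kept so that
# HostKeyAlgorithms can be widened later without regenerating keys.
# No DSA key is listed: DSA is disabled or removed in current OpenSSH
# and could never be offered under HostKeyAlgorithms anyway.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Specifies the host key algorithms that the server offers.
# Only ed25519 (plain and FIDO-backed) host keys are offered, so the
# ed25519 HostKey above must be present and loadable.
HostKeyAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com

# Specifies the available KEX (Key Exchange) algorithms.
# Post-quantum hybrid first, then curve25519; the group-exchange
# entry draws its groups from /etc/ssh/moduli.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

# Specifies the available MAC (message authentication code)
# algorithms. All entries are encrypt-then-MAC variants.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

# Specifies whether password authentication is allowed.
PasswordAuthentication no

# Specifies whether should print /etc/motd when a user logs
# in interactively.
PrintMotd no

# Specifies whether sshd should print the date and time of
# the last user login when a user logs in interactively.
PrintLastLog no

# Specifies the public key algorithms accepted for user
# authentication. PubkeyAcceptedAlgorithms is the current keyword;
# PubkeyAcceptedKeyTypes is its deprecated alias. Only plain ed25519
# user keys are accepted: FIDO-backed (sk-ssh-ed25519@openssh.com)
# and certificate (ssh-ed25519-cert-v01@openssh.com) variants are not,
# and must be added here before such keys can be used.
PubkeyAcceptedAlgorithms ssh-ed25519

# Configures an external subsystem (e.g. file transfer daemon).
# internal-sftp runs inside sshd, so no separate sftp-server binary
# is needed and it works under ChrootDirectory.
Subsystem sftp internal-sftp

# Enables the Pluggable Authentication Module interface.
# With password and keyboard-interactive authentication disabled, PAM
# is used only for account and session processing, not for
# authenticating users.
UsePAM yes

# Drop-ins are read last. Because sshd keeps the first value seen for
# each keyword, a drop-in cannot override anything set above; it can
# only add keywords not set here (including Match blocks). Keep this
# line last if that is the intent; moving it to the top would let
# drop-ins relax the settings in this file.
Include /etc/ssh/sshd_config.d/*.conf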
