Hardened SSH config

2023-01-28 13:51:01 +01:00 · 2023-01-28 13:51:01 +01:00 · 5b30c056ed
commit 5b30c056ed
parent 6bef7d8ad8
2 changed files with 11 additions and 4 deletions
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -20,7 +20,4 @@ chown -R ${USER}:${USER} /config

 set -xv

-/usr/sbin/sshd -D -e -4 \
-    -o "HostKey=${CONFIG_DIR}/ssh_host_rsa_key" \
-    -o "HostKey=${CONFIG_DIR}/ssh_host_ed25519_key" \
-    -o "Port=${PORT}" \
+/usr/sbin/sshd -D -e -4
--- a/10
+++ b/10
@ -1,7 +1,17 @@
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+AuthenticationMethods publickey
+PubkeyAuthentication yes
+AllowUsers bastion
+UsePAM no
 PermitTTY no
 X11Forwarding no
 PermitTunnel no
 GatewayPorts no
+HostKey /config/ssh_host_ed25519_key
+HostKey /config/ssh_host_rsa_key
+Port 2222
 ForceCommand /sbin/nologin
 Match User bastion
    AllowTcpForwarding yes