gitreef

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE

commit 9677eb4ebcb3852faa6b3160f692ef0b2cc61f39
parent af023ee26fefbbd5aada81ae81c031b7d4e37754
Author: Matthias Jaros <jaros@mailbox.org>
Date:   Fri, 14 Nov 2025 22:04:04 +0100

ssh hardening due to lot of attacks

Diffstat:
Msrc/ssh.conf | 33++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/src/ssh.conf b/src/ssh.conf @@ -1,12 +1,33 @@ -# Security, we only want public key login for users and NOT for users root,git +# NO ROOT PermitRootLogin no -PasswordAuthentication no + +# git user has access to all repos. no login allowed +DenyUsers git + +# no login shell +PermitTTY no + +# Force run script that checks for permissions and runs sudo +ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND" + +# Only public key login is allowed +# no password brute force PubkeyAuthentication yes +PasswordAuthentication no AuthenticationMethods publickey KbdInteractiveAuthentication no ChallengeResponseAuthentication no -PermitTTY no + +# no forwarding and tunneling +AllowTcpForwarding no AllowAgentForwarding no +X11Forwarding no + +# Limit authentication tries to 1 per connection +MaxAuthTries 1 + +# Do not wait too long for authentication +LoginGraceTime 10 # Point keys to shared data dir to avoid regenerating them each time HostKey /var/ssh/etc/ssh/ssh_host_rsa_key @@ -16,9 +37,3 @@ HostKey /var/ssh/etc/ssh/ssh_host_ed25519_key # Logging SyslogFacility AUTH LogLevel INFO - -# Force run script that checks for permissions and runs sudo -ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND" - -# git user has access to EVERYTHING. no login should be possible -DenyUsers git