# NO ROOT PermitRootLogin no # git user has access to all repos. no login allowed DenyUsers git # no login shell PermitTTY no # Force run script that checks for permissions and runs sudo ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND" # Only public key login is allowed # no password brute force PubkeyAuthentication yes PasswordAuthentication no KbdInteractiveAuthentication no # no forwarding and tunneling DisableForwarding yes PermitTunnel no # ddos protection: default params here for clarity # after 10 unauthenticated connections start dropping randomly # with 30% chance new connections till 100 # then reject every new connection attempt MaxStartups 10:30:100 # max 3 unauthenticated per IP # disabled due to issues even with successfull git commands #PerSourceMaxStartups 3 # Garbage collection of unauthenticated connections LoginGraceTime 10 # Limit authentication tries per connection MaxAuthTries 3 # penalties # we are quite harsh here because bots usually annoy for multiple # days with many requests, so let them accumulate it up to a day PerSourcePenalties max:1d crash:1d grace-exceeded:30s noauth:10s authfail:10s # Point keys to shared data dir to avoid regenerating them each time HostKey /var/ssh/etc/ssh/ssh_host_rsa_key HostKey /var/ssh/etc/ssh/ssh_host_ecdsa_key HostKey /var/ssh/etc/ssh/ssh_host_ed25519_key # Logging SyslogFacility AUTH LogLevel INFO