value; } } $usePAM = $pam ?? PAM::no->getValue(); // yes or no enum INet: string { case IPv4 = "inet"; case IPv6 = "inet6"; case any = "any"; public function getValue(): string { return $this->value; } } $allowedInet = $inet ?? INet::any->getValue(); // any, IPv4, or IPv6 force_root(); run_once(); if ($rekey == "yes") { if (file_exists("/etc/ssh/ssh_host_rsa_key")) { cp("/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_rsa_key_backup"); rm("/etc/ssh/ssh_host_rsa_key"); } if (file_exists("/etc/ssh/ssh_host_ed25519_key")) { cp("/etc/ssh/ssh_host_ed25519_key", "/etc/ssh/ssh_host_ed25519_key_backup"); rm("/etc/ssh/ssh_host_ed25519_key"); } do_command('keygen::rsa', "/etc/ssh/ssh_host_rsa_key"); do_command('keygen::ed25519', "/etc/ssh/ssh_host_ed25519_key"); } $sshd = "Protocol 2 Port $PortNumber AddressFamily $allowedInet #ListenAddress :: #ListenAddress 0.0.0.0 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ed25519_key #TrustedUserCAKeys #HostCertificate # Ciphers and keying HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 RekeyLimit default none # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 2m PermitRootLogin no AllowUsers $AllowUsers #AllowGroups ssh_users #DenyGroups StrictModes yes MaxAuthTries 6 MaxSessions 10 #Privilege Separation is turned on for security UsePrivilegeSeparation yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts HostbasedAuthentication no IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no AuthenticationMethods publickey,keyboard-interactive:pam # Kerberos options KerberosAuthentication no KerberosOrLocalPasswd yes KerberosTicketCleanup yes KerberosGetAFSToken no # GSSAPI options GSSAPIAuthentication no GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck yes GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of \"PermitRootLogin without-password\". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM $usePAM AllowAgentForwarding no AllowTcpForwarding no GatewayPorts no X11Forwarding no X11DisplayOffset 10 X11UseLocalhost no PermitTTY yes PrintMotd no PrintLastLog yes TCPKeepAlive yes PermitUserEnvironment no Compression yes ClientAliveInterval 0 ClientAliveCountMax 3 UseDNS no PidFile /var/run/sshd.pid MaxStartups 10:30:100 PermitTunnel no ChrootDirectory none VersionAddendum none DebianBanner no Banner /etc/notice.txt # Allow client to pass locale environment variables AcceptEnv LANG LC_* # override default of no subsystems Subsystem sftp /bin/sh -c 'umask 0002; /usr/lib/openssh/sftp-server' # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server # Include /etc/ssh/sshd_config_cvs.d/*.conf"; if (file_exists("/etc/ssh/sshd_config")) { mv("/etc/ssh/sshd_config", "/etc/ssh/sshd_config.old"); } append_to_file("/etc/ssh/sshd_config", $sshd); chmod_file_or_dir("/etc/ssh/sshd_config", "config"); $banner = "*************************************************************************** NOTICE TO USERS This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. ****************************************************************************"; if (! file_exists("/etc/notice.txt")) { append_to_file("/etc/notice.txt", $banner); chmod_file_or_dir("/etc/notice.txt", "normal"); }