# TCP port to bind to.
# Change to a high/odd port if this server is exposed to the internet directly.
Port 22

# Bind to all interfaces (change to specific interface if needed).
ListenAddress 0.0.0.0

# Force SSHv2 Protocol.
Protocol 2

# HostKeys for protocol version 2.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Privilege Separation is turned on for security.
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key.
KeyRegenerationInterval 3600
ServerKeyBits 2048

# Limit SSH access to only certain users.
AllowGroups sshusers

# Client timeout (5 minutes).
ClientAliveInterval 300
ClientAliveCountMax 0

# Compression (only after authentication).
Compression delayed

# Logging.
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication must happen within 30 seconds.
LoginGraceTime 30

# Disable root SSH access.
PermitRootLogin no
PermitEmptyPasswords no

# Check user folder permissions before allowing access.
StrictModes yes

# Public key authentication + Password authentication.
# Two-Factor Authentication in OpenSSH v6.2+.
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# Change this depending on where your authorized_keys file is.
# This is set as a workaround when using encrypted home directories.
# Link: https://joscor.com/2013/05/putty-server-refused-our-key/
AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys

# Message Authentication Code (Hash, only SHA2-512).
# SHA-256 included for compat with PuTTY-WinCrypt clients.
MACs hmac-sha2-512,hmac-sha2-256

# Ciphers (only secure AES-256).
Ciphers aes256-cbc,aes256-ctr

# Key Exchange algorithms (Elliptic Curve Diffie-Hellman).
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients.
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

# Don’t read the user’s ~/.rhosts and ~/.shosts files.
IgnoreRhosts yes

# Disable unused authentication schemes.
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM yes

# X11 support.
X11Forwarding no

# Don’t show Message of the Day.
PrintMotd no

# TCPKeepAlive (non-tunneled, disabled).
TCPKeepAlive no

# Allow client to pass locale environment variables.
AcceptEnv LANG LC_*