# `man sshd_config` says "for each keyword, the first obtained value will be used". So I decided to put my configs before all others to override them all.
# Based on the manpage, setting PasswordAuthentication no, together with the Arch Linux default KbdInteractiveAuthentication no and the other defaults, seems already equivalent to AuthenticationMethods publickey, but I still put it here for redundancy.
# https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication
AuthenticationMethods publickey
PermitRootLogin no
PasswordAuthentication no
# KbdInteractiveAuthentication no and UsePAM yes are Arch Linux default settings, see /etc/ssh/sshd_config.d/00-archlinux.conf. I need these configs, so I put them here in case Arch Linux changes the defaults in the future.
KbdInteractiveAuthentication no
UsePAM yes
# When ssh'ing into this remote server, a client using alacritty needs `SendEnv COLORTERM` to send the env var to the server, so that ls on the server outputs color by default; see the comments in my alacritty.toml config.
AcceptEnv COLORTERM
# https://unix.stackexchange.com/a/472848 wrote about sshd_config AllowUsers
# CIDR address: "Notice that that will not work with 'inconsistent' addresses
# (where the bits outside the mask are not all 0, eg. 192.168.177.0/22)". My
# understanding is that 177 in binary is 10110001, 32-22=10, so the last 10 bits
# of 192.168.177.0 are 0100000000; note there's a 1, so it will not work; and
# 192.168.176.0/22 works because its last 10 bits are all 0. `man
# sshd_config` also says about this: "Note that the mask length provided must
# be consistent with the address - it is an error to specify a mask length that
# is too long for the address or one with bits set in this host portion of the
# address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively."; the
# second part of the comment, "one with bits set in this host portion of the
# address", with the example CIDR 192.0.2.0/8, matches my understanding above:
# 192.0.2.0/8 has a 2, which is 10 in binary, which is a bit set "in" the CIDR /8
# range, so it will not work. Just before that quote, it also gives an example
# of 192.0.2.0/24, which should work. Not tested.
#
# My test shows `AllowUsers gitolite@localhost` does not work, so I use
# 127.0.0.1 and ::1
AllowUsers gitolite@10.0.0.0/24 gitolite@127.0.0.1 gitolite@::1

# Include drop-in configurations
Include /etc/ssh/sshd_config.d/*.conf

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to "no" here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to "no" to disable keyboard-interactive authentication.  Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
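The CIDR "consistent address" rule discussed in the AllowUsers comments near the top of this file, worked through in Python as an added example that is not part of this config or of OpenSSH: it extracts the host-portion bits of the page's own sample prefixes (192.168.177.0/22, 192.168.176.0/22, 192.0.2.0/33, 192.0.2.0/8, 192.0.2.0/24) and emulates AllowUsers user@address matching for this file's AllowUsers line. Only the standard ipaddress module is used; ALLOW_USERS, host_bits, cidr_is_consistent and allow_users_permits are names chosen here, and hostname patterns such as user@localhost are deliberately not resolved.

```python
import ipaddress

# Constructed sample: the AllowUsers line from this config, as a string.
ALLOW_USERS = "gitolite@10.0.0.0/24 gitolite@127.0.0.1 gitolite@::1"


def host_bits(cidr):
    """Binary string of the host-portion bits of ADDRESS/PREFIX.

    sshd requires every one of these bits to be 0; a 1 anywhere is the
    'inconsistent address' case. A mask longer than the address (/33 on
    IPv4) raises ValueError, the other error sshd_config(5) names.
    """
    addr_s, _, plen_s = cidr.partition("/")
    addr = ipaddress.ip_address(addr_s)
    plen = int(plen_s) if plen_s else addr.max_prefixlen
    if not 0 <= plen <= addr.max_prefixlen:
        raise ValueError("mask length /%d too long for %s" % (plen, addr))
    width = addr.max_prefixlen - plen
    return format(int(addr) & ((1 << width) - 1), "0%db" % width) if width else ""


def cidr_is_consistent(cidr):
    """True when sshd would accept this address/prefix in an AllowUsers entry."""
    try:
        return set(host_bits(cidr)) <= {"0"}
    except ValueError:
        return False


def allow_users_permits(allow_users, user, source_ip):
    """Emulate AllowUsers matching for USER and USER@ADDRESS/CIDR entries.

    Hostname patterns (e.g. user@localhost) are not resolved here and so
    never match; only literal addresses and prefixes are emulated.
    """
    src = ipaddress.ip_address(source_ip)
    for entry in allow_users.split():
        name, sep, pattern = entry.partition("@")
        if name != user:
            continue
        if not sep:
            return True  # bare USER entry: any source host
        try:
            # strict=True rejects host bits set, just as sshd does
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError:
            continue  # hostname pattern or inconsistent CIDR: no match
        if src.version == net.version and src in net:
            return True
    return False
```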