# This is the sshd server system-wide configuration file.

# BSI TR-02102-4 oriented crypto selection
# Notes:
# - SSH protocol v2 only
# - Prefer AEAD (GCM); allow CTR only if you must keep older clients
# - Prefer SHA-2 MACs (and EtM variants if supported)
# - Rekey after 1 GiB or 1 hour

Protocol 2

# Key exchange
KexAlgorithms diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512

# Ciphers
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Host key algorithms

# Rekey guidance: 1 GiB or 1 hour ---
RekeyLimit 1G 1h

# Authentication:
LoginGraceTime 1m
StrictModes yes
MaxAuthTries 3
MaxSessions 5
PermitEmptyPasswords no

# password-only
PasswordAuthentication yes
PubkeyAuthentication no

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Compression no
ClientAliveInterval 15
ClientAliveCountMax 4

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
HostKey /mnt/rescue-data/.ssh/ssh_host_rsa_key
HostKey /mnt/rescue-data/.ssh/ssh_host_ecdsa_key
HostKey /mnt/rescue-data/.ssh/ssh_host_ed25519_key
