From 3fb7e5890f98d8298caf2e64ac1d1a2cded86267 Mon Sep 17 00:00:00 2001
From: bpt <bernardo.p.tomasi@gmail.com>
Date: Wed, 19 Feb 2025 11:56:20 -0300
Subject: [PATCH] ssh config files added

---
 sshd_config              | 95 ++++++++++++++++++++++++++++++++++++++++
 trusted-user-ca-keys.pem |  1 +
 2 files changed, 96 insertions(+)
 create mode 100644 sshd_config
 create mode 100644 trusted-user-ca-keys.pem

diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..2583437
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,95 @@
+#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+Protocol 2
+#AddressFamily inet
+
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/root_keys .ssh/authorized_keys
+
+# 
+TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/ssh/banner
+
+# Allow client to pass locale environment variables
+#AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
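Review bot: `TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem` on line 59 is set with no `AuthorizedPrincipalsFile`, so sshd accepts any certificate signed by that CA whose principal list contains the target account name, and together with `PermitRootLogin without-password` on line 52 a certificate carrying the principal `root` logs in directly as root. Add `AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u` (one allowed principal per line, managed as tightly as the CA key) so the CA signs for named people rather than for any local username, and change `without-password` to its current spelling `PermitRootLogin prohibit-password`, or `no` if interactive root shells are not required. `Protocol 2` (line 35) and `UsePrivilegeSeparation yes` (line 44) are ignored on OpenSSH 7.5/7.6 and later and only produce deprecation warnings at startup, and `X11Forwarding yes` (line 89) is enabled on what is presumably a headless server; drop the first two and set the third to `no` unless a client actually needs it. The empty `# ` comment on line 58 above TrustedUserCAKeys should explain the trust it establishes, e.g. `# User certificates signed by this CA are accepted; principals are restricted via AuthorizedPrincipalsFile`.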
diff --git a/trusted-user-ca-keys.pem b/trusted-user-ca-keys.pem
new file mode 100644
index 0000000..c214b37
--- /dev/null
+++ b/trusted-user-ca-keys.pem
@@ -0,0 +1 @@
+ssh-rsa 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
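Review bot: The CA line carries no trailing comment, so an operator reading /etc/ssh cannot tell which CA, owner or rotation this public key belongs to; append an identifying comment to the key line, e.g. `ssh-rsa AAAA... user-ca@example.org rotated 2025-02` (key material is elided in this view, so only its `ssh-rsa` type is visible). Because OpenSSH 8.8 and later refuse certificates signed with the SHA-1 `ssh-rsa` signature algorithm, the signing side must use `rsa-sha2-256`/`rsa-sha2-512`, or the CA should be regenerated as an ed25519 key; confirm which the signing pipeline uses. Only the public half belongs in this repository — verify the matching private CA key is kept offline or in an HSM and was never committed next to it.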
-- 
GitLab