# VA1DER - qro.va1der.ca's local config for sshd: /etc/ssh/local.conf
#
# Some recommendations from "Secure Secure Shell", retrieved from
# https://stribika.github.io/2015/01/04/secure-secure-shell.html

# Default is only 6, but with only pubkey auth allowed, are even that many needed?
MaxAuthTries 2

# Protocol 2 has long been the default, but let's make it explicit just for safety...
Protocol 2

# Make sure that only the users attached to the ssh group can ssh in
AllowGroups ssh

# KexAlgorithms is much simplified since sntrup761x25519, which combines both a
# lattice-based exchange and a (trustworthy) elliptic curve
KexAlgorithms sntrup761x25519-sha512@openssh.com

# Ciphers is also much simplified with chacha20, which is both faster and more
# secure than AES and comes bundled with its own MAC
Ciphers chacha20-poly1305@openssh.com

# No need to specify a MAC since our only cipher comes with its own baked in, but
# just in case more ciphers are added, let's limit ourselves to proper ones:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Pick one host key type and run with it. No need for multiple types any more.
# ed25519 is a solid choice, small key size and fast connections, but only
# 128-bit-level security
#HostKeyAlgorithms ssh-ed25519
# RSA 16384-bit is still the highest security you can use, but connections are a
# bit slower to start
HostKeyAlgorithms rsa-sha2-512

# Choose a host key based on the algo above
#HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa16384_key

# No passwords, just pubkey
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

AllowTcpForwarding yes
X11Forwarding yes

# Let's keep sessions alive. This allows you to step away from the
# computer for a bit without the connection dying.
TCPKeepAlive yes
# Server will send the client a keepalive every 5 minutes and disconnect it if
# that fails 12 times (an hour)
ClientAliveInterval 300
ClientAliveCountMax 12
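A fragment like this only takes effect if it is Included before any conflicting keyword in the main sshd_config, because sshd uses the first value it obtains for each keyword. The following added example (not part of the original config, and not OpenSSH code) resolves a constructed sshd_config plus fragment the way sshd would and audits the result against the settings above; the file paths and contents are placeholders built inline, and Match blocks are deliberately not modelled.

```python
import re

# Constructed sample, not the real host's files; paths are placeholders.
# The fragment carries the key settings from local.conf above.
LOCAL_CONF = """
MaxAuthTries 2
KexAlgorithms sntrup761x25519-sha512@openssh.com
Ciphers chacha20-poly1305@openssh.com
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
MAIN_EARLY = "Include /etc/ssh/local.conf\nMaxAuthTries 6\nPasswordAuthentication yes\n"
MAIN_LATE = "MaxAuthTries 6\nPasswordAuthentication yes\nInclude /etc/ssh/local.conf\n"
FILES_EARLY = {"/etc/ssh/sshd_config": MAIN_EARLY, "/etc/ssh/local.conf": LOCAL_CONF}
FILES_LATE = {"/etc/ssh/sshd_config": MAIN_LATE, "/etc/ssh/local.conf": LOCAL_CONF}

BASELINE = {  # what local.conf intends to enforce (keywords lowercased)
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "kexalgorithms": "sntrup761x25519-sha512@openssh.com",
    "ciphers": "chacha20-poly1305@openssh.com",
}

def effective_config(path, files):
    """Resolve {keyword: value} the way sshd does: the first value obtained
    for a keyword wins, Include is expanded in place, keywords are
    case-insensitive.  Match blocks are not modelled (simplifying assumption)."""
    seen = {}
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.split(r"[\s=]+", line, maxsplit=1)
        key = key.lower()
        if key == "include":  # literal path here; real sshd also accepts globs
            for k, v in effective_config(value, files).items():
                seen.setdefault(k, v)  # values seen earlier keep precedence
        else:
            seen.setdefault(key, value)
    return seen

def audit(cfg):
    """Compare a resolved config with BASELINE and return a list of findings."""
    findings = [f"{k}: got {cfg.get(k)!r}, expected {want!r}"
                for k, want in BASELINE.items() if cfg.get(k) != want]
    tries = int(cfg.get("maxauthtries", "6"))  # 6 is sshd's compiled-in default
    if tries > 2:
        findings.append(f"maxauthtries: {tries} > 2")
    return findings
```

With the Include first, audit() returns no findings; with the Include after the defaults, PasswordAuthentication yes and MaxAuthTries 6 win and are reported.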