
Old Arch Linux system

main
Miraty 11 months ago
commit d0e18be3d1
1. README.md (+3)
2. arch/about.md (+37)
3. arch/gemini.md (+2)
4. arch/gmnisrv.md (+53)
5. arch/installation.md (+30)
6. arch/knot.md (+8)
7. arch/maniver.md (+23)
8. arch/nginx.md (+7)
9. arch/niver-php.md (+30)
10. arch/openssh.md (+33)
11. arch/quota.md (+16)
12. install.md (+144)
13. knot.conf (+27)
14. nginx/dhparam (+8)
15. nginx/inc/errors.conf (+71)
16. nginx/inc/fastcgi.conf (+26)
17. nginx/inc/intermediate.conf (+5)
18. nginx/inc/modern.conf (+3)
19. nginx/inc/niver-csp.conf (+1)
20. nginx/inc/security.conf (+24)
21. nginx/mimetypes/full.conf (+1003)
22. nginx/mimetypes/strict.conf (+39)
23. nginx/nginx.conf (+27)
24. nginx/sites/niver.atope.art.conf (+31)
25. php-fpm/errors.conf (+27)
26. php-fpm/niver.conf (+26)
27. share/banner.txt (+1)
28. share/knot.template (+2)
29. share/nginx/dns.template (+27)
30. share/nginx/onion.template (+9)
31. share/skel/about.txt (+5)
32. sshd_config (+88)

README.md (+3)

@ -0,0 +1,3 @@
# Niver configuration
This repository contains configuration files required by Niver or it's dependencies.
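Review bot: typo in the second line: `it's dependencies` should read `its dependencies`.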

arch/about.md (+37)

@ -0,0 +1,37 @@
# Niver
## Features
### Web interface
* Login/register using a pseudo/password set
* Pages are lower than 10 KiB
* No JavaScript, no images, and CSS are optionnal
* Dark and light themes
* Free service running libre software
### Hypertext
* SFTP access
* HTTP and Gemini
* IPv4 and IPv6
* TLS 1.2 & 1.3
* DNS and Onion v3 (through Tor) access
* HTTP/1.1 and HTTP/2
* Let's Encrypt certificates for HTTP
* All HTTP security headers
### Nameserver
* DNSSEC (with NSEC3)
* NS, A, AAAA, TXT, and CAA records
### Registry
* Glue record
* DNSSEC delegation with any modern cypher
## Missing features
* No internationalized domain name support (you can only use a small subset of ASCII in your domain name)
* No BIND-style plaintext configuration (you need to fill a form for every record you add or remove)
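Review bot: spelling in the feature list: `optionnal` should be `optional` (Web interface) and `cypher` should be `cipher` (Registry); `Pages are lower than 10 KiB` reads better as `Pages are smaller than 10 KiB`. `All HTTP security headers` is a claim that goes stale as new headers appear; listing the headers actually set (the ones in nginx/inc/security.conf) would be more honest and easier to audit.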

arch/gemini.md (+2)

@ -0,0 +1,2 @@
To generate a key/certificate pair with ed25519 expiring in 10 years
`openssl req -subj '/CN=domain' -new -newkey ED25519 -days 3650 -nodes -x509 -keyout domain.key -out domain.crt`
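Review bot: `-nodes` writes `domain.key` unencrypted and the command creates it with the caller's default umask, so add a `chmod 600 domain.key` (or run under `umask 077`) right after it. The page also does not say which server consumes the pair; the gmnisrv setup in this commit points at a certificate `store=` directory, so state where `domain.key`/`domain.crt` are meant to go.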

arch/gmnisrv.md (+53)

@ -0,0 +1,53 @@
# gmnisrv installation
```
# pacman -S make git pkgconf openssl scdoc
$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
$ mkdir gmnisrv/build
$ cd gmnisrv/build
$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
$ make # Build gmnisrv
# make install # Install gmnisrv binary and manpages on the system
# useradd -U -r -s /usr/bin/nologin gmnisrv # Add the gmnisrv system user and group
# vim /etc/systemd/system/gmnisrv.service
```
```
[Unit]
Description=A Gemini server
After=network.target
Wants=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/gmnisrv
ExecStop=
#Restart=on-failure
User=gmnisrv
Group=gmnisrv
WorkingDirectory=/srv/ht
[Install]
WantedBy=multi-user.target
```
```
# systemctl daemon-reload
# mkdir -p /srv/gemini/niver.atope.art
# echo "This is a testing Gemini capsule" > /srv/gemini/niver.atope.art/index.gmi
# mkdir /var/local/gmnisrv
# chmod -R 700 /var/local/gmnisrv
# chown -R gmnisrv:gmnisrv /var/local/gmnisrv
# vim /usr/local/etc/gmnisrv.ini
```
```
# Space-separated list of hosts
listen=0.0.0.0:1965 [::]:1965
[:tls]
# Path to store certificates on disk
store=/var/local/gmnisrv
[niver.atope.art]
root=/srv/gemini/niver.atope.art
```

arch/installation.md (+30)

@ -0,0 +1,30 @@
# Niver system installation
Niver will use and need specific configuration for
* Knot DNS
* OpenSSH
* Nginx
* Tor
* Gmnisrv
* PHP-FPM
To do root-level actions, Niver will also use a privileged binary, written in Rust, called Maniver.
Niver has been deployed on the following distributions :
* Debian 10, using Nginx 1.14.2 and OpenSSH 7.9p1, and latest available version of Tor, Knot and gmnisrv using their official release channel.
* Arch Linux
To provide all features:
`# pacman -S tor knot openssh sudo nginx nginx-mod-headers-more certbot certbot-nginx php-fpm php-sqlite`
Some tools you might find usefull to manage a server:
`# pacman -S vnstat htop nload ufw vim man-db curl screen`
[Gemini](gemini.md)
[Maniver](maniver.md)
[OpenSSH](openssh.md)
[Nginx](nginx.md)
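Review bot: this page says Niver has been deployed on Debian 10, while install.md in the same commit targets Debian 11 (bullseye); keep the two in sync. Spelling and punctuation: `usefull` should be `useful`, the French-style space in `distributions :` should be `distributions:`, and `specific configuration for` needs a colon before the list. The link list at the bottom omits the Knot and Quota pages (arch/knot.md, arch/quota.md) although the package line installs both.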

arch/knot.md (+8)

@ -0,0 +1,8 @@
# Knot setup
```
# systemctl stop knot
# sudo -u knot knotc conf-import /usr/local/share/niver/knot.conf
# systemctl restart knot
# systemctl enable knot
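Review bot: `knotc conf-import` replaces the whole configuration database, which is why the server is stopped first; say so in the text so nobody runs it on a host that already serves zones. `/usr/local/share/niver/knot.conf` is the `knot.conf` of this repository, while install.md leaves the same step as `<path to default niver knot conf>`; one of the two pages should state the path and how the file gets there.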
```

arch/maniver.md (+23)

@ -0,0 +1,23 @@
# Maniver
## Installation
```
# pacman -S rustup git
$ rustup default stable
$ git clone https://code.antopie.org/miraty/maniver-dev
$ cd maniver-dev
$ cargo build --release
# cp ./target/release/maniver /usr/local/bin/
```
## Update
```
$ rustup update
$ cd maniver-dev
$ cargo update
$ git pull
$ cargo build --release
# cp ./target/release/maniver /usr/local/bin/
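Review bot: the Update section runs `cargo update` before `git pull`, so the lock file is refreshed against the old tree and then possibly overwritten by the pull; pull first, then `cargo update`, then build. The install step copies the binary to /usr/local/bin without the `chown root:php-niver` and `chmod 750` that install.md applies, which matters because niver-php.md lets `php-niver` run this exact path as root through sudo: if the copied file is writable by anyone but root, that sudo rule is a root shell for whoever can write it. The clone URL here (`miraty/maniver-dev`) also differs from install.md (`Niver/maniver`).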
```

arch/nginx.md (+7)

@ -0,0 +1,7 @@
# Nginx configuration setup
Use the configuration provided.
Niver require the module *Headers More*.
On Arch Linux, install it with `pacman -Syu nginx-mod-headers-more`.
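Review bot: grammar: `Niver require the module` should be `Niver requires the module`. The module is already in the package line of installation.md and nginx.conf in this commit loads it with `load_module`, so this page could simply point at those two places.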

arch/niver-php.md (+30)

@ -0,0 +1,30 @@
# Niver-PHP setup
Use pools configurations provided along this documentation.
To hide PHP presence, set in php.ini:
`expose_php = Off`
```
# useradd -U -r -s /usr/bin/nologin php-niver
# useradd -U -r -s /usr/bin/nologin php-errors
```
## Permission to manage system things as root
Once you've [set up Maniver](maniver.md):
```
# EDITOR=vim visudo
php-niver ALL=(root) NOPASSWD: /usr/local/bin/maniver
```
## Permission to manage Knot
To add knot as an additional group for user php-niver: `# usermod -aG knot php-niver`
New method:
```
# chmod -R 770 /var/lib/knot
# chown -R php-niver:knot /var/lib/knot
```

arch/openssh.md (+33)

@ -0,0 +1,33 @@
### SFTP setup
```
# groupadd ht
# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
This account is only available over SFTP, not over SSH." > /etc/nologin.txt
# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
To get the ASCII art and SHA-256 fingerprints:
```
# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
```
To generate SSHFP records:
```
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/ed25519.pub
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/rsa-3072.pub
```
Don't use the first record, which is SHA-1, use the second, which is SHA-256.
`SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>`
For `pkey-algorithm`:
* `1` means RSA
* `2` means DSA (must not be used)
* `3` means ECDSA (should not be used)
* `4` means Ed25519
For `hash-algorithm`:
* `1` means SHA-1 (must not be used)
* `2` means SHA-256
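Review bot: the host keys are generated under `/etc/ssh/keys/`, but the SSHFP commands read `/etc/ssh/ed25519.pub` and `/etc/ssh/rsa-3072.pub`, which do not exist; use `-f /etc/ssh/keys/ed25519.pub` and `-f /etc/ssh/keys/rsa-3072.pub`, matching the `HostKey` lines in sshd_config. The SSHFP records only protect clients that set `VerifyHostKeyDNS` and receive a DNSSEC-validated answer, which is worth saying next to the record format since the zone is DNSSEC-signed for exactly that reason. The heading starts at `###` with no `#` or `##` above it.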

arch/quota.md (+16)

@ -0,0 +1,16 @@
# Quota setup
```
# pacman -S quota-tool
# dd if=/dev/zero of=/srv/ht.img count=4194304 # count is the size in octet
# mkfs.ext4 /srv/ht.img
# mkdir /srv/ht
# mount /srv/ht.img /srv/ht
```
```
# quotacheck -gcum /
# quotaon -v /
```
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 rw,relatime,usrquota,grpquota 0 1
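Review bot: the `dd` comment is wrong: `count` is a number of blocks, and with the default `bs=512` `count=4194304` writes 2 GiB, not 4194304 bytes; either add `bs=1` or fix the comment (`fallocate -l 2G /srv/ht.img` is also much faster than writing zeros). The Arch package is `quota-tools`, not `quota-tool`. `quotacheck -gcum /` and the fstab line enable quota on `/`, while the image is mounted on `/srv/ht`; if the image exists to give SFTP homes a bounded filesystem, `usrquota,grpquota` and `quotacheck` should target `/srv/ht`, and the image needs an fstab line of its own so it is mounted again after a reboot. The fstab line is not in a code fence like the rest of the page.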

install.md (+144)

@ -0,0 +1,144 @@
# Niver setup on Debian 11 (bullseye)
```
# apt install tor knot openssh-server sudo nginx certbot python3-certbot-nginx php7.4-fpm php-sqlite3 quota
```
## Create system users
```
# useradd -U -r -s /usr/sbin/nologin <username>
```
## Twins
```
$ wget https://golang.org/dl/go1.16.7.linux-amd64.tar.gz -o go.tar.gz
$ tar -xf go.tar.gz
$ go/bin/go get code.rocketnine.space/tslocum/twins
$ cp go/bin/twins /usr/local/bin/
```
## maniver
Installation
```
# apt install gcc git
$ git clone https://code.antopie.org/Niver/maniver && cd maniver
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
$ cargo build --release
# cp target/release/maniver /usr/local/bin/
# chown root:php-niver /usr/local/bin/maniver
# chmod 750 /usr/local/bin/maniver
```
Update
```
$ git fetch
$ rustup update
$ cargo update
$ cargo build --release
# cp target/release/maniver /usr/local/bin/
```
## gmnisrv
```
# apt install git make pkg-config libssl-dev scdoc
$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
$ mkdir gmnisrv/build
$ cd gmnisrv/build
$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
$ make # Build gmnisrv
# make install # Install gmnisrv binary and manpages on the system
# useradd -U -r -s /usr/sbin/nologin gmnisrv # Add the gmnisrv system user and group
# vim /etc/systemd/system/gmnisrv.service
```
```
[Unit]
Description=Gmnisrv, a Gemini server
After=network.target
Wants=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/gmnisrv
Restart=always
User=gmnisrv
Group=gmnisrv
WorkingDirectory=/srv/ht
[Install]
WantedBy=multi-user.target
```
```
# systemctl daemon-reload
# mkdir -p /srv/gmi/niver.4.niv.re
# echo "This is a testing Gemini capsule" > /srv/gmi/niver.4.niv.re/index.gmi
# mkdir /var/lib/gemini
# chmod -R 700 /var/lib/gemini
# chown -R gmnisrv:gmnisrv /var/lib/gemini
# vim /etc/gmnisrv.ini
```
```
# Space-separated list of hosts
listen=0.0.0.0:1965 [::]:1965
[:tls]
# Path to store certificates on disk
store=/var/lib/gemini
[niver.4.niv.re]
root=/srv/gmi/niver.4.niv.re
```
## SFTP
```
# groupadd ht
```
## Quota
```
# quotacheck -cm /
# vim /etc/fstab
```
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 usrquota,grpquota,errors=remount-ro 0 1
## Knot DNS
```
# sudo -u knot knotc conf-init
# sudo -u knot knotc conf-import <path to default niver knot conf>
```
## Nginx
Generate a self-signed certificate for default Nginx site.
```
# openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
```
## Niver-PHP
```
# chown -R root:root /usr/local/share/niver
# chmod -R u=rwX,go=rX /usr/local/share/niver
# mkdir /etc/nginx/ht
# chown -R php-niver:php-niver /etc/nginx/ht
# chmod -R 775 /etc/nginx/ht
```
Increase `session.gc_maxlifetime` in /etc/php/7.4/fpm/php.ini to avoid sessions being cleared too soon.
## Tor
This command only exist on Debian
```
# tor-instance-create niver
```
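Review bot: `wget ... -o go.tar.gz` writes wget's log to go.tar.gz, not the download; `-O go.tar.gz` is meant, and the following `tar -xf` fails on the log. After `curl ... | sh` installs rustup, `cargo` is not on PATH in the same shell until `. $HOME/.cargo/env` is sourced, so the `cargo build` line fails as written. As in arch/gmnisrv.md, `--prefix=/usr` puts the binary in `/usr/bin` while the unit has `ExecStart=/usr/local/bin/gmnisrv`. `quotacheck -cm /` creates only the user quota file by default, but the fstab line also asks for `grpquota`; use `quotacheck -cugm /`, and fence the fstab line. `/etc/nginx/ht` is owned by `php-niver` with mode 775: whatever the web application writes there becomes nginx configuration at the next reload, so the template code that writes it (dns.template and onion.template) must be the only thing that decides its content, and the directory should not be writable by any other group member. Twins and gmnisrv are both installed as Gemini servers; say which one Niver uses. Grammar: `This command only exist on Debian` should be `exists`.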

knot.conf (+27)

@ -0,0 +1,27 @@
server:
rundir: "/run/knot"
user: "knot:knot"
listen: [ "0.0.0.0@53", "::@53" ]
log:
- target: "/var/log/knot.log"
any: "debug"
database:
storage: "/var/lib/knot"
policy:
- id: "niver"
algorithm: "ed25519"
nsec3: "on"
template:
- id: "niver"
storage: "/var/lib/knot/zones"
file: "%s.zone"
dnssec-signing: "on"
dnssec-policy: "niver"
zone:
- domain: "niv.re."
template: "niver"
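Review bot: `any: "debug"` on a file log target records every query and update in full detail; for a production nameserver `info` (or `warning`, with `debug` only while troubleshooting) keeps the log readable and keeps `/var/log/knot.log` from filling the disk. That file must be writable by `knot:knot` (the `user:` set above) or Knot fails at startup, and nothing in the install pages creates it. `listen: [ "0.0.0.0@53", "::@53" ]` with no `remote`/`acl` sections is fine for an authoritative-only server, but zone transfers and dynamic updates are then implicitly denied, which is the right default here and worth a comment.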

nginx/dhparam (+8)

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
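Review bot: this is the published RFC 7919 `ffdhe2048` group (the one Mozilla's TLS configuration generator ships), so it is not secret and needs no regeneration; a one-line comment above the PEM block saying where it comes from would stop a future maintainer from replacing it with `openssl dhparam` output under the impression it has to be unique.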

nginx/inc/errors.conf (+71)

@ -0,0 +1,71 @@
recursive_error_pages on;
return 404;
# 403 Forbidden
error_page 403 @403;
location @403 {
root /srv/http/errors;
try_files /403.html =500;
}
# 404 Not Found
error_page 404 @local404;
location @local404 {
try_files /404.html /404.md /404.gmi @niver404;
}
location @niver404 {
root /srv/http/errors;
try_files /404.php =500;
index 404.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/errors.sock;
include inc/fastcgi.conf;
}
# 405 Method Not Allowed
error_page 405 @405;
location @405 {
root /srv/http/errors;
try_files /405.html =500;
}
# 410 Gone
error_page 410 @410;
location @410 {
root /srv/http/errors;
try_files /410.html =500;
}
# 418 I'm a teapot
error_page 418 @418;
location @418 {
root /srv/http/errors;
try_files /418.html =500;
}
# 500 Internal Server Error
error_page 500 @500;
location @500 {
root /srv/http/errors;
try_files /500.html =500;
}
# 502 Bad Gateway
error_page 502 @502;
location @502 {
root /srv/http/errors;
try_files /502.html =500;
}
# 503 Service Unavailable
error_page 503 @503;
location @503 {
root /srv/http/errors;
try_files /503.html =500;
}
# 504 Gateway Timeout
error_page 504 @504;
location @504 {
root /srv/http/errors;
try_files /504.html =500;
}
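Review bot: `return 404;` at the top of this include lands in the `server` context of every site that includes it (niver.atope.art.conf does), and a server-level `return` is executed in the rewrite phase before any `location` is matched, so every request to that server is answered 404 through `@local404`; unless that is intentional, move it into a `location / { ... }` or drop it in favour of the site's `try_files`. With `recursive_error_pages on`, the `=500` fallback inside `@500` (and in the other handlers) loops back into `error_page 500 @500` whenever `/500.html` is missing, which nginx only stops with an internal-redirection-cycle error; give the `@500` handler a terminal response (`return 500;`) instead of a second error_page hop. `@local404` deliberately has no `root`, so it looks for `/404.html`, `/404.md` and `/404.gmi` in the site's own document root; a comment saying this is the user-supplied 404 page would save the next reader a guess.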

nginx/inc/fastcgi.conf (+26)

@ -0,0 +1,26 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

nginx/inc/intermediate.conf (+5)

@ -0,0 +1,5 @@
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam;
include inc/security.conf;

nginx/inc/modern.conf (+3)

@ -0,0 +1,3 @@
ssl_protocols TLSv1.3;
include inc/security.conf;

nginx/inc/niver-csp.conf (+1)

@ -0,0 +1 @@
more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none';";
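Review bot: nothing in this commit includes `inc/niver-csp.conf`; niver.atope.art.conf sets its own `Content-Security-Policy` (`default-src 'none'; style-src 'self'`), which is stricter than this file's `default-src 'self'`. Either include this file from the site config or delete it, so the two policies cannot drift apart.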

nginx/inc/security.conf (+24)

@ -0,0 +1,24 @@
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-XSS-Protection : 1; mode=block";
more_set_headers "X-Download-Options : noopen";
more_set_headers "X-Permitted-Cross-Domain-Policies : none";
more_set_headers "X-Frame-Options : DENY";
more_set_headers "Referrer-Policy : no-referrer";
more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
#more_set_headers "Server : nginx Niver";
more_clear_headers Server;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/niver.atope.art/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/niver.atope.art/privkey.pem;
autoindex off;
gzip off;
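Review bot: `ssl_stapling on` needs a `resolver` directive in the http or server context to look up the OCSP responder, and none is set in nginx.conf or the site config; without it nginx logs a resolver error and serves no stapled response, so `ssl_stapling_verify on` never has anything to verify. `X-XSS-Protection: 1; mode=block` is deprecated; current guidance is `0` (or omit it and rely on the CSP). Putting `ssl_certificate`/`ssl_certificate_key` for niver.atope.art in an include that nginx.conf loads at `http` level makes that certificate the default for every server block, including the user sites generated from dns.template, which then carry two `ssl_certificate` lines; keep certificate paths in the site files and only the shared policy here. The HSTS line with `includeSubDomains; preload` also reaches user domains through intermediate.conf, which is a commitment on their behalf that is hard to undo.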

nginx/mimetypes/full.conf (+1003)

File diff suppressed because it is too large

nginx/mimetypes/strict.conf (+39)

@ -0,0 +1,39 @@
types {
text/plain txt;
text/gemini gmi;
text/markdown md;
text/html html;
text/css css;
text/xml xml;
text/csv csv;
text/javascript js;
application/xhtml+xml xhtml;
application/atom+xml atom;
application/rss+xml rss;
application/json json;
application/gzip gz;
application/zip zip;
application/epub+zip epub;
application/pdf pdf;
font/woff woff;
font/woff2 woff2;
image/png png;
image/tiff tif tiff;
image/gif gif;
image/jpeg jpeg jpg;
image/svg+xml svg svgz;
image/webp webp;
audio/mpeg mp3;
audio/ogg ogg oga opus spx;
audio/webm weba;
audio/flac flac;
video/webm webm;
video/mp4 mp4;
video/ogg ogv;
}
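Review bot: the site config lists `index.htm`, but this map has no `htm` extension (only `html`), so an `index.htm` is served as `application/octet-stream` (the `default_type` in nginx.conf); add `htm` to the `text/html` line or drop it from `index`. There is no `ico` either, so favicons are offered as downloads. For user-uploaded sites, `text/html` and `image/svg+xml` are the types that execute script in the browser; that is the expected trade-off for a hosting service, but note that the user sites in dns.template get no `Content-Security-Policy` at all (security.conf sets none), only the main site does.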

nginx/nginx.conf (+27)

@ -0,0 +1,27 @@
load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
worker_processes auto;
events {}
http {
include mimetypes/strict.conf;
default_type application/octet-stream;
#types_hash_bucket_size 128; # Default: 64
#types_hash_max_size 1024; # Default: 1024
sendfile on;
#tcp_nopush on;
gzip_static on;
include sites/*.conf;
include inc/security.conf;
server_tokens off;
#map $http_accept_language $lang {
# default en;
# ~en en;
# ~fr fr;
#}
}
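Review bot: there is no `user` directive, so workers run as the build's default user; the PHP-FPM pools hand their sockets to `http` (`listen.owner = http`, `listen.group = http`), so add `user http;` explicitly rather than relying on the package default. `include inc/security.conf;` after `include sites/*.conf;` is fine ordering-wise (nginx merges contexts after parsing), but at `http` level it drags the niver.atope.art `ssl_certificate` into every server; see the note on security.conf. `events {}` leaves `worker_connections` at its default, which is low for an HTTP/2 server. `gzip_static on` with `gzip off` (security.conf) is the right combination against compression side channels only if the pre-compressed `.gz` files never contain per-user content.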

nginx/sites/niver.atope.art.conf (+31)

@ -0,0 +1,31 @@
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name niver.atope.art;
root /srv/http/niver;
index index.php index.html index.htm;
try_files $uri $uri/ @extensionless-php; # $uri.html
index index.php;
include inc/modern.conf;
include inc/errors.conf;
error_log /var/log/nginx/niver.atope.art-error.log;
access_log /var/log/nginx/niver.atope.art-access.log;
more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self';";
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/niver.sock;
#fastcgi_index index.php;
include inc/fastcgi.conf;
try_files $uri =404;
}
location @extensionless-php {
rewrite ^(.*)$ $1.php last;
}
}
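Review bot: `index` is set twice (`index index.php index.html index.htm;` and then `index index.php;`); keep a single `index` line so the intended order is unambiguous. `fastcgi_split_path_info` is set in the PHP location but `inc/fastcgi.conf` never passes `PATH_INFO`, so the split has no effect; either add `fastcgi_param PATH_INFO $fastcgi_path_info;` or remove the split (and `try_files $uri =404` already excludes the `/x.php/y` pattern it exists for). The `@extensionless-php` rewrite turns any unmatched URI into `$uri.php` and hands it to the PHP location, so `/foo/` becomes `/foo/.php`; that is harmless only because `try_files $uri =404` in the PHP location refuses to execute files that do not exist, so keep that line. There is no port-80 server for this host, so plain-HTTP requests hit whatever `default_server` exists on :80 (none in this commit) instead of being redirected.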

php-fpm/errors.conf (+27)

@ -0,0 +1,27 @@
[errors]
user = php-$pool
group = php-$pool
listen = /run/php-fpm/$pool.sock
listen.owner = http
listen.group = http
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
chdir = /srv/http/$pool
;chroot = /srv/http/$pool
catch_workers_output = yes
decorate_workers_output = yes
clear_env = yes
security.limit_extensions = .php

php-fpm/niver.conf (+26)

@ -0,0 +1,26 @@
[niver]
user = php-$pool
group = knot
listen = /run/php-fpm/$pool.sock
listen.owner = http
listen.group = http
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
access.log = /var/log/php/$pool-access.log
chdir = /srv/http/$pool
catch_workers_output = yes
decorate_workers_output = yes
clear_env = yes
security.limit_extensions = .php
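Review bot: `group = knot` makes every file the PHP workers create group-owned by `knot`, and together with `chmod -R 770 /var/lib/knot` in arch/niver-php.md it is what gives the web code write access to Knot's whole database directory, DNSSEC keys included; if the intent is only to write zone files, a dedicated group on `/var/lib/knot/zones` is enough. `chroot` is commented out in errors.conf and absent here; with `clear_env = yes` and `security.limit_extensions = .php` the rest of the pool is reasonably locked down.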

share/banner.txt (+1)

@ -0,0 +1 @@
SFTP Access for Niver users

share/knot.template (+2)

@ -0,0 +1,2 @@
DOMAIN 3600 SOA ns1.atope.art. hostmaster.antopie.org. 1 21600 7200 3628800 3600
DOMAIN 86400 NS ns1.atope.art.
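Review bot: every delegated zone gets a single NS (`ns1.atope.art.`), so there is no redundancy and some registries reject delegations with fewer than two nameservers on different hosts; if a second server is not available, say so in about.md under missing features. The SOA serial starts at `1`; since knot.conf turns on `dnssec-signing` and the records are edited through a form (about.md), confirm that Knot's serial handling, not the template, is what bumps the serial on every change.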

share/nginx/dns.template (+27)

@ -0,0 +1,27 @@
server {
listen 80;
listen [::]:80;
server_name DOMAIN;
return 301 https://DOMAIN$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name DOMAIN;
root /srv/hyper/USER/hyper/DIR;
ssl_certificate /etc/letsencrypt/live/host.atope.art/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.atope.art/privkey.pem;
access_log /var/log/nginx/DOMAIN-access.log;
error_log /var/log/nginx/DOMAIN-error.log;
include /etc/nginx/inc/intermediate.conf.inc;
default_type text/plain;
location / {
try_files $uri $uri.html $uri/ =404;
}
}
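Review bot: `include /etc/nginx/inc/intermediate.conf.inc;` but the file added in this commit is `nginx/inc/intermediate.conf` (no `.inc`), so every generated site fails `nginx -t`; it is also the only include using an absolute path, where the site config uses `inc/...`. The template sets `ssl_certificate` for `host.atope.art` and then, via intermediate.conf, pulls in security.conf, which sets another `ssl_certificate` for niver.atope.art; nginx loads both and OpenSSL keeps one per key type, so the one served is likely the last loaded rather than the one written here, and neither covers DOMAIN unless certbot rewrites these lines afterwards (about.md promises Let's Encrypt certificates, so document that step). `root /srv/hyper/USER/hyper/DIR` does not match share/skel/about.txt, which tells users to upload into `ht/` under their home (and sshd chroots them to `%h`). `default_type text/plain` is a good choice for user uploads with unknown extensions.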

share/nginx/onion.template (+9)

@ -0,0 +1,9 @@
server {
listen [::1]:80;
server_name DOMAIN;
root /srv/hyper/USER/hyper/DIR;
location / {
try_files $uri $uri.html $uri/ =404;
}
}

share/skel/about.txt (+5)

@ -0,0 +1,5 @@
Ceci est le dossier personnel des utilisataires de Niver.
Vous pouvez téléverser votre site dans un sous-dossier d'ht/.
This is the personnal directory for Niver users.
You can upload your site into a subdirectory of ht/.
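Review bot: spelling: `utilisataires` should be `utilisateurs` in the French line and `personnal` should be `personal` in the English one.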

sshd_config (+88)

@ -0,0 +1,88 @@
# Potiron
LogLevel INFO # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
#VersionAddendum Niver
AllowGroups root ht
Subsystem sftp /usr/lib/ssh/sftp-server
## Network
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port 22
## Cryptography
HostKey /etc/ssh/keys/ed25519
HostKey /etc/ssh/keys/rsa-3072
Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
## Sessions
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 6
MaxSessions 1
MaxStartups 3:20:200
LoginGraceTime 3m
PrintMotd yes
## Disable everything
PermitTTY no
PermitTunnel no
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
DisableForwarding yes # Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal.
PermitUserRC no
PermitUserEnvironment no
IgnoreRhosts yes
AuthorizedKeysFile none
AuthenticationMethods none
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
## Enable usefull features
### Administrator access
Match Group root
#### Authentication
PubkeyAuthentication yes
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
#### Allow the use of a terminal
PermitTTY yes
### SFTP access
Match Group ht
#### Authentication
PasswordAuthentication yes
AuthenticationMethods password
#AuthorizedKeysFile keys
#### Chroot to the home directory
ChrootDirectory %h # %h is home directory, %u is username
#### Only SFTP can be used
ForceCommand internal-sftp
#### Print a message before login
Banner /usr/local/share/niver/banner.txt
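Review bot: sshd_config has no inline comments, so `LogLevel INFO # The possible values...`, `DisableForwarding yes # ...` and `ChrootDirectory %h # %h is home directory...` are parsed as extra arguments and sshd rejects the file; move those comments onto their own `#` lines and run `sshd -t` before deploying. `ChrootDirectory %h` only works when each home directory is owned by root and not group/world-writable, so the users' writable area has to be a subdirectory (`ht/`, as share/skel/about.txt says); that constraint belongs next to the directive. `Subsystem sftp /usr/lib/ssh/sftp-server` is never used because the `ht` group is forced to `internal-sftp` (which is also what a chroot with no binaries inside needs), so the Subsystem line can be `internal-sftp` too. The default-deny layout (`AuthenticationMethods none`, `AuthorizedKeysFile none`, features re-enabled per `Match` block) with `AllowGroups root ht` is good; with `UsePAM no`, password checks for the `ht` group are done by sshd against the shadow file directly, so no PAM lockout or second factor applies and `MaxAuthTries 6` / `MaxStartups 3:20:200` are the only brute-force limits, which should be paired with a firewall rate limit or fail2ban.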