LogLevel INFO
AllowUsers root
Subsystem sftp internal-sftp
UsePAM yes

# Network
AddressFamily any
ListenAddress [::]
ListenAddress 0.0.0.0
Port 42022

# Cryptography
HostKey /etc/ssh/ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
HostKeyAlgorithms ssh-ed25519
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

# Sessions
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 6
MaxSessions 1
MaxStartups 3:20:200
LoginGraceTime 3m
PrintMotd yes

# Disable everything
PermitTTY no
PermitTunnel no
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
# Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal.
DisableForwarding yes
PermitUserRC no
PermitUserEnvironment no
IgnoreRhosts yes
AuthorizedKeysFile none
AuthenticationMethods none
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

# Enable what is necessary
Match User root
    PermitTTY yes
    PubkeyAuthentication yes
    AuthenticationMethods publickey
    AuthorizedKeysFile .ssh/authorized_keys