Update configs

config/knot.conf

@@ -1,27 +0,0 @@
-server:
-    rundir: "/run/knot"
-    user: "knot:knot"
-    listen: [ "0.0.0.0@53", "::@53" ]
-
-log:
-  - target: "/var/log/knot.log"
-    any: "debug"
-
-database:
-    storage: "/var/lib/knot"
-
-policy:
-  - id: "niver"
-    algorithm: "ed25519"
-    nsec3: "on"
-
-template:
-  - id: "niver"
-    storage: "/var/lib/knot/zones"
-    file: "%s.zone"
-    dnssec-signing: "on"
-    dnssec-policy: "niver"
-
-zone:
-  - domain: "niv.re."
-    template: "niver"

config/knot/primary.conf

@@ -0,0 +1,48 @@
+server:
+    version: "Knot DNS"
+    nsid: "Potiron"
+    rundir: "/run/knot"
+    user: "knot:knot"
+    listen: [ "2a01:e0a:15c:2e40:acab:3:3:3@53", "0.0.0.0@53" ]
+
+log:
+  - target: "/var/log/knot.log"
+    any: "debug"
+
+database:
+    storage: "/var/lib/knot"
+
+key:
+  - id: "potironframboise."
+    algorithm: "hmac-sha512"
+    secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+remote:
+  - id: "Framboise"
+    address: [ "2a0b:cbc0:1103:2::106f@53", "45.13.104.169@53" ]
+    key: "potironframboise."
+
+acl:
+  - id: "FramboiseTrans"
+    address: [ "2a0b:cbc0:1103:2::106f", "45.13.104.169" ]
+    key: "potironframboise."
+    action: "transfer"
+
+policy:
+  - id: "niver"
+    algorithm: "ed25519"
+    nsec3: "on"
+
+template:
+  - id: "niver"
+    storage: "/var/lib/knot/zones"
+    file: "%s.zone"
+    notify: "Framboise"
+    acl: "FramboiseTrans"
+    zonefile-load: "difference"
+    dnssec-signing: "on"
+    dnssec-policy: "niver"
+
+zone:
+  - domain: "niv.re."
+    template: "niver"

config/knot/secondary.conf

@@ -0,0 +1,40 @@
+server:
+    version: "Knot DNS"
+    nsid: "Framboise"
+    rundir: "/run/knot"
+    user: "knot:knot"
+    listen: [ "2a0b:cbc0:1103:2::106f@53", "0.0.0.0@53" ]
+
+log:
+  - target: "/var/log/knot.log"
+    any: "debug"
+
+database:
+    storage: "/var/lib/knot"
+
+key:
+  - id: "potironframboise."
+    algorithm: "hmac-sha512"
+    secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+remote:
+  - id: "Potiron"
+    address: [ "2a01:e0a:15c:2e40:acab:3:3:3@53", "82.66.61.19@53" ]
+    key: "potironframboise."
+
+acl:
+  - id: "PotironNotif"
+    address: [ "2a01:e0a:15c:2e40:acab:3:3:3", "82.66.61.19" ]
+    key: "potironframboise."
+    action: "notify"
+
+template:
+  - id: "niver"
+    storage: "/var/lib/knot/zones"
+    file: "%s.zone"
+    master: "Potiron"
+    acl: "PotironNotif"
+
+zone:
+  - domain: "niv.re."
+    template: "niver"

config/nginx/default-server.conf

@@ -0,0 +1,29 @@
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    ssl_certificate /etc/ssl/certs/niver.crt;
+    ssl_certificate_key /etc/ssl/private/niver.key;
+    ssl_stapling off;
+
+    root /var/www/errors;
+    try_files index.php index.html $uri $uri/;
+    index index.php index.html;
+
+    location / {
+        root /var/www/errors;
+        try_files /index.php =500;
+        index index.php;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/errors.sock;
+        include /etc/nginx/inc/fastcgi.conf;
+    }
+    
+    include /etc/nginx/inc/tls.conf;
+    include /etc/nginx/inc/errors.conf;
+
+    error_log /var/log/nginx/default-server-error.log info;
+    access_log /var/log/nginx/default-server-access.log;
+
+    more_set_headers "Content-Security-Policy : default-src 'none'; frame-ancestors 'none';";
+}

config/nginx/dhparam

@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
-+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
-87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
-YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
-7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
-ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
------END DH PARAMETERS-----

config/nginx/http.conf

@@ -0,0 +1,20 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    
+    return 400; # Don't allow unsecure HTTP requests
+    
+    # Display an explanation page
+    error_page 400 @http400;
+    location @http400 {
+    	root /var/www/errors;
+    	try_files /http.php =500;
+   	index http.php;
+   	fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    	fastcgi_pass unix:/var/run/php/errors.sock;
+        include inc/fastcgi.conf;
+    }
+
+    error_log /var/log/nginx/http-error.log info;
+    access_log /var/log/nginx/http-access.log;
+}

config/nginx/inc/errors.conf

@@ -1,9 +1,9 @@
 recursive_error_pages on;
-return 404;
+
 # 403 Forbidden
 error_page 403 @403;
 location @403 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /403.html =500;
 }
 
@@ -13,59 +13,60 @@ location @local404 {
     try_files /404.html /404.md /404.gmi @niver404;
 }
 location @niver404 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /404.php =500;
-    index 404.php;
+    index /404.php;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/var/run/php-fpm/errors.sock;
+    fastcgi_pass unix:/var/run/php/errors.sock;
     include inc/fastcgi.conf;
+    fastcgi_index /404.php;
 }
 
 # 405 Method Not Allowed
 error_page 405 @405;
 location @405 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /405.html =500;
 }
 
 # 410 Gone
 error_page 410 @410;
 location @410 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /410.html =500;
 }
 
 # 418 I'm a teapot
 error_page 418 @418;
 location @418 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /418.html =500;
 }
 
 # 500 Internal Server Error
 error_page 500 @500;
 location @500 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /500.html =500;
 }
 
 # 502 Bad Gateway
 error_page 502 @502;
 location @502 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /502.html =500;
 }
 
 # 503 Service Unavailable
 error_page 503 @503;
 location @503 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /503.html =500;
 }
 
 # 504 Gateway Timeout
 error_page 504 @504;
 location @504 {
-    root /srv/http/errors;
+    root /var/www/errors;
     try_files /504.html =500;
 }

config/nginx/inc/ffdhe3072.pem

@@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgEC
+-----END DH PARAMETERS-----

config/nginx/inc/ffdhe4096.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----

config/nginx/inc/intermediate.conf

@@ -1,5 +0,0 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_dhparam /etc/nginx/dhparam;
-
-include inc/security.conf;

config/nginx/inc/security.conf

@@ -3,22 +3,17 @@ more_set_headers "X-XSS-Protection : 1; mode=block";
 more_set_headers "X-Download-Options : noopen";
 more_set_headers "X-Permitted-Cross-Domain-Policies : none";
 more_set_headers "X-Frame-Options : DENY";
-more_set_headers "Referrer-Policy : no-referrer";
+more_set_headers "Referrer-Policy : same-origin"; # no-referrer
 more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
 #more_set_headers "Server : nginx Niver";
 
 more_clear_headers Server;
 
+ssl_prefer_server_ciphers off;
+
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
-ssl_prefer_server_ciphers off;
-ssl_stapling on;
-ssl_stapling_verify on;
-
-ssl_certificate /etc/letsencrypt/live/niver.atope.art/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/niver.atope.art/privkey.pem;
-
-autoindex off;
 
-gzip off;
+#ssl_stapling on;
+#ssl_stapling_verify on;

config/nginx/inc/tls.conf

@@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;#:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ssl_ecdh_curve X25519:X448;
+
+#ssl_dhparam /etc/nginx/inc/ffdhe3072.pem;
+
+include inc/security.conf;

config/nginx/mimetypes/full.conf

@@ -1,3 +1,4 @@
+default_type  application/octet-stream;
 types {
 application/A2L					a2l;
 application/AML					aml;

config/nginx/mimetypes/strict.conf

@@ -1,3 +1,4 @@
+default_type text/plain;
 types {
     text/plain            txt;
     text/gemini           gmi;

config/nginx/nginx.conf

@@ -1,24 +1,34 @@
 load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
 worker_processes auto;
+user www-data www-data;
 
 events {}
 http {
-    include       mimetypes/strict.conf;
-    default_type  application/octet-stream;
+    include mimetypes/strict.conf;
 
-    #types_hash_bucket_size 128; # Default: 64
-    #types_hash_max_size 1024; # Default: 1024
+    types_hash_bucket_size 128; # Default: 64
+    types_hash_max_size 1024; # Default: 1024
+    server_names_hash_bucket_size 128;
 
-    sendfile        on;
+    #sendfile        on;
     #tcp_nopush     on;
     
     gzip_static on;
 
+    log_format tls '$remote_addr $ssl_protocol $ssl_cipher [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
+
+    include http.conf;
+    include default-server.conf;
     include sites/*.conf;
-    include inc/security.conf;
+    include ht/*.conf;
 
     server_tokens off;
     
+    autoindex off;
+
+    gzip off;
+
+
     #map $http_accept_language $lang {
     #    default en;
     #    ~en en;

config/nginx/sites/freebox.conf.dis

@@ -0,0 +1,48 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name mafreebox.freebox.fr;
+
+    #root /var/www/niver;
+    #index index.php index.html index.htm;
+    #try_files $uri $uri/ @extensionless-php; # $uri.html
+
+    include inc/tls.conf;
+    include inc/errors.conf;
+
+    error_log /var/log/nginx/freebox-error.log info;
+    access_log /var/log/nginx/freebox-access.log;
+
+    #more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none';";
+
+    #location ~ ^/motrig/(db|less|lessphp|inc|niver.log) {
+    #    return 403;
+    #}
+    location / {
+        allow 2a0b:cbc0:1103:2::106f;
+        allow 192.168.1.9;
+	deny all;
+        proxy_pass https://mafreebox.freebox.fr;
+        proxy_ssl_verify off;    
+    }
+
+    #location ~ \.inc.php$ {
+   #    return 403;
+   # }
+
+    #location ~ \.php$ {
+    #    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    #    fastcgi_pass unix:/var/run/php/niver.sock;
+    #    #fastcgi_index index.php;
+    #    include inc/fastcgi.conf;
+    #    try_files $uri =404;
+    #}
+
+    #location @extensionless-php {
+    #    rewrite ^(.*)$ $1.php last;
+    #}
+
+    ssl_certificate /etc/letsencrypt/live/niver.4.niv.re/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/niver.4.niv.re/privkey.pem;
+}
+

config/nginx/sites/niver.4.niv.re.conf

@@ -0,0 +1,47 @@
+#server {
+#    listen 80;
+#    listen [::]:80;
+#    server_name niver.4.niv.re;
+#    return 301 https://niver.4.niv.re$request_uri;
+#}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name niver.4.niv.re;
+
+    root /var/www/niver;
+    index index.php index.html index.htm;
+    try_files $uri $uri/ @extensionless-php;
+
+    include inc/tls.conf;
+    include inc/errors.conf;
+
+    error_log /var/log/nginx/niver.4.niv.re-error.log info;
+    access_log /var/log/nginx/niver.4.niv.re-access.log tls;
+
+    more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self'; frame-ancestors 'none';";
+
+    location ~ ^/motrig/(db|less|lessphp|inc|niver.log) {
+    	return 403;
+    }
+
+    location ~ \.inc.php$ {
+    	return 403;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/niver.sock;
+        #fastcgi_index index.php;
+        include inc/fastcgi.conf;
+        try_files $uri =404;
+    }
+
+    location @extensionless-php {
+        rewrite ^(.*)$ $1.php last;
+    }
+
+    ssl_certificate /etc/letsencrypt/live/niver.4.niv.re/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/niver.4.niv.re/privkey.pem;
+}

config/nginx/sites/niver.atope.art.conf

@@ -1,31 +0,0 @@
-server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
-    server_name niver.atope.art;
-
-    root /srv/http/niver;
-    index index.php index.html index.htm;
-    try_files $uri $uri/ @extensionless-php; # $uri.html 
-    index index.php;
-
-    include inc/modern.conf;
-    include inc/errors.conf;
-
-    error_log /var/log/nginx/niver.atope.art-error.log;
-    access_log /var/log/nginx/niver.atope.art-access.log;
-
-    more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self';";
-
-    location ~ \.php$ {
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass unix:/var/run/php-fpm/niver.sock;
-        #fastcgi_index index.php;
-        include inc/fastcgi.conf;
-        try_files $uri =404;
-    }
-
-    location @extensionless-php {
-        rewrite ^(.*)$ $1.php last;
-    }
-    
-}

config/php-fpm/errors.conf

@@ -3,10 +3,10 @@
 user = php-$pool
 group = php-$pool
 
-listen = /run/php-fpm/$pool.sock
+listen = /run/php/$pool.sock
 
-listen.owner = http
-listen.group = http
+listen.owner = www-data
+listen.group = www-data
 
 pm = dynamic
 pm.max_children = 5
@@ -16,8 +16,8 @@ pm.max_spare_servers = 3
 
 access.log = /var/log/php/$pool-access.log
 
-chdir = /srv/http/$pool
-;chroot = /srv/http/$pool
+;chroot = /var/www/errors
+chdir = /var/www/errors
 
 catch_workers_output = yes
 decorate_workers_output = yes

config/php-fpm/niver.conf

@@ -3,10 +3,10 @@
 user = php-$pool
 group = knot
 
-listen = /run/php-fpm/$pool.sock
+listen = /run/php/$pool.sock
 
-listen.owner = http
-listen.group = http
+listen.owner = www-data
+listen.group = www-data
 
 pm = dynamic
 pm.max_children = 5
@@ -16,7 +16,7 @@ pm.max_spare_servers = 3
 
 access.log = /var/log/php/$pool-access.log
 
-chdir = /srv/http/$pool
+chdir = /var/www/$pool
 
 catch_workers_output = yes
 decorate_workers_output = yes

config/share/knot.template

@@ -1,2 +1,3 @@
-DOMAIN 3600 SOA ns1.atope.art. hostmaster.antopie.org. 1 21600 7200 3628800 3600
-DOMAIN 86400 NS ns1.atope.art.
+DOMAIN 3600 SOA potiron.niver.4.niv.re. hostmaster.antopie.org. 1 21600 7200 3628800 3600
+DOMAIN 86400 NS potiron.niver.4.niv.re.
+DOMAIN 86400 NS framboise.niver.4.niv.re.

config/share/nginx/dns.template

@@ -1,23 +1,16 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name DOMAIN;
-    return 301 https://DOMAIN$request_uri;
-}
-
 server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
     server_name DOMAIN;
-    root /srv/hyper/USER/hyper/DIR;
+    root /srv/ht/USER/ht/DIR;
 
-    ssl_certificate /etc/letsencrypt/live/host.atope.art/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/host.atope.art/privkey.pem;
+    ssl_certificate /etc/ssl/certs/niver.crt;
+    ssl_certificate_key /etc/ssl/private/niver.key;
 
     access_log /var/log/nginx/DOMAIN-access.log;
     error_log /var/log/nginx/DOMAIN-error.log;
 
-    include /etc/nginx/inc/intermediate.conf.inc;
+    include inc/tls.conf;
 
     default_type text/plain;
 

config/share/nginx/onion.template

@@ -1,7 +1,12 @@
 server {
     listen [::1]:80;
     server_name DOMAIN;
-    root /srv/hyper/USER/hyper/DIR;
+    root /srv/ht/USER/ht/DIR;
+
+    include inc/errors.conf;
+
+    access_log off;
+    error_log off;
 
     location / {
         try_files $uri $uri.html $uri/ =404;

config/share/skel/about.txt

@@ -1,5 +1,5 @@
-Ceci est le dossier personnel des utilisataires de Niver.
+Ceci est l'espace dédié à vos sites.
 Vous pouvez téléverser votre site dans un sous-dossier d'ht/.
 
-This is the personnal directory for Niver users.
+This is the space dedicated to your sites.
 You can upload your site into a subdirectory of ht/.

config/sshd_config

@@ -3,7 +3,8 @@
 LogLevel INFO # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 #VersionAddendum Niver
 AllowGroups root ht
-Subsystem sftp /usr/lib/ssh/sftp-server
+Subsystem sftp internal-sftp
+#Subsystem sftp sftp-server
 
 ## Network
 
@@ -14,8 +15,8 @@ Port 22
 
 ## Cryptography
 
-HostKey /etc/ssh/keys/ed25519
-HostKey /etc/ssh/keys/rsa-3072
+HostKey /etc/ssh/ed25519
+HostKey /etc/ssh/rsa-3072
 
 Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
 HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
@@ -32,6 +33,8 @@ MaxStartups 3:20:200
 LoginGraceTime 3m
 PrintMotd yes
 
+UsePAM yes
+
 ## Disable everything
 
 PermitTTY no
@@ -55,8 +58,6 @@ KbdInteractiveAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 
-UsePAM no
-
 ## Enable usefull features
 
 ### Administrator access