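# sshd_config for a dedicated backup instance of the OpenSSH server:
# SFTP only, public key authentication only, users chrooted to their home
# directories, access limited to one group.

# Listen on separate port for backup purposes.
Port 2222

# Use the SSH protocol version 2 (which is safer).
# NOTE(review): newer OpenSSH releases only speak protocol 2 and treat this
# directive as deprecated; it is kept for older servers.
Protocol 2

# Define dedicated host keys for backup SSH server.
HostKey /etc/ssh-backup/ssh_host_rsa_key
HostKey /etc/ssh-backup/ssh_host_ecdsa_key
HostKey /etc/ssh-backup/ssh_host_ed25519_key

# Use privilege separation for increased security.
# NOTE(review): newer OpenSSH releases always use privilege separation and
# treat this directive as deprecated; it is kept for older servers.
UsePrivilegeSeparation yes

# Configure logging.
SyslogFacility AUTH
LogLevel INFO

# Users have 10 seconds to authenticate once the connection is established.
LoginGraceTime 10

# Don't allow root account logins.
PermitRootLogin no

# Enforce strict checking of the mode and ownership of the user's files and
# home directory. This setting does not govern the ChrootDirectory check:
# sshd checks the ownership and mode of the chroot path unconditionally.
StrictModes yes

# Allow public key authentication.
PubkeyAuthentication yes

# Don't read the user's ~/.rhosts and ~/.shosts files for eventual
# RhostsRSAAuthentication or HostbasedAuthentication.
IgnoreRhosts yes

# Disable host-based authentication.
HostbasedAuthentication no

# Do not allow logins with empty passwords.
PermitEmptyPasswords no

# Don't allow challenge-response authentication.
ChallengeResponseAuthentication no

# Disable password-based authentication.
PasswordAuthentication no

# Disable X11 forwarding.
X11Forwarding no

# Do not print motd to avoid eventual issues for clients.
PrintMotd no

# Do not print the date and time of the last user login.
PrintLastLog no

# Use TCP keepalives for detecting dead connections.
TCPKeepAlive yes

# Use the internal SFTP so we can also easily utilise chroot.
Subsystem sftp internal-sftp

# Use PAM. Because PasswordAuthentication and ChallengeResponseAuthentication
# are both set to "no", PAM is not used for authentication, only for account
# and session processing.
UsePAM yes

# Specify a dedicated PID file for the backup SSH.
PidFile /run/sshd-backup.pid

# Users logging-in are forced to use the SFTP server.
ForceCommand internal-sftp

# Chroot logged-in users to their home directories.
# sshd requires every component of the chroot path, including the home
# directory itself, to be owned by root and not writable by any other user or
# group; otherwise the session is refused. Uploads therefore need a
# user-writable subdirectory inside the home directory.
ChrootDirectory %h

# Do not allow any TCP forwarding.
AllowTCPForwarding no

# Do not allow agent forwarding either. Users of this instance have no shell
# (ForceCommand internal-sftp), so disabling it is an effective restriction.
AllowAgentForwarding no

# Only allow the members of this group to log-in into this instance of OpenSSH
# server.
AllowGroups backup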