SSH

openssh-server (getestet mit Version 8.2 - 8.3 Debian Testing und Ubuntu 18.04/20.04)

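# WARNING: Check before applying changes!
# Validate the file with `sshd -t` and keep an existing session open while
# reloading, so that a mistake here does not lock you out.
# file: /etc/ssh/sshd_config

# No effect on current releases (SSH protocol 1 support has been removed from
# OpenSSH); only meaningful on very old installs.
Protocol 2

# Keys
# Only Ed25519 and RSA host keys are offered; no DSA/ECDSA host keys are loaded.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Encryption
# diffie-hellman-group-exchange-sha256 takes its groups from /etc/ssh/moduli;
# check that the file contains no small moduli.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# NOTE(review): this list predates the "Terrapin" prefix-truncation finding.
# chacha20-poly1305@openssh.com is affected on builds without the strict key
# exchange countermeasure (added in OpenSSH 9.6) - re-check against current
# guidance before reuse.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Encrypt-then-MAC variants come first; the plain variants remain as fallback.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Login/Logout:
PermitRootLogin no
LoginGraceTime 2m
StrictModes yes
MaxAuthTries 3
MaxSessions 10
# Keep-alive probes detect unresponsive clients; they are not an idle-session
# timeout for a user who is merely inactive.
ClientAliveInterval 600
# Was 0. From OpenSSH 8.2 on, 0 disables connection termination entirely
# (earlier releases treated 0 differently), so unresponsive clients were never
# dropped on the versions this page was tested with.
ClientAliveCountMax 1

# Authentication Methods
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# With PAM off, the PAM account and session modules configured for sshd are
# skipped for every login. Confirm nothing on the host depends on them.
UsePAM no

AuthenticationMethods publickey

# Users & Groups

# note: AllowUsers does not replace AllowGroups - if both are set, a login has
# to satisfy both, be careful
#AllowUsers admin@134.34.1.* user1@134.34.0.0/16 user1@2001:7c0:2800::/40 

# Only members of group sudo may log in at all.
AllowGroups sudo

# Two-Factor-Auth for privileged users
# Because AllowGroups admits only group sudo, this block applies to every
# account that can log in: key AND password are both required, and the global
# "PasswordAuthentication no" is overridden here. With UsePAM no the password
# factor is checked without PAM.
match group sudo
	PubkeyAuthentication yes
	PasswordAuthentication yes
	AuthenticationMethods publickey,password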

openssh-client (getestet mit Version 8.0 Debian Testing)

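# File: /etc/ssh/ssh_config
# add under Host *
    # Store host names in known_hosts as hashes, so the file does not list
    # the hosts this account has connected to.
    HashKnownHosts yes
    # Same algorithm selection as on the server side.
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    ConnectTimeout 30
    ServerAliveInterval 10
    # Connection sharing: later sessions to the same user@host:port reuse the
    # already authenticated master connection and do not authenticate again
    # (this includes the second factor required by the server config).
    ControlMaster auto
    # Was "yes", which keeps the master open in the background indefinitely.
    # A time limit closes it after that period without client connections;
    # adjust the value to local policy.
    ControlPersist 10m
    # The socket grants access to the authenticated session; ~/.ssh must not
    # be accessible to other users.
    ControlPath ~/.ssh/socket-%r@%h:%p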