# $Id: sshd_config,v 1.14 2021/10/14 19:53:59 nanons Exp $
#
# sshd(8) configuration (sshd_config(5))

# Uncomment the two lines below to listen only on the IPv4 loopback
# address (by default sshd listens on all interfaces).  With them enabled,
# the SSH server will not be accessible from the LAN or the outside world.
#AddressFamily inet
#ListenAddress 127.0.0.1

# Disable all authentication methods except public key to minimize
# attack surface.  To use public key authentication, append the contents
# of your public key file (id_rsa.pub or id_ed25519.pub, located in the
# ~/.ssh directory on the client) to the remote user's
# ~/.ssh/authorized_keys file.  Only the .pub file is copied; the private
# key never leaves the client.
# Only password and keyboard-interactive are switched off explicitly here;
# other methods (host-based, GSSAPI) are assumed to remain at their default
# of "no".  "sshd -T" prints the effective settings for verification.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# Disable forwarding all supported protocols; remove if needed
# Note that disabling forwarding does not improve security unless users
# are also denied shell access, as they can always install their own
# forwarders.
# This option overrides every other forwarding-related option
# (X11Forwarding, AllowTcpForwarding, ...), so a Match block that is meant
# to re-enable one kind of forwarding must also set "DisableForwarding no".
DisableForwarding yes

# Don't print any system information on interactive login
# Recommended if hosting public SSH services
#PrintLastLog no
#PrintMotd no

# Path to private Ed25519 host key
# Multiple HostKey directives can be used for multiple keys
# Once a HostKey is given explicitly the built-in default key files are no
# longer loaded, so only the key types listed here are offered to clients.
# sshd refuses to use a host key file that is group- or world-accessible.
HostKey /etc/ssh/ssh_host_ed25519_key

# Only allow login as the users "bob" and "alice"
# If you do not use this option, then at least set "PermitRootLogin no"
# to disallow the "root" user from logging in with a public key.
# Every user not named here is refused, whatever a later Match block
# grants: "Match User puffy" at the end of this file cannot take effect
# unless "puffy" is added to this list.
AllowUsers bob alice

# Disallow users other than "bob" access to the TTY
# Allowing TTY access for regular interactive sessions is recommended
# PermitTTY only controls pty allocation: a user without a TTY can still
# run commands non-interactively.  Restricting what a user may execute
# takes ForceCommand or a restricted login shell.
# A Match block extends to the next Match line or the end of the file;
# the indentation is only for readability.
PermitTTY no
Match User bob
	PermitTTY yes

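# Allow user "puffy" to access the X(7) server
# The global "DisableForwarding yes" overrides every other forwarding
# option, so X11Forwarding on its own has no effect.  It is switched off
# for this user only, and the remaining forwarding types are denied
# individually so that nothing beyond X11 is re-enabled.
# "puffy" must also be listed in AllowUsers; otherwise the login is
# refused and this block is never applied.
Match User puffy
	DisableForwarding no
	X11Forwarding yes
	AllowTcpForwarding no
	AllowAgentForwarding no
	AllowStreamLocalForwarding no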
