### AniNIX::SSH \\ Basic configuration for listening daemon ###

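# Daemon spec #
# Port must precede ListenAddress so the address inherits it.
Port 22
# Binds IPv4 only: once ListenAddress is set sshd no longer listens on ::.
# Add "ListenAddress ::" (after Port) if IPv6 clients must reach this host.
ListenAddress 0.0.0.0
# With UsePAM on, pam_motd may print the MOTD as well, giving a duplicate banner.
PrintMotd yes
PrintLastLog yes
# Refuse to trust ~/.ssh files that are group/world-writable.
StrictModes yes
# Protocol 1 was removed in OpenSSH 7.4; current releases accept and ignore
# this keyword, it only has an effect on legacy builds.
Protocol 2
ChrootDirectory none
# Host keys: RSA and Ed25519 only. DSA is capped at 1024 bits, and both DSA
# and ECDSA leak the private key on a repeated or biased signature nonce;
# ECDSA additionally relies on NIST curves whose parameter provenance is
# not publicly verifiable. Ed25519 uses deterministic nonces and is not
# exposed to that failure mode. https://wiki.archlinux.org/index.php/SSH_keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key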

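# Network Performance #
# On OpenSSH 7.4+ "yes" means delayed compression, enabled only after the
# client has authenticated; earlier releases also compressed pre-auth traffic.
Compression yes
# Keepalive probes go over the encrypted channel every 5 s; after 3 unanswered
# probes (15 s total) the session is torn down. That is aggressive for mobile or
# lossy links - raise ClientAliveInterval if sessions drop unexpectedly.
ClientAliveInterval 5
ClientAliveCountMax 3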

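# Forwarding options #
# All forwarding is off by default; the ssh-forward Match block further down
# re-enables it for that group only.
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
# First display number handed out to forwarded X11 sessions.
X11DisplayOffset 10
# Keep forwarded X11 displays bound to loopback. With "no", sshd binds the
# forwarding listener to the wildcard address, so any host that can reach this
# server can connect to a user's forwarded display; sshd_config(5) recommends
# "yes" and only suggests "no" for old X11 clients that cannot use localhost.
# Only takes effect for accounts that receive X11Forwarding via a Match block.
X11UseLocalhost yes
GatewayPorts no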

# sshd registers no subsystems by default; add SFTP so sftp/scp -s clients work.
# The sftp-home-jail Match block forces the in-process internal-sftp instead.
Subsystem sftp /usr/lib/ssh/sftp-server

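# Authentication #
PubkeyAuthentication yes
# Relative to the user's home directory.
AuthorizedKeysFile .ssh/authorized_keys
# Password logins are still accepted (checked through PAM). On a daemon bound
# to 0.0.0.0 this is the brute-force surface: once every ssh-allow member has a
# key in place, set this to "no". Until then consider lowering MaxAuthTries
# (default 6) and rate-limiting port 22 at the firewall.
PasswordAuthentication yes
UsePAM yes
# Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is an alias.
ChallengeResponseAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Only members of ssh-allow (primary or supplementary group) may log in.
# No DenyGroups is needed: AllowGroups already rejects every other account,
# and sshd patterns are globs (* ? and a leading ! for negation), so a regex
# such as "[^ssh-allow]" would only match a group literally named that and
# silently deny nothing.
AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no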

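## Access Controls ##
# Each Match block applies until the next Match. When a keyword appears in
# several blocks that all match, only the FIRST instance is applied, so an
# account in more than one of these groups gets the earliest block's value.
# Members of ssh-forward get every forwarding type back that is disabled
# globally above, including agent forwarding (exposes the client's agent to
# this host) and tunnel devices.
Match Group ssh-forward
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    X11Forwarding yes
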
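Match Group sftp-home-jail
    # Comments stay on their own lines in this block: sshd takes the rest of a
    # ForceCommand line as the command, and some releases reject trailing text
    # after a single-argument keyword such as ChrootDirectory as garbage.
    # In-process SFTP server: needs no binaries or libraries inside the jail,
    # unlike the external /usr/lib/ssh/sftp-server registered above.
    ForceCommand internal-sftp
    # The jail root is /home, NOT the user's own home directory. sshd requires
    # the chroot directory and every path component above it to be root-owned
    # and not group/world-writable, which a user-owned /home/<user> fails, so
    # members can list other home directories under /home subject only to
    # filesystem permissions. If that is not acceptable, create a root-owned
    # per-user jail (e.g. ChrootDirectory /home/%u with a user-writable
    # subdirectory inside it).
    # Forwarding is off here only because the global defaults are off; an
    # account that is also in ssh-forward keeps forwarding, since the first
    # matching Match block wins per keyword.
    ChrootDirectory /home
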
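Match User crypto
    # Captive command: whatever the client asked to run is not executed; it is
    # only exposed to the wrapper via $SSH_ORIGINAL_COMMAND. Forwarding for
    # this account follows the global "no" settings unless crypto is also a
    # member of ssh-forward.
    ForceCommand /usr/local/bin/captivecrypto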