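# fossilrepo sshd — restricted config for Fossil SSH access.
#
# Only the "fossil" system user can log in, and every session is forced
# through fossil-shell by the ForceCommand directive below.
#
# This file is read top to bottom by sshd; for most keywords the first
# value seen wins, so keep a single occurrence of each directive.

# Listen on the standard SSH port, on every IPv4 interface.
Port 22
ListenAddress 0.0.0.0

# Host keys (generated on first boot)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Auth: public keys only, never root.
# NOTE(review): UsePAM and keyboard-interactive settings are not set in this
# file, so they stay at the sshd build defaults — confirm that no
# password-style prompt is reachable through keyboard-interactive.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# One shared key file for the whole service (absolute path, not per-user).
# Anyone who can write this file can add a key and log in as "fossil", so
# keep it owned by root or fossil and not writable by group or others.
AuthorizedKeysFile /data/ssh/authorized_keys

# Only allow the fossil user
AllowUsers fossil

# Force all fossil-user connections through the restricted shell.
# ForceCommand takes precedence over both the command requested by the
# client and any command= option in authorized_keys; the client's requested
# command is passed to fossil-shell in SSH_ORIGINAL_COMMAND.
# NOTE(review): if fossil-shell expects per-key arguments from a command=
# entry, sshd will not run that entry while ForceCommand is set — confirm
# how fossil-shell identifies which key owner is connecting.
ForceCommand /usr/local/bin/fossil-shell

# Disable everything except the sync protocol
PermitTunnel no
AllowTcpForwarding no
# Unix-domain socket forwarding is a separate switch from TCP forwarding and
# defaults to enabled, so it has to be turned off explicitly.
AllowStreamLocalForwarding no
X11Forwarding no
AllowAgentForwarding no
GatewayPorts no
PrintMotd no
# NOTE(review): PermitTTY is left at its default (yes). If fossil-shell never
# needs a terminal, "PermitTTY no" would close that surface as well.

# Logging
# All users share the "fossil" account, so the key fingerprint in the auth
# log is the only per-person trace of a login. NOTE(review): some older
# OpenSSH releases record it only at LogLevel VERBOSE — confirm for the
# deployed version.
SyslogFacility AUTH
LogLevel INFO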