backup sshd_config
Recovery sshd config for single-node use. Deliberately permissive so an operator can get back in: DEBUG3 logging, password authentication alongside public-key authentication, a high MaxAuthTries and a long LoginGraceTime, while root login, forwarding and X11 stay disabled. This is a recovery profile, not a hardened one; switch back to the regular sshd_config as soon as access is restored.
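#########################################################
# https://hiddenssh.com                                 #
#                                                       #
# sshd_backup                                           #
# version 1.1                                           #
# Purpose: Temporary recovery sshd configuration        #
#                                                       #
# Switch sshd configuration:                            #
#   1. Syntax-check first (prints nothing on success):  #
#      sudo /usr/sbin/sshd -t -f /etc/ssh/sshd_backup   #
#   2. Port 22 must be free: stop the primary sshd or   #
#      change "Port" below, then start the daemon:      #
#      sudo /usr/sbin/sshd -f /etc/ssh/sshd_backup      #
#   Keep your current session open until a fresh login  #
#   through the recovery daemon has succeeded.          #
# Recommended path/name: /etc/ssh/sshd_backup           #
# Read: https://hiddenssh.com/debug                     #
#                                                       #
# This is a RECOVERY profile, not a hardened profile:   #
# password auth, MaxAuthTries 20 and DEBUG3 logging are #
# permissive on purpose. Revert to the regular          #
# sshd_config as soon as access is restored.            #
#########################################################

# Daemon
# A pid file distinct from the primary sshd's (/var/run/sshd.pid), so
# starting the recovery daemon never clobbers the primary's pid file and
# service management still targets the right process.
PidFile /var/run/sshd_backup.pid

# Networking / Listen
# Listens on every IPv4 and IPv6 address of the host. Because this profile
# permits password authentication, restrict it to a management address
# ("ListenAddress <management-ip>") or firewall port 22 to trusted sources
# while recovery mode is active.
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Host keys
# sshd needs at least one of these to load; a missing file is logged and
# skipped, so the list tolerates hosts that lack e.g. an ECDSA key.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
# "default none" is OpenSSH's own default: rekey after the cipher's default
# data volume, never on a timer. Kept explicit for visibility.
RekeyLimit default none

# Logging
SyslogFacility AUTH
# LogLevel values, least to most verbose: QUIET, FATAL, ERROR, INFO, VERBOSE,
# DEBUG, DEBUG1, DEBUG2, DEBUG3 (DEBUG and DEBUG1 are equivalent).
# DEBUG3 is set on purpose so the exact point where an authentication
# attempt fails is visible.
# CAVEAT: sshd(8) warns that DEBUG-level logging violates user privacy;
# usernames, key fingerprints, offered auth methods and session details end
# up in the auth log. Do not run this level in normal operation, and treat
# the resulting logs as sensitive data.
LogLevel DEBUG3

# Authentication
# Password authentication against the system account database (through
# PAM, see UsePAM) is allowed ONLY in recovery mode, so a lost or
# misplaced key does not lock the operator out. Disabling it here would
# add a point of failure.
PasswordAuthentication yes
# Keyboard-interactive (PAM challenge/response) is off. This keyword is the
# pre-OpenSSH-8.7 name and is still accepted as an alias of
# KbdInteractiveAuthentication.
ChallengeResponseAuthentication no
# Never set this to yes, not even in debug mode: it lets any account whose
# password field is empty log in with no credential at all.
PermitEmptyPasswords no
UsePAM yes

# Login limits
# 10 minutes to finish authenticating is generous on purpose (slow operator,
# prompts). CAVEAT: together with MaxStartups below, an attacker only has to
# hold a few dozen idle connections open for 10 minutes to exhaust the
# unauthenticated-connection slots. The OpenSSH default is 2m.
LoginGraceTime 10m
PermitRootLogin no
# Refuse to use ~/.ssh files whose ownership or permissions are too loose.
StrictModes yes
# 20 attempts per connection (default 6) to survive fat-fingered passwords.
# CAVEAT: with password authentication on and sshd reachable from untrusted
# networks this is a brute-force target. Pair it with a source restriction
# (ListenAddress, firewall, or AllowUsers below) and revert after recovery.
MaxAuthTries 20
MaxSessions 10
# Optional: limit logins to the recovery account(s). Uncomment and fill in.
#AllowUsers <recovery-user>

# MaxStartups start:rate:full
# Caps concurrent unauthenticated connections (those still inside
# LoginGraceTime). Up to "start" (5) are always accepted. Above that, each
# new connection is dropped with probability "rate" percent (10%), rising
# linearly until "full" (30) unauthenticated connections exist, after which
# every new connection is refused. The OpenSSH default is 10:30:100.
MaxStartups 5:10:30

# SFTP through the in-process server: no dependency on the distro-specific
# sftp-server binary path (/usr/lib/openssh on Debian, /usr/libexec/openssh
# on RHEL), so one less thing that can be missing during recovery.
Subsystem sftp internal-sftp
PermitTTY yes

# Forwarding and X11 are not needed for recovery work and only widen the
# attack surface of a password-enabled daemon, so they stay disabled.
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
TCPKeepAlive yes
# Skip reverse DNS lookups: faster logins and no dependency on a resolver.
UseDNS no
PermitUserEnvironment no

# SSH compression
# Fewer features/modules, fewer failure points (sshd_backup specific).
Compression no

# Version info
# The addendum is appended to the server banner that every unauthenticated
# client, including scanners, sees before logging in. It makes it easy to
# confirm the recovery profile is live ("ssh -v" shows the banner), but it
# also advertises that this host is in a weakened state. Set it to "none"
# if the host is reachable from untrusted networks.
VersionAddendum HiddenSSH-Recovery-Mode-Activated
PrintMotd yes
PrintLastLog yes

# Public keys
PubkeyAuthentication yes
# For key login to work, at least one of the files listed below must exist
# in the user's $HOME/.ssh/ and StrictModes must be satisfied:
#   chmod 700 ~/.ssh
#   chmod 600 ~/.ssh/authorized_keys   (644 also works; 600 is the norm)
# The home directory and ~/.ssh must not be group- or world-writable, or
# sshd refuses the keys; the reason appears in the auth log (obvious at
# DEBUG3).
# CAVEAT: the two non-standard names (authorized_backup, authorized_backups)
# are extra places where a key grants login. Make sure key inventories and
# file-integrity monitoring cover them as well.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 .ssh/authorized_backup .ssh/authorized_backups
HostbasedAuthentication no
AuthorizedPrincipalsFile none
AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody
# Only relevant when HostbasedAuthentication is yes (it is not): controls
# whether ~/.ssh/known_hosts is consulted for host-based authentication.
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Drop-in configuration files
# sshd uses the FIRST value it reads for each keyword. An Include at the top
# of this file would let any drop-in (cloud-init, distro packages, previous
# experiments) silently override the recovery settings above, e.g. a
# "PasswordAuthentication no" drop-in would win. Including them last keeps
# whatever extra keywords they add while this file wins on conflicts.
Include /etc/ssh/sshd_config.d/*.conf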