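# Managed by Ansible. Ops admins log in as the operator user (with
# their own ed25519 key in ~/.ssh/authorized_keys); git users are
# all multiplexed under the `git` user via shithubd's AKC subcommand.
#
# NOTE(review): the global section relies on no other login-capable
# accounts existing on the host. Consider AllowUsers/AllowGroups
# limiting logins to operator and git once the account Ansible itself
# connects as is confirmed, so that a stray account with a key cannot
# obtain a shell.

Port 22
# `Protocol 2` is implicit on OpenSSH >= 7.4 (the keyword is accepted
# and ignored there); kept for older hosts.
Protocol 2
PermitRootLogin no

# Public-key only. Every password/interactive path is closed
# explicitly so that a distribution default cannot silently reopen
# one. ChallengeResponseAuthentication is the legacy alias of
# KbdInteractiveAuthentication; both are set for old and new sshd.
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitEmptyPasswords no

# No forwarding of any kind for interactive (operator) sessions.
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no

# Liveness and abuse limits: an unresponsive client is dropped after
# 3 missed keepalives (~180 s); unauthenticated connections have 30 s
# and 3 attempts. MaxStartups starts randomly dropping unauthenticated
# connections at 100 (30% probability) and refuses all at 200.
ClientAliveInterval 60
ClientAliveCountMax 3
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 10
MaxStartups 100:30:200

# Per-user AKC: when a user named `git` connects, shithubd resolves
# the offered key fingerprint to a shithub user via the user_ssh_keys
# table and emits the matching authorized_keys line (including the
# `command=...` prefix that locks the session to git protocol).
# %f is the key fingerprint formatted with the FingerprintHash
# algorithm (sha256 by default); the user_ssh_keys lookup must use
# the same format -- verify against shithubd's ssh-authkeys handler.
Match User git
    # The AKC must be the only key source for `git`: sshd consults
    # AuthorizedKeysFile before AuthorizedKeysCommand, so a stray
    # ~git/.ssh/authorized_keys entry without a command= prefix would
    # bypass the git-protocol lock and grant an unrestricted session.
    AuthorizedKeysFile none
    AuthorizedKeysCommand /usr/local/bin/shithubd ssh-authkeys %f
    AuthorizedKeysCommandUser shithub-ssh
    # No interactive or forwarding capabilities for the shared git user.
    PermitTTY no
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitOpen none
    X11Forwarding no
    PermitTunnel no
    Banner none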