Diffstat (limited to 'sshd_code_user.conf')
| -rw-r--r-- | sshd_code_user.conf | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/sshd_code_user.conf b/sshd_code_user.conf
new file mode 100644
index 0000000..19ef103
--- /dev/null
+++ b/sshd_code_user.conf
@@ -0,0 +1,28 @@
+# SSH configuration for the "code" user
+# This user can only access git repositories and cannot read other system files
+
+# Explicitly deny root login
+PermitRootLogin no
+
+# Deny user environment manipulation globally
+PermitUserEnvironment no
+
+# Only allow the "code" user to login via SSH
+AllowUsers code
+
+Match User code
+ # Only allow public key authentication
+ PubkeyAuthentication yes
+ PasswordAuthentication no
+ PermitEmptyPasswords no
+
+ # Use authorized_keys from a volume mount (outside the repositories directory)
+ AuthorizedKeysFile /etc/ssh/authorized_keys_code
+
+ # Restrict to necessary commands only - harden SSH
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ PermitTunnel no
+ GatewayPorts no
+ PermitTTY yes |
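Review bot: The comment `# Restrict to necessary commands only - harden SSH` and the header claim that the user "can only access git repositories and cannot read other system files" are not enforced by any directive in this hunk: the Match block disables forwarding and tunnels but sets no `ForceCommand` and no `ChrootDirectory`, so what the `code` account can run and read depends entirely on its login shell and filesystem permissions, neither of which this file controls. With `PermitTTY yes` an interactive session is possible if that shell allows one; git transport never needs a TTY, so `PermitTTY no` would match the stated intent, or the block could pin the command with something like `ForceCommand git-shell -c "$SSH_ORIGINAL_COMMAND"` — confirm against how the account's shell and repository layout are provisioned. A comment at `AuthorizedKeysFile /etc/ssh/authorized_keys_code` would also help: under the default `StrictModes yes` sshd silently ignores that file if the mounted copy or a parent directory is group- or world-writable or owned by another user, which is easy to get wrong on a volume mount. Finally, the global-scope lines `PermitRootLogin no` and `PermitUserEnvironment no` only take effect if nothing read earlier in the included configuration already set them, since sshd keeps the first value it obtains; the include order is outside this file.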
