production-openbsd/etc/sshd_config

# /etc/ssh/sshd_config drop-in (or replace upstream) — edge box hardening
# OpenBSD already ships a sane sshd_config; this overrides a few keys.

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
UsePAM no

X11Forwarding no
PermitEmptyPasswords no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
AllowTcpForwarding yes      # WG-tunnel access via SSH for emergencies

LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

# Allow only the user account; root locked
AllowUsers user

# Use only modern crypto
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
feat: production-openbsd v0.1 scaffold Sister to s8n/production-deb. Edge-box config + provision script for running the OpenBSD-edge role per s8n/production-setup-audit Topology 02. v0.1 = stock OpenBSD install ISO (interactive, 5 min) + scripted provision from onyx. Autoinstall ISO build deferred to v0.2. Layout: README.md workflow + service mapping (Debian → OpenBSD) flash.sh burn stock install76.iso to USB etc/ pf / relayd / acme-client / unbound / hostname.wg0.example / sshd_config / doas.conf scripts/ provision.sh from onyx: SSH+git clone+run install.sh install.sh on edge: copy /etc/, validate, restart, cron cert-renew-check.sh weekly LE renewal read-logs.sh pull /var/log/ for offline diagnostics docs/ setup-checklist.md 7-phase first-time install walkthrough Hardware target: Dell Precision T5600 per s8n/production-setup-audit/hardware/dell-t5600.md WG mesh: 10.10.10.0/29 between edge (.1) and nullstone (.2). UDP 51820. Keys generated per-host (NEVER committed to repo). Public traffic flow after migration: Internet → router → edge T5600 (relayd TLS term) → wg0 → nullstone Traefik (10.10.10.2:8443, private only) CVE delta vs single-host Debian: regreSSHion + xz backdoor mitigated; public IP runs OpenBSD base only — no systemd, no glibc, no Docker. 2026-05-08 14:10:29 +01:00			`# /etc/ssh/sshd_config drop-in (or replace upstream) — edge box hardening`
			`# OpenBSD already ships a sane sshd_config; this overrides a few keys.`

			`PermitRootLogin no`
			`PasswordAuthentication no`
			`ChallengeResponseAuthentication no`
			`KbdInteractiveAuthentication no`
			`PubkeyAuthentication yes`
			`UsePAM no`

			`X11Forwarding no`
			`PermitEmptyPasswords no`
			`PermitTunnel no`
			`GatewayPorts no`
			`AllowAgentForwarding no`
			`AllowTcpForwarding yes # WG-tunnel access via SSH for emergencies`

			`LoginGraceTime 30`
			`MaxAuthTries 3`
			`ClientAliveInterval 300`
			`ClientAliveCountMax 2`

			`# Allow only the user account; root locked`
			`AllowUsers user`

			`# Use only modern crypto`
			`KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org`
			`HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com`
			`Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com`
			`MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com`