# /etc/ssh/sshd_config drop-in (or replace upstream) — edge box hardening
# OpenBSD already ships a sane sshd_config; this overrides a few keys.
# Note: sshd keeps the FIRST value it reads for a keyword, so as a drop-in this
# file only overrides upstream settings if it is Included before them; replacing
# sshd_config outright avoids the ordering question. Verify with: sshd -T

PermitRootLogin no
PasswordAuthentication no
# ChallengeResponseAuthentication is the deprecated alias of
# KbdInteractiveAuthentication (OpenSSH 8.7+); both kept for older builds.
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# UsePAM is a portable-OpenSSH option; OpenBSD's own sshd logs it as
# unsupported and ignores it, which is harmless here.
UsePAM no
PermitEmptyPasswords no
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
# WG-tunnel access via SSH for emergencies
AllowTcpForwarding yes

LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

# Allow only the user account; root locked
AllowUsers user

# Use only modern crypto
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com