A baseline SSH configuration that works on every Linux I touch
Key-only authentication, restricted ciphers, allowed users, and ProxyJump-friendly settings. The sshd_config I drop into every new server.
I rebuild SSH configuration often enough that I keep a baseline file ready to paste into /etc/ssh/sshd_config.d/00-baseline.conf on every new host. It’s intentionally minimal — five settings that matter, nothing else. Distribution defaults handle the rest.
The file
# /etc/ssh/sshd_config.d/00-baseline.conf
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowUsers admin
# Modern ciphers only
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Warning
Before you reload sshd, open a second terminal to the host and confirm you can still log in with your key. If the new config rejects you, the open session lets you fix it. Closing the only working terminal first is how you brick a server.
Apply and verify
$ sshd -t # parse-check the config
$ systemctl reload ssh # debian/ubuntu (or sshd on rhel)
$ ss -ltnp | grep :22 # confirm it's still listening
On the client side, your ~/.ssh/config should point at the new host with key auth:
Host example
HostName example.com
User admin
IdentityFile ~/.ssh/id_ed25519
IdentitiesOnly yes
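An added compliance check, not part of the original post: it compares the effective configuration that `sshd -T` prints (the result after every Include and the first-match rule) against the eight baseline directives, so drift caused by another file winning the first-match race is caught before the reload. It assumes POSIX sh and awk; the sample dump inside the block is constructed.

```shell
# Added example (not from the post): compare the effective sshd config
# (`sshd -T`, i.e. after every Include is applied) against the baseline.
# Assumes POSIX sh and awk. Keys are lowercase, as sshd -T prints them.
BASELINE='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
authenticationmethods publickey
allowusers admin
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

# check_effective_config DUMP: DUMP is the text of `sshd -T`. Prints one
# line per deviation; returns the number of deviations (0 = compliant).
check_effective_config() {
    printf '%s\n' "$BASELINE" | awk -v dump="$1" '
        BEGIN {
            bad = 0
            n = split(dump, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] == "") continue
                k = lines[i]; sub(/ .*/, "", k)       # directive name
                v = lines[i]; sub(/^[^ ]* /, "", v)   # its effective value
                eff[k] = v
            }
        }
        {
            key = $1; want = substr($0, length(key) + 2)
            if (!(key in eff))
                { printf "MISSING %s (want %s)\n", key, want; bad++ }
            else if (eff[key] != want)
                { printf "DRIFT   %s: effective=%s want=%s\n", key, eff[key], want; bad++ }
        }
        END { exit bad }'
}

# Constructed sample dump (not real output): password logins drifted back
# on, e.g. because the main sshd_config set it above its Include line.
SAMPLE_DRIFTED='permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
authenticationmethods publickey
allowusers admin
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
port 22'

# On a real host run: check_effective_config "$(sshd -T)"
check_effective_config "$SAMPLE_DRIFTED" || echo "drift in $? directive(s)"
```

Run it as root on the host itself, since `sshd -T` needs to read the host keys; a non-zero return is the number of directives that do not match the baseline.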
Why these specific settings
AllowUsers admin is the under-rated one: even if someone steals a key belonging to any other system user, sshd refuses that user outright, so the stolen key never reaches the authentication step. AuthenticationMethods publickey makes password fallback impossible regardless of what other files set, because sshd honours the first occurrence of a directive and the 00- prefix makes this drop-in win over later ones. The cipher allow-list drops the legacy CBC modes and SHA-1 MACs that auditors flag every year.
That’s it. Five lines of policy plus three cipher allow-lists, applied via sshd_config.d so the distro’s main config stays untouched.