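# CVE-2024-3094 (xz/liblzma backdoor) reproduction sshd_config.
# CRITICAL: the backdoored RSA_public_decrypt hook lives ONLY in the
# publickey / RSA-certificate verification path, so that path MUST be reachable
# pre-auth. PubkeyAuthentication is enabled and no hardening default is set that
# would reject the offered crafted certificate before it is parsed and its CA
# signature is verified. In particular, do NOT add PubkeyAcceptedAlgorithms,
# CASignatureAlgorithms or RequiredRSASize restrictions here without
# re-checking that the crafted certificate still reaches the verification step.
#
# SAFETY: this sshd carries a live pre-auth remote code execution path. Run it
# only on an isolated lab network; never publish port 22 onto a shared host
# interface or the internet.

Port 22
# 0.0.0.0 binds every interface inside the container so the lab harness can
# reach it; exposure is therefore controlled by the container network, not by
# sshd. Use 127.0.0.1 (or a dedicated lab network) if the container is not
# isolated.
ListenAddress 0.0.0.0
AddressFamily inet

# Host keys (generated fresh on each boot by entrypoint.sh).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Keep the pre-auth publickey/certificate path reachable. Password and
# keyboard-interactive auth are off so the only thing a client can exercise is
# the key/certificate parse-and-verify path. No TrustedUserCAKeys or
# AuthorizedKeysFile entry is needed: the crafted certificate only has to reach
# the verification step described above, it does not have to be accepted for
# login.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# sshd runs as root; prohibit-password keeps root's publickey path open so a
# login attempt for root still parses the offered key/certificate (the trigger
# is pre-auth, so the target username does not otherwise matter).
PermitRootLogin prohibit-password

UsePAM yes
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server

# VERBOSE makes sshd log the fingerprint of keys offered in authentication
# attempts, which helps correlate a triggered run with the client side.
# Running in the foreground (-D) and logging to stderr (-e) are sshd
# command-line flags, not sshd_config options; they are expected to be passed
# by the container entrypoint, not set here.
LogLevel VERBOSE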
