author | Pacien TRAN-GIRARD | 2016-11-08 11:58:58 +0100 |
---|---|---|
committer | Pacien TRAN-GIRARD | 2016-11-08 11:58:58 +0100 |
commit | 60db222b4a927b48d32b10115480608609875965 (patch) | |
tree | bb72a46b1ecf33d14b8606f225422b4f2aa8b53e /sshd_config | |
parent | 42c34ed184f8dc225fe3562ced33110a08d12d6c (diff) | |
download | ssh-hardened-60db222b4a927b48d32b10115480608609875965.tar.gz |
Import default configuration
Diffstat (limited to 'sshd_config')
-rw-r--r-- | sshd_config | 152 |
1 files changed, 152 insertions, 0 deletions
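--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,152 @@
+# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
+
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server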
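Review bot: `ChallengeResponseAuthentication` is left at its default of `yes` (file line 81, still commented) while `UsePAM yes` is set on line 111, so PAM keyboard-interactive password prompts remain reachable even though `PasswordAuthentication no` is set on line 77; the imported comment on lines 108–110 itself names `ChallengeResponseAuthentication no` as the companion setting when PAM is only wanted for account and session checks. As this commit is a verbatim import of the vendor default, this is presumably left for a later hardening commit, but that commit should close the password path by uncommenting `ChallengeResponseAuthentication no`. `X11Forwarding yes` (line 116) and the commented default `PermitRootLogin yes` (line 49) are the other two permissive settings in this file that an installation should decide on explicitly rather than inherit.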