Diffstat (limited to 'sshd_config')
-rw-r--r--sshd_config152
1 files changed, 152 insertions, 0 deletions
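diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..a67aa8a
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,152 @@
+# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
+# to maintain compatibility with RFC4419, but should be set higher.
+# Upstream default is identical to setting this to 2048.
+#KexDHMin 1024
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
+# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
+# in this release. The use of 'gssapi' is deprecated due to the presence of
+# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
+#GSSAPIEnableMITMAttack no
+
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server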
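Review bot: `PasswordAuthentication no` (file line 77) does not by itself give key-only login here, because `UsePAM yes` (line 111) is set while `ChallengeResponseAuthentication` is left commented at its shown default of `yes`; the file's own comment at lines 102-110 states that PAM authentication is then still allowed through challenge-response and may bypass `PermitRootLogin without-password`. If key-only access is the intent, add an explicit `ChallengeResponseAuthentication no` next to the password setting. `PermitRootLogin` is likewise left at the commented default `yes`, so an explicit `PermitRootLogin without-password` (or `no`) would make the root-login policy visible and independent of the build's default. `X11Forwarding yes` (line 116) is enabled for every account; consider leaving it off globally and enabling it in a `Match` block only for the users who need it, in the style of the example at the end of the file.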