64 -# HostKeys for protocol version 2 |
68 -# HostKeys for protocol version 2 |
65 -#HostKey /etc/ssh/ssh_host_rsa_key |
69 -#HostKey /etc/ssh/ssh_host_rsa_key |
66 -#HostKey /etc/ssh/ssh_host_dsa_key |
70 -#HostKey /etc/ssh/ssh_host_dsa_key |
67 -#HostKey /etc/ssh/ssh_host_ecdsa_key |
71 -#HostKey /etc/ssh/ssh_host_ecdsa_key |
68 -#HostKey /etc/ssh/ssh_host_ed25519_key |
72 -#HostKey /etc/ssh/ssh_host_ed25519_key |
|
73 - |
|
74 -# Lifetime and size of ephemeral version 1 server key |
|
75 -#KeyRegenerationInterval 1h |
|
76 -#ServerKeyBits 1024 |
|
77 - |
|
78 -# Ciphers and keying |
|
79 -#RekeyLimit default none |
|
80 - |
|
81 -# Logging |
|
82 -# obsoletes QuietMode and FascistLogging |
|
83 -#SyslogFacility AUTH |
|
84 -#LogLevel INFO |
69 +# X11 tunneling options |
85 +# X11 tunneling options |
70 +#X11DisplayOffset 10 |
86 +#X11DisplayOffset 10 |
71 +#X11UseLocalhost yes |
87 +#X11UseLocalhost yes |
72 +X11Forwarding yes |
88 +X11Forwarding yes |
73 |
89 |
74 -# Lifetime and size of ephemeral version 1 server key |
90 -# Authentication: |
75 -#KeyRegenerationInterval 1h |
|
76 -#ServerKeyBits 1024 |
|
77 +# The maximum number of concurrent unauthenticated connections to sshd. |
91 +# The maximum number of concurrent unauthenticated connections to sshd. |
78 +# start:rate:full see sshd(1) for more information. |
92 +# start:rate:full see sshd(1) for more information. |
79 +#MaxStartups 10:30:100 |
93 +#MaxStartups 10:30:100 |
80 |
|
81 -# Ciphers and keying |
|
82 -#RekeyLimit default none |
|
83 +# Banner to be printed before authentication starts. |
|
84 +Banner /etc/issue |
|
85 |
|
86 -# Logging |
|
87 -# obsoletes QuietMode and FascistLogging |
|
88 -#SyslogFacility AUTH |
|
89 -#LogLevel INFO |
|
90 +# Should sshd print the /etc/motd file and check for mail. |
|
91 +# On Solaris it is assumed that the login shell will do these (eg /etc/profile). |
|
92 +PrintMotd no |
|
93 |
|
94 -# Authentication: |
|
95 +# KeepAlive specifies whether keep alive messages are sent to the client. |
|
96 +# See sshd(1) for detailed description of what this means. |
|
97 +# Note that the client may also be sending keep alive messages to the server. |
|
98 +#KeepAlive yes |
|
99 |
94 |
100 -#LoginGraceTime 2m |
95 -#LoginGraceTime 2m |
101 -#PermitRootLogin prohibit-password |
96 -#PermitRootLogin prohibit-password |
102 -#StrictModes yes |
97 -#StrictModes yes |
103 -#MaxAuthTries 6 |
98 -#MaxAuthTries 6 |
104 -#MaxSessions 10 |
99 -#MaxSessions 10 |
|
100 +# Banner to be printed before authentication starts. |
|
101 +Banner /etc/issue |
|
102 |
|
103 -#RSAAuthentication yes |
|
104 -#PubkeyAuthentication yes |
|
105 +# Should sshd print the /etc/motd file and check for mail. |
|
106 +# On Solaris it is assumed that the login shell will do these (eg /etc/profile). |
|
107 +PrintMotd no |
|
108 + |
|
109 +# KeepAlive specifies whether keep alive messages are sent to the client. |
|
110 +# See sshd(1) for detailed description of what this means. |
|
111 +# Note that the client may also be sending keep alive messages to the server. |
|
112 +#KeepAlive yes |
|
113 + |
105 +# Syslog facility and level |
114 +# Syslog facility and level |
106 +#SyslogFacility auth |
115 +#SyslogFacility auth |
107 +#LogLevel info |
116 +#LogLevel info |
108 |
117 + |
109 -#RSAAuthentication yes |
|
110 -#PubkeyAuthentication yes |
|
111 +# |
118 +# |
112 +# Authentication configuration |
119 +# Authentication configuration |
113 +# |
120 +# |
114 |
121 + |
115 -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
|
116 -# but this is overridden so installations will only check .ssh/authorized_keys |
|
117 -AuthorizedKeysFile .ssh/authorized_keys |
|
118 +# Host private key files |
122 +# Host private key files |
119 +# Must be on a local disk and readable only by the root user (root:sys 600). |
123 +# Must be on a local disk and readable only by the root user (root:sys 600). |
120 +HostKey /etc/ssh/ssh_host_rsa_key |
124 +HostKey /etc/ssh/ssh_host_rsa_key |
121 +HostKey /etc/ssh/ssh_host_dsa_key |
125 +HostKey /etc/ssh/ssh_host_dsa_key |
122 |
126 + |
123 -#AuthorizedPrincipalsFile none |
|
124 +# sshd regenerates the key every KeyRegenerationInterval seconds. |
127 +# sshd regenerates the key every KeyRegenerationInterval seconds. |
125 +# The key is never stored anywhere except the memory of sshd. |
128 +# The key is never stored anywhere except the memory of sshd. |
126 +# The default is 1 hour (3600 seconds). |
129 +# The default is 1 hour (3600 seconds). |
127 +#KeyRegenerationInterval 3600 |
130 +#KeyRegenerationInterval 3600 |
128 |
131 |
|
132 -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
|
133 -# but this is overridden so installations will only check .ssh/authorized_keys |
|
134 -AuthorizedKeysFile .ssh/authorized_keys |
|
135 - |
|
136 -#AuthorizedPrincipalsFile none |
|
137 - |
129 -#AuthorizedKeysCommand none |
138 -#AuthorizedKeysCommand none |
130 -#AuthorizedKeysCommandUser nobody |
139 -#AuthorizedKeysCommandUser nobody |
131 +# Ensure secure permissions on users .ssh directory. |
140 - |
132 +#StrictModes yes |
|
133 |
|
134 -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
141 -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
135 -#RhostsRSAAuthentication no |
142 -#RhostsRSAAuthentication no |
136 -# similar for protocol version 2 |
143 -# similar for protocol version 2 |
137 -#HostbasedAuthentication no |
144 -#HostbasedAuthentication no |
138 -# Change to yes if you don't trust ~/.ssh/known_hosts for |
145 -# Change to yes if you don't trust ~/.ssh/known_hosts for |
139 -# RhostsRSAAuthentication and HostbasedAuthentication |
146 -# RhostsRSAAuthentication and HostbasedAuthentication |
140 -#IgnoreUserKnownHosts no |
147 -#IgnoreUserKnownHosts no |
141 -# Don't read the user's ~/.rhosts and ~/.shosts files |
148 -# Don't read the user's ~/.rhosts and ~/.shosts files |
142 -#IgnoreRhosts yes |
149 -#IgnoreRhosts yes |
|
150 +# Ensure secure permissions on users .ssh directory. |
|
151 +#StrictModes yes |
|
152 |
|
153 -# To disable tunneled clear text passwords, change to no here! |
|
154 -#PasswordAuthentication yes |
143 +# Length of time in seconds before a client that hasn't completed |
155 +# Length of time in seconds before a client that hasn't completed |
144 +# authentication is disconnected. |
156 +# authentication is disconnected. |
145 +# Default is 120 seconds. 0 means no time limit. |
157 +# Default is 120 seconds. 0 means no time limit. |
146 +#LoginGraceTime 120 |
158 +#LoginGraceTime 120 |
147 |
159 + |
148 -# To disable tunneled clear text passwords, change to no here! |
|
149 -#PasswordAuthentication yes |
|
150 +# Maximum number of retries for authentication |
160 +# Maximum number of retries for authentication |
151 +# Default is 6. |
161 +# Default is 6. |
152 +#MaxAuthTries 6 |
162 +#MaxAuthTries 6 |
153 + |
163 + |
154 +# Are logins to accounts with empty passwords allowed. |
164 +# Are logins to accounts with empty passwords allowed. |
156 +# to pam_authenticate(3PAM). |
166 +# to pam_authenticate(3PAM). |
157 #PermitEmptyPasswords no |
167 #PermitEmptyPasswords no |
158 |
168 |
159 -# Change to no to disable s/key passwords |
169 -# Change to no to disable s/key passwords |
160 -#ChallengeResponseAuthentication yes |
170 -#ChallengeResponseAuthentication yes |
161 +# To disable tunneled clear text passwords, change PasswordAuthentication to no. |
171 - |
162 +#PasswordAuthentication yes |
|
163 |
|
164 -# Kerberos options |
172 -# Kerberos options |
165 -#KerberosAuthentication no |
173 -#KerberosAuthentication no |
166 -#KerberosOrLocalPasswd yes |
174 -#KerberosOrLocalPasswd yes |
167 -#KerberosTicketCleanup yes |
175 -#KerberosTicketCleanup yes |
168 -#KerberosGetAFSToken no |
176 -#KerberosGetAFSToken no |
169 +# Are root logins permitted using sshd. |
177 - |
170 +# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user |
|
171 +# maybe denied access by a PAM module regardless of this setting. |
|
172 +# Valid options are yes, without-password, no. |
|
173 +PermitRootLogin no |
|
174 |
|
175 -# GSSAPI options |
178 -# GSSAPI options |
176 -#GSSAPIAuthentication no |
179 -#GSSAPIAuthentication no |
177 -#GSSAPICleanupCredentials yes |
180 -#GSSAPICleanupCredentials yes |
178 +# sftp subsystem |
181 - |
179 +Subsystem sftp internal-sftp |
|
180 |
|
181 -# Set this to 'yes' to enable PAM authentication, account processing, |
182 -# Set this to 'yes' to enable PAM authentication, account processing, |
182 -# and session processing. If this is enabled, PAM authentication will |
183 -# and session processing. If this is enabled, PAM authentication will |
183 -# be allowed through the ChallengeResponseAuthentication and |
184 -# be allowed through the ChallengeResponseAuthentication and |
184 -# PasswordAuthentication. Depending on your PAM configuration, |
185 -# PasswordAuthentication. Depending on your PAM configuration, |
185 -# PAM authentication via ChallengeResponseAuthentication may bypass |
186 -# PAM authentication via ChallengeResponseAuthentication may bypass |
186 -# the setting of "PermitRootLogin without-password". |
187 -# the setting of "PermitRootLogin without-password". |
187 -# If you just want the PAM account and session checks to run without |
188 -# If you just want the PAM account and session checks to run without |
188 -# PAM authentication, then enable this but set PasswordAuthentication |
189 -# PAM authentication, then enable this but set PasswordAuthentication |
189 -# and ChallengeResponseAuthentication to 'no'. |
190 -# and ChallengeResponseAuthentication to 'no'. |
190 -#UsePAM no |
191 -#UsePAM no |
191 +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. |
192 +# To disable tunneled clear text passwords, change PasswordAuthentication to no. |
192 +#IgnoreUserKnownHosts yes |
193 +#PasswordAuthentication yes |
193 |
194 |
194 -#AllowAgentForwarding yes |
195 -#AllowAgentForwarding yes |
195 -#AllowTcpForwarding yes |
196 -#AllowTcpForwarding yes |
196 -#GatewayPorts no |
197 -#GatewayPorts no |
197 -#X11Forwarding no |
198 -#X11Forwarding no |