# Package generated configuration file
# See the sshd_config(5) manpage for details

#-----------------------------
# Daemon
#-----------------------------

# What ports, IPs and protocols we listen for
Port 22

# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
#ListenAddress 176.9.117.77

# Specifies the protocol versions sshd(8) supports.
# The possible values are '1', '2' and '1,2'.
# The default is '2'.
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifying the three colon
# separated values.
# The default is 10.
#MaxStartups 10:30:100
#MaxStartups 3
MaxStartups 10:30:100

# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries 3

# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10

#-----------------------------
# Authentication
#-----------------------------

# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
UsePrivilegeSeparation yes

# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120

# Specifies whether root can log in using ssh(1).
# The default is "yes".
#PermitRootLogin yes
#PermitRootLogin without-password
PermitRootLogin no

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is "yes".
StrictModes yes

# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is "yes".
#
# Note:
# Deprecated option RSAAuthentication
#
#RSAAuthentication yes

# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is "yes".
PubkeyAuthentication yes

# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is ".ssh/authorized_keys .ssh/authorized_keys2".
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
#PasswordAuthentication yes
PasswordAuthentication no

# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is "no".
PermitEmptyPasswords no

# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is "yes".
ChallengeResponseAuthentication no

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no

# similar for protocol version 2
HostbasedAuthentication no

# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is "no".
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
#AllowUsers chris cityslang sysadm

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is "no".
#UseLogin no

#-----------------------------
# Logging
#-----------------------------

# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH

# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO

#-----------------------------
# Behavior
#-----------------------------

# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no

# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net

# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is "yes".
PrintMotd no

# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*

# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
Subsystem sftp /usr/lib/openssh/sftp-server

# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is "yes".
UseDNS no

# Specifies whether X11 forwarding is permitted. The argument must be
# "yes" or "no". See sshd_config(5) for further explanation.
# The default is "no".
#X11Forwarding yes

# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10

# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving "ghost" users
# and consuming server resources.
#
# The default is "yes" (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes

# Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is "yes".
PrintLastLog yes

#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes