270 lines
8.7 KiB
Plaintext
270 lines
8.7 KiB
Plaintext
# Package generated configuration file
|
||
# See the sshd_config(5) manpage for details
|
||
|
||
#-----------------------------
|
||
# Daemon
|
||
#-----------------------------
|
||
|
||
# What ports, IPs and protocols we listen for
|
||
Port 22
|
||
|
||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||
#ListenAddress ::
|
||
#ListenAddress 0.0.0.0
|
||
#ListenAddress 176.9.117.77
|
||
|
||
# Specifies the protocol versions sshd(8) supports.
|
||
# The possible values are ‘1’ , `2' and ‘1,2’.
|
||
# The default is ‘2’.
|
||
Protocol 2
|
||
|
||
# HostKeys for protocol version 2
|
||
HostKey /etc/ssh/ssh_host_rsa_key
|
||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||
|
||
# Lifetime and size of ephemeral version 1 server key
|
||
#
|
||
# Note:
|
||
# Deprecated option KeyRegenerationInterval
|
||
# Deprecated option ServerKeyBits
|
||
#
|
||
#KeyRegenerationInterval 3600
|
||
#ServerKeyBits 768
|
||
|
||
# Specifies the maximum number of concurrent unauthenticated connections
|
||
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
|
||
# separated values.
|
||
# The default is 10.
|
||
#MaxStartups 10:30:100
|
||
#MaxStartups 3
|
||
MaxStartups 10:30:100
|
||
|
||
# Specifies the maximum number of authentication attempts permitted per
|
||
# connection.
|
||
# The default is 6.
|
||
MaxAuthTries 3
|
||
|
||
# Specifies the maximum number of open sessions permitted per network
|
||
# connection.
|
||
# The default is 10.
|
||
MaxSessions 10
|
||
|
||
|
||
#-----------------------------
|
||
# Authentication
|
||
#-----------------------------
|
||
|
||
# Specifies whether sshd(8) separates privileges by creating an unprivileged
|
||
# child process to deal with incoming network traffic.
|
||
# The default is "yes" (for security).
|
||
UsePrivilegeSeparation yes
|
||
|
||
# The server disconnects after this time if the user has not
|
||
# successfully logged in.
|
||
# The default is 120 seconds.
|
||
LoginGraceTime 120
|
||
|
||
# Specifies whether root can log in using ssh(1).
|
||
# The default is "yes".
|
||
#PermitRootLogin yes
|
||
PermitRootLogin without-password
|
||
#PermitRootLogin no
|
||
|
||
# Specifies whether sshd(8) should check file modes and ownership of the
|
||
# user's files and home directory before accepting login. This is normally
|
||
# desirable because novices sometimes accidentally leave their directory or
|
||
# files world-writable. Note that this does not apply to ChrootDirectory,
|
||
# whose permissions and ownership are checked unconditionally.
|
||
# The default is “yes”.
|
||
StrictModes yes
|
||
|
||
# Specifies whether pure RSA authentication is allowed. This option
|
||
# applies to protocol version 1 only.
|
||
# The default is “yes”.
|
||
#
|
||
# Note:
|
||
# Deprecated option RSAAuthentication
|
||
#
|
||
#RSAAuthentication yes
|
||
|
||
# Specifies whether public key authentication is allowed. Note that this
|
||
# option applies to protocol version 2 only.
|
||
# The default is “yes”.
|
||
PubkeyAuthentication yes
|
||
|
||
# Specifies the file that contains the public keys that can be used for
|
||
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
|
||
# FORMAT section of sshd(8).
|
||
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
|
||
# during connection setup. The following tokens are defined: %% is replaced
|
||
# by a literal '%', %h is replaced by the home directory of the user being
|
||
# authenticated, and %u is replaced by the username of that user. After
|
||
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
|
||
# to the user's home directory. Multiple files may be listed, separated by
|
||
# whitespace.
|
||
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
|
||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
||
|
||
# Specifies whether password authentication is allowed.
|
||
# Change to no to disable tunnelled clear text passwords
|
||
# The default is "yes".
|
||
#PasswordAuthentication yes
|
||
PasswordAuthentication no
|
||
|
||
# When password authentication is allowed, it specifies whether the
|
||
# server allows login to accounts with empty password strings.
|
||
# The default is “no”.
|
||
PermitEmptyPasswords no
|
||
|
||
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
|
||
# The default is “yes”.
|
||
ChallengeResponseAuthentication no
|
||
|
||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||
IgnoreRhosts yes
|
||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||
#
|
||
# Note:
|
||
# Deprecated option RhostsRSAAuthentication
|
||
#
|
||
#RhostsRSAAuthentication no
|
||
|
||
# similar for protocol version 2
|
||
HostbasedAuthentication no
|
||
|
||
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
|
||
# during RhostsRSAAuthentication or HostbasedAuthentication.
|
||
# The default is “no”.
|
||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||
#IgnoreUserKnownHosts yes
|
||
|
||
# If specified, login is allowed only for user names that match one of
|
||
# the patterns.
|
||
# The allow/deny directives are processed in the following order: DenyUsers,
|
||
# AllowUsers, DenyGroups, and finally AllowGroups.
|
||
# By default, login is allowed for all users.
|
||
#AllowUsers chris cityslang sysadm
|
||
|
||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||
# and session processing. If this is enabled, PAM authentication will
|
||
# be allowed through the ChallengeResponseAuthentication and
|
||
# PasswordAuthentication. Depending on your PAM configuration,
|
||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||
# the setting of "PermitRootLogin without-password".
|
||
# If you just want the PAM account and session checks to run without
|
||
# PAM authentication, then enable this but set PasswordAuthentication
|
||
# and ChallengeResponseAuthentication to 'no'.
|
||
UsePAM yes
|
||
|
||
# Specifies whether login(1) is used for interactive login sessions.
|
||
# Note that login(1) is never used for remote command execution.
|
||
# Note also, that if this is enabled, X11Forwarding will be disabled
|
||
# because login(1) does not know how to handle xauth(1) cookies. If
|
||
# UsePrivilegeSeparation is specified, it will be disabled after
|
||
# authentication.
|
||
# The default is “no”.
|
||
#UseLogin no
|
||
|
||
|
||
#-----------------------------
|
||
# Logging
|
||
#-----------------------------
|
||
|
||
# Gives the facility code that is used when logging messages from sshd(8).
|
||
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||
# The default is AUTH.
|
||
SyslogFacility AUTH
|
||
|
||
# Gives the verbosity level that is used when logging messages from
|
||
# sshd(8).
|
||
# The default is INFO.
|
||
LogLevel INFO
|
||
|
||
|
||
#-----------------------------
|
||
# Behavior
|
||
#-----------------------------
|
||
|
||
# Specifies whether the distribution-specified extra version suffix is included
|
||
# during initial protocol handshake.
|
||
# The default is "yes".
|
||
DebianBanner no
|
||
|
||
# The contents of the specified file are sent to the remote user before
|
||
# authentication is allowed.
|
||
# By default, no banner is displayed.
|
||
#Banner /etc/issue.net
|
||
|
||
# Specifies whether sshd(8) should print /etc/motd when a user logs in
|
||
# interactively. (On some systems it is also printed by the shell,
|
||
# /etc/profile, or equivalent.)
|
||
# The default is “yes”.
|
||
PrintMotd no
|
||
|
||
# Specifies what environment variables sent by the client will be copied
|
||
# into the session's environ(7).
|
||
# The default is not to accept any environment variables.
|
||
AcceptEnv LANG LC_*
|
||
|
||
# Configures an external subsystem (e.g. file transfer daemon).
|
||
# By default no subsystems are defined.
|
||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||
|
||
# Specifies whether sshd(8) should look up the remote host name and check
|
||
# that the resolved host name for the remote IP address maps back to the
|
||
# very same IP address.
|
||
# The default is “yes”.
|
||
UseDNS no
|
||
|
||
# Specifies whether X11 forwarding is permitted. The argument must be
|
||
# “yes” or “no”. See sshd_config(5) for further expalnation
|
||
# The default is “no”.
|
||
#X11Forwarding yes
|
||
|
||
# Specifies the first display number available for sshd(8)'s X11
|
||
# forwarding. This prevents sshd from interfering with real X11 servers.
|
||
# The default is 10.
|
||
X11DisplayOffset 10
|
||
|
||
# Specifies whether the system should send TCP keepalive messages to the
|
||
# other side. If they are sent, death of the connection or crash of one
|
||
# of the machines will be properly noticed. However, this means
|
||
# that connections will die if the route is down temporarily, and some
|
||
# people find it annoying. On the other hand, if TCP keepalives are not
|
||
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
|
||
# and consuming server resources.
|
||
#
|
||
# The default is “yes” (to send TCP keepalive messages), and the server
|
||
# will notice if the network goes down or the client host crashes. This
|
||
# avoids infinitely hanging sessions.
|
||
TCPKeepAlive yes
|
||
|
||
#Specifies whether sshd(8) should print the date and time of the last
|
||
# user login when a user logs in interactively.
|
||
# The default is “yes”.
|
||
PrintLastLog yes
|
||
|
||
|
||
#-----------------------------
|
||
# Kerberos options
|
||
#-----------------------------
|
||
#KerberosAuthentication no
|
||
#KerberosGetAFSToken no
|
||
#KerberosOrLocalPasswd yes
|
||
#KerberosTicketCleanup yes
|
||
|
||
|
||
#-----------------------------
|
||
# GSSAPI options
|
||
#-----------------------------
|
||
|
||
#GSSAPIAuthentication no
|
||
#GSSAPICleanupCredentials yes
|
||
|
||
|
||
|
||
|
||
|