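############################################################
# /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $
#
# sshd compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/OBSDssh/bin
#
# Changes:
# Sean Boran 27.Sep.01: improve readability, tuning.
# 13.Mar.01/sb: Defaults set for v3.1p1, use protocol 2.
############################################################
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
#
# Format: exactly one "Keyword value" directive per line. sshd parses
# the file line by line, so directives must never share a line.
# Keyword names follow the OpenSSH 3.1p1 vocabulary this file was
# written for (e.g. KeepAlive, ReverseMappingCheck); check sshd(8) of
# the installed version before adding directives.

Port 22
PidFile /var/run/sshd.pid

## Try to use v2 protocol, otherwise fall back to v1
## - for a pure v2 environment, set Protocol=2
# With Protocol 2 only, the protocol-1 directives below
# (KeyRegenerationInterval, ServerKeyBits, RSAAuthentication,
# RhostsRSAAuthentication) are inert and kept only for reference.
#Protocol 2,1
Protocol 2

## Multiple interfaces?
# Default is to listen on all addresses; list explicit addresses
# to expose sshd on selected interfaces only.
#ListenAddress 0.0.0.0
#ListenAddress ::

## Private keys that identify this host
## v1:
HostKey /etc/ssh/ssh_host_key
## v2:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime (seconds) and size (bits) of ephemeral version 1 server key
# (protocol 1 only; unused while Protocol is 2)
KeyRegenerationInterval 3600
ServerKeyBits 768

# Send TCP keepalives so dead connections are noticed and cleaned up
KeepAlive yes

# Limit of concurrent unauthenticated connections: start:rate:full
# (random early drop above "start", all refused above "full");
# uncomment to limit connection-flood exposure.
#MaxStartups 10:30:60

# Reverse-DNS consistency check of the client address
#ReverseMappingCheck yes
#VerifyReverseMapping no

# X11 forwarding exposes the server-side X display to clients;
# disable if no graphical sessions are expected on this host.
X11Forwarding yes
X11DisplayOffset 10
#XAuthLocation

# Check permissions of important files/dirs:
# (refuses logins when home, .ssh or key files are group/world writable)
StrictModes yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#LogLevel VERBOSE
#QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG.

## Login banners
# Avoid double banner:
PrintMotd no
CheckMail no
#CheckMail yes
#PrintLastLog no
#Banner /etc/issue.net

########## Authentication & Trusts ########

########## Trust ########
# .rhosts, .shosts ignored?
# /etc/hosts.equiv and /etc/shosts.equiv are still used
# NOTE(review): with HostbasedAuthentication yes (below), "no" here
# also honours per-user ~/.rhosts and ~/.shosts, so any user can extend
# host trust for their own account. Set to yes to trust only the
# system-wide files.
IgnoreRhosts no
#IgnoreRootRhosts

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# (yes = only /etc/ssh/ssh_known_hosts is consulted for host-based trust)
IgnoreUserKnownHosts yes

### Authentication #####
#UseLogin no

# Allow 3 minutes for login:
LoginGraceTime 180

# Allow login with UNIX password?
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

# Specifies whether root can login using ssh
# yes, no, without-password (rsa or hostbased Auth only)
# , forced-commands-only (rsa/dsa only with command option)
# NOTE(review): together with PasswordAuthentication yes this allows
# password logins as root; "without-password" (commented below) limits
# root to key/host-based authentication. Confirm this is intended.
#PermitRootLogin without-password
PermitRootLogin yes

# authentication using rhosts or /etc/hosts.equiv
# rhosts authentication should not be used
RhostsAuthentication no

# authentication using rhosts + RSA host auth
# The host must be known (ssh_known_hosts) and be in .[sr]hosts
RhostsRSAAuthentication no

# similar for protocol version 2
# (trust is anchored in the host keys listed in ssh_known_hosts and the
# hosts.equiv/shosts.equiv files; see the IgnoreRhosts note above)
HostbasedAuthentication yes

# v2: Should server use a lookup or name provided in connection?
#HostbasedUsesNameFromPacketOnly yes

# Allow login with pure RSA public/private keys?
# (will circumvent UNIX login)
# Disable this if you only use passwords to login in
# v1:
RSAAuthentication no
# similar for v2
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

## Kerberos authentication
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing yes
# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication no
#AccountExpireWarningDays
#PasswordExpireWarningDays
#ForcedEmptyPasswdChange no
#ForcedPasswdChange yes

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

## SFTP server subsystem
Subsystem sftp /opt/OBSDssh/libexec/sftp-server

######## Access control #######
# This SSH has been compiled with tcpwrappers see /etc/hosts.allow
# and /etc/hosts.deny for the equivalent of AllowHosts/ DenyHosts.

# Restrict user groups
#AllowGroups
#DenyGroups

# Restrict users
# (an AllowUsers list is a stronger control than DenyUsers: anything
# not listed is refused, instead of only the named accounts)
#AllowUsers
#AllowUsers root
#DenyUsers jim bill@host1
DenyUsers daemon bin sys lp uucp nuucp listen nobody noaccess nobody4 webproxy dns named

# Specifies whether remote hosts are allowed to connect to ports
# forwarded for the client. By default, sshd binds remote port
# forwardings to the loopback address. This prevents other remote
# hosts from connecting to forwarded ports.
#GatewayPorts no

## Only allow portforwarding if you really need it:
#AllowTcpForwarding no
AllowTcpForwarding yes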