- # diff /tmp/sshd_config.bak /etc/ssh/sshd_config
- 1,2c1,2
- < # Package generated configuration file
- < # See the sshd_config(5) manpage for details
- ---
- > # This file is being maintained by Puppet.
- > # DO NOT EDIT
- 4c4,16
- < # What ports, IPs and protocols we listen for
- ---
- > # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
- >
- > # This is the sshd server system-wide configuration file. See
- > # sshd_config(5) for more information.
- >
- > # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
- >
- > # The strategy used for options in the default sshd_config shipped with
- > # OpenSSH is to specify options with their default value where
- > # possible, but leave them commented. Uncommented options change a
- > # default value.
- >
- > #Port 22
- 6,8c18
- < # Use these options to restrict which interfaces/protocols sshd will bind to
- < #ListenAddress ::
- < #ListenAddress 0.0.0.0
- ---
- > #Protocol 2,1
- 9a20,24
- > #AddressFamily any
- > AddressFamily any
- >
- > # HostKey for protocol version 1
- > #HostKey /etc/ssh/ssh_host_key
- 10a26,27
- > #HostKey /etc/ssh/ssh_host_rsa_key
- > #HostKey /etc/ssh/ssh_host_dsa_key
- 15,16d31
- < #Privilege Separation is turned on for security
- < UsePrivilegeSeparation yes
- 19c34,35
- < KeyRegenerationInterval 3600
- ---
- > #KeyRegenerationInterval 1h
- > #ServerKeyBits 1024
- 21d36
- <
- 22a38,39
- > # obsoletes QuietMode and FascistLogging
- > #SyslogFacility AUTH
- 23a41
- > #LogLevel INFO
- 26a45,46
- >
- > #LoginGraceTime 120
- 28c48,50
- < PermitRootLogin prohibit-password
- ---
- > #PermitRootLogin yes
- > PermitRootLogin no
- > #StrictModes yes
- 29a52
- > #MaxAuthTries 6
- 31c54,55
- < RSAAuthentication yes
- ---
- > #RSAAuthentication yes
- > #PubkeyAuthentication yes
- 33c57
- < #AuthorizedKeysFile %h/.ssh/authorized_keys
- ---
- > #AuthorizedKeysFile .ssh/authorized_keys
- 35,38c59,60
- < # Don't read the user's ~/.rhosts and ~/.shosts files
- < IgnoreRhosts yes
- < # For this to work you will also need host keys in /etc/ssh_known_hosts
- < RhostsRSAAuthentication no
- ---
- > # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
- > #RhostsRSAAuthentication no
- 39a62
- > #HostbasedAuthentication no
- 41,49c64,70
- < # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
- < #IgnoreUserKnownHosts yes
- <
- < # To enable empty passwords, change to yes (NOT RECOMMENDED)
- < PermitEmptyPasswords no
- <
- < # Change to yes to enable challenge-response passwords (beware issues with
- < # some PAM modules and threads)
- < ChallengeResponseAuthentication no
- ---
- > # Change to yes if you don't trust ~/.ssh/known_hosts for
- > # RhostsRSAAuthentication and HostbasedAuthentication
- > #IgnoreUserKnownHosts no
- > IgnoreUserKnownHosts no
- > # Don't read the user's ~/.rhosts and ~/.shosts files
- > #IgnoreRhosts yes
- > IgnoreRhosts yes
- 51,52c72,79
- < # Change to no to disable tunnelled clear text passwords
- < PasswordAuthentication no
- ---
- > # To disable tunneled clear text passwords, change to no here!
- > #PasswordAuthentication yes
- > PasswordAuthentication yes
- > #PermitEmptyPasswords no
- >
- > # Change to no to disable s/key passwords
- > #ChallengeResponseAuthentication yes
- > ChallengeResponseAuthentication yes
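Review bot: `PasswordAuthentication yes` and `ChallengeResponseAuthentication yes` re-enable password logins on a host whose previous config had both set to `no`, so the Puppet-managed file drops the key-only policy and exposes the daemon to password guessing. With `UsePAM yes` set in the 62a90,101 hunk, keyboard-interactive authentication is handed to PAM, which the template's own comment says may bypass the PasswordAuthentication setting, so both lines matter. If key-only access is still the intent, the template should carry `PasswordAuthentication no` and `ChallengeResponseAuthentication no`. `PermitEmptyPasswords no`, which the 41,49c64,70 hunk removes, is worth keeping explicit rather than relying on the default.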
- 55,56d81
- < #KerberosAuthentication no
- < #KerberosGetAFSToken no
- 58a84
- > #KerberosGetAFSToken no
- 61a88
- > GSSAPIAuthentication yes
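Review bot: `GSSAPIAuthentication yes` turns on an extra authentication method that nothing else in this diff shows a need for; the Kerberos options around it stay commented out. If the host is not joined to a Kerberos realm, `GSSAPIAuthentication no` keeps the pre-authentication surface smaller and avoids the negotiation delay some clients see. If it is needed, a one-line comment above it naming the service that depends on it would help the next reader.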
- 62a90,101
- > GSSAPICleanupCredentials yes
- >
- > # Set this to 'yes' to enable PAM authentication, account processing,
- > # and session processing. If this is enabled, PAM authentication will
- > # be allowed through the ChallengeResponseAuthentication mechanism.
- > # Depending on your PAM configuration, this may bypass the setting of
- > # PasswordAuthentication, PermitEmptyPasswords, and
- > # "PermitRootLogin without-password". If you just want the PAM account and
- > # session checks to run without PAM authentication, then enable this but set
- > # ChallengeResponseAuthentication=no
- > #UsePAM no
- > UsePAM yes
- 63a103,110
- > # Accept locale-related environment variables
- > AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- > AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- > AcceptEnv LC_IDENTIFICATION LC_ALL
- > #AllowTcpForwarding yes
- > AllowTcpForwarding yes
- > #GatewayPorts no
- > #X11Forwarding no
- 65,67c112,117
- < X11DisplayOffset 10
- < PrintMotd no
- < PrintLastLog yes
- ---
- > #X11DisplayOffset 10
- > #X11UseLocalhost yes
- > #PrintMotd yes
- > PrintMotd yes
- > #PrintLastLog yes
- > #TCPKeepAlive yes
- 69a120,138
- > #UsePrivilegeSeparation yes
- > #PermitUserEnvironment no
- > #Compression delayed
- > #ClientAliveInterval 0
- > ClientAliveInterval 0
- > ClientAliveCountMax 3
- > #ShowPatchLevel no
- > #UseDNS yes
- > UseDNS yes
- > #PidFile /var/run/sshd.pid
- > #MaxStartups 10:30:100
- > #MaxSessions 10
- >
- > #PermitTunnel no
- > #ChrootDirectory none
- >
- > # no default banner path
- > #Banner none
- > Banner none
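Review bot: `UseDNS yes` makes sshd do a reverse lookup of every connecting client, which adds login latency when DNS is slow and is only needed if `from=` patterns or `Match Host` rules use hostnames; `UseDNS no` is the usual choice otherwise. `ClientAliveInterval 0` disables the server-side liveness check, so the `ClientAliveCountMax 3` line below it has no effect and sshd never drops unresponsive sessions; set an interval such as `ClientAliveInterval 300` if that cleanup is wanted. `#ShowPatchLevel no` looks like a vendor-patched option and, together with the 2005 OpenBSD header in the 4c4,16 hunk, suggests the template came from a different distribution than the file it replaces, so it is worth validating against the installed OpenSSH with `sshd -t`.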
- 71,76c140
- < #MaxStartups 10:30:60
- < #Banner /etc/issue.net
- <
- < # Allow client to pass locale environment variables
- < AcceptEnv LANG LC_*
- <
- ---
- > # override default of no subsystems
- 79,88d142
- < # Set this to 'yes' to enable PAM authentication, account processing,
- < # and session processing. If this is enabled, PAM authentication will
- < # be allowed through the ChallengeResponseAuthentication and
- < # PasswordAuthentication. Depending on your PAM configuration,
- < # PAM authentication via ChallengeResponseAuthentication may bypass
- < # the setting of "PermitRootLogin without-password".
- < # If you just want the PAM account and session checks to run without
- < # PAM authentication, then enable this but set PasswordAuthentication
- < # and ChallengeResponseAuthentication to 'no'.
- < UsePAM yes