sshd_config

1. # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
2.  
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
5.  
6. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
7.  
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options override the
11. # default value.
12.  
13. # If you want to change the port on a SELinux system, you have to tell
14. # SELinux about this change.
15. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
16.  
17. # Ich habe den Port 22 zu 99 Geändert, zur sicherheit
18. Port 99
19.  
20. #AddressFamily any
21. #ListenAddress 0.0.0.0
22. #ListenAddress ::
23.  
24. # The default requires explicit activation of protocol 1
25. #Protocol 2
26.  
27. # HostKey for protocol version 1
28. #HostKey /etc/ssh/ssh_host_key
29. # HostKeys for protocol version 2
30. HostKey /etc/ssh/ssh_host_rsa_key
31. #HostKey /etc/ssh/ssh_host_dsa_key
32. HostKey /etc/ssh/ssh_host_ecdsa_key
33. HostKey /etc/ssh/ssh_host_ed25519_key
34.  
35. # Lifetime and size of ephemeral version 1 server key
36. #KeyRegenerationInterval 1h
37. #ServerKeyBits 1024
38.  
39. # Ciphers and keying
40. #RekeyLimit default none
41.  
42. # Logging
43. # obsoletes QuietMode and FascistLogging
44. #SyslogFacility AUTH
45. SyslogFacility AUTHPRIV
46. #LogLevel INFO
47.  
48. # Authentication:
49.  
50. #LoginGraceTime 2m
51. #PermitRootLogin yes
52. #StrictModes yes
53. #MaxAuthTries 6
54. #MaxSessions 10
55.  
56. #RSAAuthentication yes
57. #PubkeyAuthentication yes
58.  
59. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
60. # but this is overridden so installations will only check .ssh/authorized_keys
61. AuthorizedKeysFile .ssh/authorized_keys
62.  
63. #AuthorizedPrincipalsFile none
64.  
65. #AuthorizedKeysCommand none
66. #AuthorizedKeysCommandUser nobody
67.  
68. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
69. #RhostsRSAAuthentication no
70. # similar for protocol version 2
71. #HostbasedAuthentication no
72. # Change to yes if you don't trust ~/.ssh/known_hosts for
73. # RhostsRSAAuthentication and HostbasedAuthentication
74. #IgnoreUserKnownHosts no
75. # Don't read the user's ~/.rhosts and ~/.shosts files
76. #IgnoreRhosts yes
77.  
78. # To disable tunneled clear text passwords, change to no here!
79. #PasswordAuthentication yes
80. #PermitEmptyPasswords no
81. PasswordAuthentication yes
82.  
83. # Change to no to disable s/key passwords
84. #ChallengeResponseAuthentication yes
85. ChallengeResponseAuthentication no
86.  
87. # Kerberos options
88. #KerberosAuthentication no
89. #KerberosOrLocalPasswd yes
90. #KerberosTicketCleanup yes
91. #KerberosGetAFSToken no
92. #KerberosUseKuserok yes
93.  
94. # GSSAPI options
95. GSSAPIAuthentication yes
96. GSSAPICleanupCredentials no
97. #GSSAPIStrictAcceptorCheck yes
98. #GSSAPIKeyExchange no
99. #GSSAPIEnablek5users no
100.  
101. # Set this to 'yes' to enable PAM authentication, account processing,
102. # and session processing. If this is enabled, PAM authentication will
103. # be allowed through the ChallengeResponseAuthentication and
104. # PasswordAuthentication. Depending on your PAM configuration,
105. # PAM authentication via ChallengeResponseAuthentication may bypass
106. # the setting of "PermitRootLogin without-password".
107. # If you just want the PAM account and session checks to run without
108. # PAM authentication, then enable this but set PasswordAuthentication
109. # and ChallengeResponseAuthentication to 'no'.
110. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
111. # problems.
112. UsePAM yes
113.  
114. #AllowAgentForwarding yes
115. #AllowTcpForwarding yes
116. #GatewayPorts no
117. X11Forwarding yes
118. #X11DisplayOffset 10
119. #X11UseLocalhost yes
120. #PermitTTY yes
121. PrintMotd yes
122. #PrintLastLog yes
123. #TCPKeepAlive yes
124. #UseLogin no
125. UsePrivilegeSeparation sandbox # Default for new installations.
126. #PermitUserEnvironment no
127. #Compression delayed
128. #ClientAliveInterval 0
129. #ClientAliveCountMax 3
130. #ShowPatchLevel no
131. #UseDNS yes
132. #PidFile /var/run/sshd.pid
133. #MaxStartups 10:30:100
134. #PermitTunnel no
135. #ChrootDirectory none
136. #VersionAddendum none
137.  
138. # no default banner path
139. #Banner none
140.  
141. # Accept locale-related environment variables
142. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
143. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
144. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
145. AcceptEnv XMODIFIERS
146.  
147. # override default of no subsystems
148. Subsystem sftp /usr/libexec/openssh/sftp-server
149. IgnoreRhosts yes
150. IgnoreUserKnownHosts no
151. PrintMotd no
152. StrictModes yes
153. PubkeyAuthentication yes
154. RSAAuthentication yes
155. PermitRootLogin yes
156. PermitEmptyPasswords no
157.  
158. # Example of overriding settings on a per-user basis
159. #Match User anoncvs
160. # X11Forwarding no
161. # AllowTcpForwarding no
162. # PermitTTY no
163. # ForceCommand cvs server