1. # Package generated configuration file
  2. # See the sshd_config(5) manpage for details
  3.  
  4. # What ports, IPs and protocols we listen for
  5. Port 22
  6. # Use these options to restrict which interfaces/protocols sshd will bind to
  7. #ListenAddress ::
  8. #ListenAddress 0.0.0.0
  9. Protocol 2
  10. # HostKeys for protocol version 2
  11. HostKey /etc/ssh/ssh_host_rsa_key
  12. HostKey /etc/ssh/ssh_host_dsa_key
  13. #HostKey /etc/ssh/ssh_host_ecdsa_key
  14. #Privilege Separation is turned on for security
  15. UsePrivilegeSeparation yes
  16.  
  17. # Lifetime and size of ephemeral version 1 server key
  18. #KeyRegenerationInterval 3600
  19. ServerKeyBits 768
  20.  
  21. # Logging
  22. SyslogFacility AUTH
  23. LogLevel VERBOSE
  24.  
  25. # Authentication:
  26. LoginGraceTime 120
  27. PermitRootLogin yes
  28. StrictModes yes
  29.  
  30. RSAAuthentication yes
  31. PubkeyAuthentication yes
  32. AuthorizedKeysFile %h/.ssh/authorized_keys
  33.  
  34. # Don't read the user's ~/.rhosts and ~/.shosts files
  35. IgnoreRhosts yes
  36. # For this to work you will also need host keys in /etc/ssh_known_hosts
  37. RhostsRSAAuthentication no
  38. # similar for protocol version 2
  39. HostbasedAuthentication no
  40. # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
  41. #IgnoreUserKnownHosts yes
  42.  
  43. # To enable empty passwords, change to yes (NOT RECOMMENDED)
  44. PermitEmptyPasswords yes
  45.  
  46.  
  47. # Change to yes to enable challenge-response passwords (beware issues with
  48. # some PAM modules and threads)
  49. ChallengeResponseAuthentication no
  50.  
  51. # Change to no to disable tunnelled clear text passwords
  52. PasswordAuthentication yes
  53. Match User auditor
  54. PasswordAuthentication no
  55.  
  56. # Kerberos options
  57. #KerberosAuthentication no
  58. #KerberosGetAFSToken no
  59. #KerberosOrLocalPasswd yes
  60. #KerberosTicketCleanup yes
  61.  
  62. # GSSAPI options
  63. #GSSAPIAuthentication no
  64. #GSSAPICleanupCredentials yes
  65.  
  66. X11Forwarding yes
  67. X11DisplayOffset 10
  68. PrintMotd no
  69. PrintLastLog yes
  70. TCPKeepAlive yes
  71. UseLogin yes
  72.  
  73. #MaxStartups 10:30:60
  74. #Banner /etc/issue.net
  75.  
  76. # Allow client to pass locale environment variables
  77. AcceptEnv LANG LC_*
  78.  
  79. Subsystem sftp /usr/lib/openssh/sftp-server
  80.  
  81. # Set this to 'yes' to enable PAM authentication, account processing,
  82. # and session processing. If this is enabled, PAM authentication will
  83. # be allowed through the ChallengeResponseAuthentication and
  84. # PasswordAuthentication. Depending on your PAM configuration,
  85. # PAM authentication via ChallengeResponseAuthentication may bypass
  86. # the setting of "PermitRootLogin without-password".
  87. # If you just want the PAM account and session checks to run without
  88. # PAM authentication, then enable this but set PasswordAuthentication
  89. # and ChallengeResponseAuthentication to 'no'.
  90. UsePAM yes
  91. UseDNS no