
sshd_config

a guest
Jul 25th, 2017
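  # /etc/ssh/sshd_config
  #
  # OpenSSH server (sshd) configuration. Comments are full lines starting
  # with '#'. A commented-out directive shows an available option and leaves
  # sshd on its built-in default for that option.
  # After editing, validate the file with `sshd -t` before reloading the
  # service, and keep an existing session open until a new login has been
  # confirmed to work.

  # Package generated configuration file
  # See the sshd_config(5) manpage for details

  # What ports, IPs and protocols we listen for
  Port 22
  # Use these options to restrict which interfaces/protocols sshd will bind to.
  # With both lines commented out, sshd listens on all local addresses; set
  # ListenAddress if the service should only be reachable on one interface.
  #ListenAddress ::
  #ListenAddress 0.0.0.0
  # Only protocol version 2 is offered.
  Protocol 2
  # HostKeys for protocol version 2
  HostKey /etc/ssh/ssh_host_rsa_key
  # The DSA host key is no longer offered: OpenSSH DSA keys are fixed at
  # 1024 bits, and OpenSSH 7.0 and later disable ssh-dss by default.
  #HostKey /etc/ssh/ssh_host_dsa_key
  HostKey /etc/ssh/ssh_host_ecdsa_key
  HostKey /etc/ssh/ssh_host_ed25519_key
  # Privilege Separation is turned on for security
  UsePrivilegeSeparation yes

  # Lifetime and size of ephemeral version 1 server key.
  # Both settings apply to protocol version 1 only, which `Protocol 2` above
  # does not offer. OpenSSH releases without protocol 1 support report them
  # as deprecated.
  KeyRegenerationInterval 3600
  ServerKeyBits 1024

  # Logging
  # Authentication events are sent to the syslog AUTH facility.
  SyslogFacility AUTH
  LogLevel INFO

  # Authentication:
  # Seconds an unauthenticated connection may stay open before it is dropped.
  LoginGraceTime 120
  # Root may log in with a public key, but password and keyboard-interactive
  # authentication are refused for root. Do not set this to `yes` while
  # PasswordAuthentication is enabled (it is by default, see below), because
  # that exposes the root account to online password guessing.
  # Make sure root has an authorized key installed, or that an unprivileged
  # admin account exists, before this setting takes effect.
  PermitRootLogin prohibit-password
  # Refuse logins when the user's files or home directory have unsafe
  # ownership or modes.
  StrictModes yes

  # RSAAuthentication is the protocol 1 form of public-key login;
  # PubkeyAuthentication is the setting that protocol 2 uses.
  RSAAuthentication yes
  PubkeyAuthentication yes
  #AuthorizedKeysFile     %h/.ssh/authorized_keys

  # Don't read the user's ~/.rhosts and ~/.shosts files
  IgnoreRhosts yes

  # For this to work you will also need host keys in /etc/ssh_known_hosts
  RhostsRSAAuthentication no
  # similar for protocol version 2
  HostbasedAuthentication no
  # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
  #IgnoreUserKnownHosts yes

  # To enable empty passwords, change to yes (NOT RECOMMENDED)
  PermitEmptyPasswords no

  # Change to yes to enable challenge-response passwords (beware issues with
  # some PAM modules and threads)
  ChallengeResponseAuthentication no

  # Change to no to disable tunnelled clear text passwords.
  # The line is commented out, so the default (yes) applies and every account
  # that has a password accepts password logins over the network. Once all
  # users have keys installed, set `PasswordAuthentication no`.
  #PasswordAuthentication yes

  # Kerberos options
  #KerberosAuthentication no
  #KerberosGetAFSToken no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes

  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes

  # X11 forwarding is enabled. Set it to no on hosts where nobody runs
  # graphical programs over SSH.
  X11Forwarding yes
  X11DisplayOffset 10
  PrintMotd no
  PrintLastLog yes
  TCPKeepAlive yes
  #UseLogin no

  # MaxStartups throttles concurrent unauthenticated connections; commented
  # out, so the built-in default applies.
  #MaxStartups 10:30:60
  #Banner /etc/issue.net

  # Allow client to pass locale environment variables
  AcceptEnv LANG LC_*

  Subsystem sftp /usr/lib/openssh/sftp-server

  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication.  Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # ("without-password" is the older name for "prohibit-password". This file
  # sets ChallengeResponseAuthentication to no, so that path is closed here.)
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  UsePAM yes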