Port 22#AddressFamily any#ListenAddress 0.0.0.0#ListenAddress ::# Disa

1. Port 22
2. #AddressFamily any
3. #ListenAddress 0.0.0.0
4. #ListenAddress ::
5.  
6. # Disable legacy (protocol version 1) support in the server for new
7. # installations. In future the default will change to require explicit
8. # activation of protocol 1
9. Protocol 2
10.  
11. # HostKey for protocol version 1
12. #HostKey /etc/ssh/ssh_host_key
13. # HostKeys for protocol version 2
14. HostKey /etc/ssh/ssh_host_rsa_key
15. HostKey /etc/ssh/ssh_host_dsa_key
16.  
17. # Lifetime and size of ephemeral version 1 server key
18. KeyRegenerationInterval 1h
19. ServerKeyBits 1024
20.  
21. # Logging
22. # obsoletes QuietMode and FascistLogging
23. SyslogFacility AUTH
24. LogLevel INFO
25.  
26. # Authentication:
27.  
28. LoginGraceTime 1m
29. PermitRootLogin no
30. StrictModes yes
31. MaxAuthTries 2
32. MaxSessions 1
33.  
34. RSAAuthentication yes
35. PubkeyAuthentication yes
36. #AuthorizedKeysFile .ssh/authorized_keys
37.  
38. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
39. RhostsAuthentication no
40. RhostsRSAAuthentication no
41. # similar for protocol version 2
42. HostbasedAuthentication no
43. # Change to yes if you don't trust ~/.ssh/known_hosts for
44. # RhostsRSAAuthentication and HostbasedAuthentication
45. IgnoreUserKnownHosts yes
46. # Don't read the user's ~/.rhosts and ~/.shosts files
47. IgnoreRhosts yes
48.  
49. # To disable tunneled clear text passwords, change to no here!
50. PasswordAuthentication yes
51. PermitEmptyPasswords no
52.  
53. # Change to no to disable s/key passwords
54. #ChallengeResponseAuthentication yes
55.  
56. # Kerberos options
57. #KerberosAuthentication no
58. #KerberosOrLocalPasswd yes
59. #KerberosTicketCleanup yes
60. #KerberosGetAFSToken no
61.  
62. # GSSAPI options
63. #GSSAPIAuthentication no
64. #GSSAPICleanupCredentials yes
65.  
66. # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
67. # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
68. # in this release. The use of 'gssapi' is deprecated due to the presence of
69. # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
70. #GSSAPIEnableMITMAttack no
71.  
72.  
73. # Set this to 'yes' to enable PAM authentication, account processing,
74. # and session processing. If this is enabled, PAM authentication will
75. # be allowed through the ChallengeResponseAuthentication and
76. # PasswordAuthentication. Depending on your PAM configuration,
77. # PAM authentication via ChallengeResponseAuthentication may bypass
78. # the setting of "PermitRootLogin without-password".
79. # If you just want the PAM account and session checks to run without
80. # PAM authentication, then enable this but set PasswordAuthentication
81. # and ChallengeResponseAuthentication to 'no'.
82. UsePAM yes
83.  
84. #AllowAgentForwarding yes
85. #AllowTcpForwarding yes
86. #GatewayPorts no
87. X11Forwarding yes
88. #X11DisplayOffset 10
89. #X11UseLocalhost yes
90. #PrintMotd yes
91. #PrintLastLog yes
92. #TCPKeepAlive yes
93. #UseLogin no
94. #UsePrivilegeSeparation yes
95. #PermitUserEnvironment no
96. #Compression delayed
97. #ClientAliveInterval 0
98. #ClientAliveCountMax 3
99. #UseDNS yes
100. #PidFile /var/run/sshd.pid
101. #MaxStartups 10
102. #PermitTunnel no
103. #ChrootDirectory none
104.  
105. # no default banner path
106. #Banner none
107.  
108. # override default of no subsystems
109. Subsystem sftp /usr/lib64/ssh/sftp-server
110.  
111. # This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
112. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
113. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
114. AcceptEnv LC_IDENTIFICATION LC_ALL