Ticket #3921: sshd_config

File sshd_config, 6.8 KB (added by howaboutsynergy, 5 years ago)

sshd server config used to test

Line 
1#       $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
2
3# This is the sshd server system-wide configuration file.  See
4# sshd_config(5) for more information.
5
6# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
7
8# The strategy used for options in the default sshd_config shipped with
9# OpenSSH is to specify options with their default value where
10# possible, but leave them commented.  Uncommented options override the
11# default value.
12
13Port 22
14#AddressFamily any
15AddressFamily inet
16ListenAddress 0.0.0.0
17#ListenAddress ::
18
19# The default requires explicit activation of protocol 1
20Protocol 2
21
22# HostKey for protocol version 1
23#HostKey /etc/ssh/ssh_host_key
24# HostKeys for protocol version 2
25#XXX ^ needed for mc's sftp:// to work
26#HostKey /etc/ssh/ssh_host_dsa_key
27#HostKey /etc/ssh/ssh_host_ecdsa_key
28HostKey /etc/ssh/ssh_host_ed25519_key
29
30# Lifetime and size of ephemeral version 1 server key
31#KeyRegenerationInterval 1h
32#ServerKeyBits 1024
33
34# Ciphers and keying
35#RekeyLimit default none
36
37# Logging
38#SyslogFacility AUTH
39#LogLevel INFO
40LogLevel VERBOSE
41LoginGraceTime 30s
42PermitRootLogin yes
43StrictModes yes
44MaxAuthTries 5
45MaxSessions 10
46
47#deprecated:
48#RSAAuthentication no
49##RSAAuthentication yes
50#UseLogin no
51##UsePrivilegeSeparation sandbox                # Default for new installations.
52#UsePrivilegeSeparation sandbox
53# allow the use of the none cipher
54##NoneEnabled no
55#NoneEnabled no
56
57PubkeyAuthentication yes
58HostbasedAuthentication no
59IgnoreUserKnownHosts yes
60IgnoreRhosts yes
61PermitEmptyPasswords no
62AllowAgentForwarding no
63GatewayPorts no
64TCPKeepAlive yes
65PermitUserEnvironment no
66Compression delayed
67ClientAliveInterval 30
68ClientAliveCountMax 5
69UseDNS no
70PermitTunnel point-to-point
71Ciphers aes256-ctr
72# Set this to the unix group whose members are allowed access
73#AllowGroup ssh
74AllowUsers root user
75DenyUsers portage a
76#MACs hmac-sha2-512-etm@openssh.com
77#KexAlgorithms curve25519-sha256@libssh.org
78
79#AuthenticationMethods publickey
80#PasswordAuthentication no
81#^ won't work for mc sftp://  unless using patch from https://midnight-commander.org/ticket/3921  ? (untested yet)
82#AuthenticationMethods keyboard-interactive:bsdauth,keyboard-interactive:pam
83AuthenticationMethods keyboard-interactive:pam
84PasswordAuthentication no
85KbdInteractiveAuthentication yes
86ChallengeResponseAuthentication yes
87UsePAM yes
88#guessing ^ is needed for the patch in https://midnight-commander.org/ticket/3921
89#temp:
90#AuthenticationMethods password
91#PasswordAuthentication yes
92
93#temp for mc sftp:// to work:
94MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
95KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
96#AuthenticationMethods password
97##^ won't work if "password,publickey"
98#PasswordAuthentication yes
99HostKey /etc/ssh/ssh_host_rsa_key
100#^ no need to comment out other HostKey`s
101#XXX from within mc won't work(with password or publickey either): no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
102#XXX then(if you have KexAlgorithms diffie-hellman-group-exchange-sha256) it won't work due to HostKey like this: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
103#XXX: then (if you have HostKey /etc/ssh/ssh_host_rsa_key) no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]
104#XXX: then(if you have MACs hmac-sha2-512) it won't work with publickey, need to use password!
105#ListenAddress 192.168.100.121
106
107
108
109
110# Authentication:
111
112#LoginGraceTime 2m
113#PermitRootLogin prohibit-password
114#PermitRootLogin yes
115#StrictModes yes
116#MaxAuthTries 6
117#MaxSessions 10
118
119#PubkeyAuthentication yes
120
121# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
122# but this is overridden so installations will only check .ssh/authorized_keys
123#AuthorizedKeysFile     .ssh/authorized_keys
124AuthorizedKeysFile      .ssh/authorized_key
125
126#AuthorizedPrincipalsFile none
127
128#AuthorizedKeysCommand none
129#AuthorizedKeysCommandUser nobody
130
131# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
132#HostbasedAuthentication no
133# Change to yes if you don't trust ~/.ssh/known_hosts for
134# HostbasedAuthentication
135#IgnoreUserKnownHosts no
136# Don't read the user's ~/.rhosts and ~/.shosts files
137#IgnoreRhosts yes
138
139# To disable tunneled clear text passwords, change to no here!
140#PasswordAuthentication yes
141#PermitEmptyPasswords no
142
143# Change to no to disable s/key passwords
144#ChallengeResponseAuthentication yes
145#ChallengeResponseAuthentication no
146#^ yes = enables TIS Challenge/Response in SSH protocol version 1, and keyboard-interactive in SSH protocol v2
147
148# Kerberos options
149#KerberosAuthentication no
150#KerberosOrLocalPasswd yes
151#KerberosTicketCleanup yes
152#KerberosGetAFSToken no
153
154# GSSAPI options
155#GSSAPIAuthentication no
156#GSSAPICleanupCredentials yes
157
158# Set this to 'yes' to enable PAM authentication, account processing,
159# and session processing. If this is enabled, PAM authentication will
160# be allowed through the ChallengeResponseAuthentication and
161# PasswordAuthentication.  Depending on your PAM configuration,
162# PAM authentication via ChallengeResponseAuthentication may bypass
163# the setting of "PermitRootLogin without-password".
164# If you just want the PAM account and session checks to run without
165# PAM authentication, then enable this but set PasswordAuthentication
166# and ChallengeResponseAuthentication to 'no'.
167#UsePAM yes
168#UsePAM no
169#^ set PAM to no, because PAM is not used if public key authentication is used! src: https://dev.gentoo.org/~swift/docs/security_benchmarks/openssh.html#item-xccdf_org.gentoo.dev.swift_group_config-default
170#okno: but if PAM is no, then limits.conf is not applied! but keep these 2 as 'no' to disable PAM auth PasswordAuthentication ChallengeResponseAuthentication; OK, that wasn't it, XXX: even with UsePAM no, ulimit -c works, set to unlimited as per limits.conf except in the case when you use '*' instead of '0:' as first field in there! tested!
171
172#AllowAgentForwarding yes
173#AllowTcpForwarding yes
174AllowTcpForwarding yes
175#GatewayPorts no
176#X11Forwarding no
177X11Forwarding no
178#X11DisplayOffset 10
179#X11UseLocalhost yes
180#PermitTTY yes
181PermitTTY yes
182#PrintMotd no
183#PrintLastLog yes
184PrintMotd no # pam does that
185PrintLastLog yes
186#TCPKeepAlive yes
187#PermitUserEnvironment no
188#Compression delayed
189#ClientAliveInterval 0
190#ClientAliveCountMax 3
191#UseDNS no
192#PidFile /run/sshd.pid
193#MaxStartups 10:30:100
194#PermitTunnel no
195#ChrootDirectory none
196#VersionAddendum none
197
198# no default banner path
199#Banner none
200
201# override default of no subsystems
202Subsystem      sftp    /usr/lib/ssh/sftp-server
203
204
205
206# Example of overriding settings on a per-user basis
207#XXX: note uses tabs:
208#Match User anoncvs
209#       X11Forwarding no
210#       AllowTcpForwarding no
211#       PermitTTY no
212#       ForceCommand cvs server
213
214# Allow client to pass locale environment variables #367017
215#AcceptEnv LANG LC_*
216AcceptEnv LANG LC_*
217