diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
index 05189b20..ba9fc8f9 100755
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
@@ -1,16 +1,9 @@
-# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
+# OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to
+# be more clear and if they are missed some day, just download
+# upstream config file or take it from any distribution.
 Port 22
+
 AddressFamily any
 ListenAddress 0.0.0.0
 ListenAddress ::
@@ -19,12 +12,12 @@ ListenAddress ::
 Protocol 2
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
 ## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT:
-# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
 # ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
+# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
 # Uncomment one of the following depending on which OS
 ## Arch
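Review bot: The replacement header drops the `$OpenBSD: sshd_config,v 1.97 2015/08/06` tag, which was the only record of which upstream defaults this stripped-down file relies on; since the new comment tells readers to fetch the upstream file for anything missing, that version reference should survive in it. A tighter wording would be `# OpenSSH sshd_config, based on OpenBSD sshd_config,v 1.97 (2015/08/06).` followed by `# Commented defaults have been removed; see sshd_config(5) or the upstream file for them.` The pointer to `sshd_config(5)` from the removed text is worth keeping for the same reason, and the rewritten sentence reads more clearly without the first-person phrasing.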
@@ -32,65 +25,27 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 ## Debian
 #Subsystem sftp /usr/lib/openssh/sftp-server
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Ciphers and keying
-#RekeyLimit default none
-
 # Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
 LogLevel VERBOSE
 # Authentication:
+PermitRootLogin No
-#LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
+# The default is to check both .ssh/authorized_keys and
+# .ssh/authorized_keys2 but this is overridden so installations will only
+# check .ssh/authorized_keys
 AuthorizedKeysFile .ssh/authorized_keys
-#AuthorizedPrincipalsFile none
+# Password based logins are disabled - only public key based logins are
+# allowed.
+AuthenticationMethods publickey
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
+# Disable tunneled clear text passwords!
 PasswordAuthentication no
-#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
+# Disable s/key passwords
 ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
@@ -102,34 +57,7 @@ ChallengeResponseAuthentication no
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
 PrintMotd no # pam does that
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
 UsePrivilegeSeparation sandbox # Default for new installations.
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
 Banner /etc/issue.net
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
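Review bot: `AuthenticationMethods publickey` makes every login depend on `PubkeyAuthentication` being enabled, yet the same hunk deletes the `#PubkeyAuthentication yes` line, so nothing in the file states that requirement any more; given the new header's policy of keeping only effective settings, add `PubkeyAuthentication yes` directly above `AuthenticationMethods publickey`. `AuthenticationMethods` also needs an sshd that supports it (OpenSSH 6.2 and later), which is worth recording in the header comment if this file is deployed to hosts of mixed age. `PermitRootLogin No` should work, as sshd compares these keyword arguments case-insensitively as far as I can tell, but every other argument in the file is lowercase, so write `PermitRootLogin no`. The new comment `# Disable s/key passwords` understates what `ChallengeResponseAuthentication no` does: as the context comment just below explains, it is also the path PAM prompts would take, so `# Disable challenge-response (keyboard-interactive) auth, incl. s/key and PAM prompts` describes the effect more accurately.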