Mikaela
/
shell-things
mirror of https://gitea.blesmrt.net/mikaela/shell-things.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

sshd_config: cleaning up

This commit is contained in:
Aminda Suomalainen 2015-08-30 16:54:21 +03:00
parent 7b8bf1710d
commit 73e9e99d9c
1 changed files with 15 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
etc/ssh/sshd_config
View File

@ -1,16 +1,9 @@
# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # OpenSSH /etc/ssh/sshd_config. I am removing commented lines for this to
# be more clear and if they are missed some day, just download
# This is the sshd server system-wide configuration file. See # upstream config file or take it from any distribution.
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22 Port 22
AddressFamily any AddressFamily any
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
ListenAddress :: ListenAddress ::
@ -19,12 +12,12 @@ ListenAddress ::
Protocol 2 Protocol 2
# HostKeys for protocol version 2 # HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT: ## IF THE HOST KEYS ARE MISSING, RUN THE FOLLOWING AS ROOT:
# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key # ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
# ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
# Uncomment one of the following depending on which OS # Uncomment one of the following depending on which OS
## Arch ## Arch
@ -32,65 +25,27 @@ HostKey /etc/ssh/ssh_host_ed25519_key
## Debian ## Debian
#Subsystem sftp /usr/lib/openssh/sftp-server #Subsystem sftp /usr/lib/openssh/sftp-server
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging # Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel VERBOSE LogLevel VERBOSE
# Authentication: # Authentication:
PermitRootLogin No
#LoginGraceTime 2m # The default is to check both .ssh/authorized_keys and
PermitRootLogin prohibit-password # .ssh/authorized_keys2 but this is overridden so installations will only
#StrictModes yes # check .ssh/authorized_keys
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none # Password based logins are disabled - only public key based logins are
# allowed.
AuthenticationMethods publickey
#AuthorizedKeysCommand none # Disable tunneled clear text passwords!
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords # Disable s/key passwords
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and # be allowed through the ChallengeResponseAuthentication and
@ -102,34 +57,7 @@ ChallengeResponseAuthentication no
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
UsePAM yes UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations. UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
Banner /etc/issue.net Banner /etc/issue.net
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server