-
Notifications
You must be signed in to change notification settings - Fork 0
/
sshd_config
83 lines (65 loc) · 2.21 KB
/
sshd_config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# from https://cipherli.st/ and https://wiki.mozilla.org/Security/Guidelines/OpenSSH
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
# From Cipherli.st but doesn't work for the latest OpenSSH which we're using
#MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
# Logging
#SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
PermitUserRC no
StrictModes no
MaxAuthTries 6
MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
#UsePAM yes
AuthenticationMethods publickey
AllowAgentForwarding no
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
PermitTTY no
PrintMotd no
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 30
ClientAliveCountMax 3
UseDNS no
PidFile none
PermitTunnel no
ChrootDirectory none
VersionAddendum none
# no default banner path
Banner none
# override default of no subsystems
#Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO