sshd_config.Debian.bookworm 3.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130
  1. # This is the sshd server system-wide configuration file. See
  2. # sshd_config(5) for more information.
  3. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
  4. # The strategy used for options in the default sshd_config shipped with
  5. # OpenSSH is to specify options with their default value where
  6. # possible, but leave them commented. Uncommented options override the
  7. # default value.
  8. Include /etc/ssh/sshd_config.d/*.conf
  9. #Port 22
  10. #AddressFamily any
  11. #ListenAddress 0.0.0.0
  12. #ListenAddress ::
  13. #HostKey /etc/ssh/ssh_host_rsa_key
  14. #HostKey /etc/ssh/ssh_host_ecdsa_key
  15. #HostKey /etc/ssh/ssh_host_ed25519_key
  16. # Ciphers and keying
  17. #RekeyLimit default none
  18. # Logging
  19. #SyslogFacility AUTH
  20. #LogLevel INFO
  21. # Authentication:
  22. #LoginGraceTime 2m
  23. PermitRootLogin prohibit-password
  24. #StrictModes yes
  25. #MaxAuthTries 6
  26. #MaxSessions 10
  27. PubkeyAuthentication yes
  28. # Expect .ssh/authorized_keys2 to be disregarded by default in future.
  29. #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
  30. #AuthorizedPrincipalsFile none
  31. #AuthorizedKeysCommand none
  32. #AuthorizedKeysCommandUser nobody
  33. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  34. HostbasedAuthentication no
  35. # Change to yes if you don't trust ~/.ssh/known_hosts for
  36. # HostbasedAuthentication
  37. #IgnoreUserKnownHosts no
  38. # Don't read the user's ~/.rhosts and ~/.shosts files
  39. #IgnoreRhosts yes
  40. # To disable tunneled clear text passwords, change to no here!
  41. PasswordAuthentication no
  42. #PermitEmptyPasswords no
  43. # Change to yes to enable challenge-response passwords (beware issues with
  44. # some PAM modules and threads)
  45. KbdInteractiveAuthentication no
  46. # Kerberos options
  47. KerberosAuthentication no
  48. #KerberosOrLocalPasswd yes
  49. #KerberosTicketCleanup yes
  50. #KerberosGetAFSToken no
  51. # GSSAPI options
  52. GSSAPIAuthentication no
  53. #GSSAPICleanupCredentials yes
  54. #GSSAPIStrictAcceptorCheck yes
  55. #GSSAPIKeyExchange no
  56. # Set this to 'yes' to enable PAM authentication, account processing,
  57. # and session processing. If this is enabled, PAM authentication will
  58. # be allowed through the KbdInteractiveAuthentication and
  59. # PasswordAuthentication. Depending on your PAM configuration,
  60. # PAM authentication via KbdInteractiveAuthentication may bypass
  61. # the setting of "PermitRootLogin prohibit-password".
  62. # If you just want the PAM account and session checks to run without
  63. # PAM authentication, then enable this but set PasswordAuthentication
  64. # and KbdInteractiveAuthentication to 'no'.
  65. UsePAM yes
  66. AllowAgentForwarding yes
  67. #AllowTcpForwarding yes
  68. #GatewayPorts no
  69. X11Forwarding no
  70. #X11DisplayOffset 10
  71. #X11UseLocalhost yes
  72. #PermitTTY yes
  73. PrintMotd no
  74. #PrintLastLog yes
  75. #TCPKeepAlive yes
  76. #PermitUserEnvironment no
  77. #Compression delayed
  78. #ClientAliveInterval 0
  79. #ClientAliveCountMax 3
  80. #UseDNS no
  81. #PidFile /run/sshd.pid
  82. #MaxStartups 10:30:100
  83. PermitTunnel yes
  84. #ChrootDirectory none
  85. #VersionAddendum none
  86. # no default banner path
  87. #Banner none
  88. # Allow client to pass locale environment variables
  89. AcceptEnv LANG LC_*
  90. # override default of no subsystems
  91. Subsystem sftp /usr/lib/openssh/sftp-server
  92. # Example of overriding settings on a per-user basis
  93. #Match User anoncvs
  94. # X11Forwarding no
  95. # AllowTcpForwarding no
  96. # PermitTTY no
  97. # ForceCommand cvs server
  98. # Cipher List from Cipherlist.eu
  99. HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
  100. KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
  101. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  102. MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com