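  #
  # /etc/ssh/sshd_config (Salt managed)
  #
  # Summary: protocol 2 only, public-key authentication only (passwords,
  # challenge-response, Kerberos, GSSAPI and host-based auth are all off),
  # root login limited to keys, PAM kept for account/session processing.

  # What ports, IPs and protocols we listen for
  Port 22
  # Use these options to restrict which interfaces/protocols sshd will bind to
  #ListenAddress ::
  #ListenAddress 0.0.0.0
  Protocol 2

  # HostKeys for protocol version 2
  HostKey /etc/ssh/ssh_host_rsa_key
  # NOTE(review): DSA host keys are fixed at 1024 bits and ssh-dss is disabled
  # by default in newer OpenSSH releases. Left in place so clients that pinned
  # this key keep working; drop it once no client depends on it.
  HostKey /etc/ssh/ssh_host_dsa_key
  HostKey /etc/ssh/ssh_host_ecdsa_key
  HostKey /etc/ssh/ssh_host_ed25519_key

  #Privilege Separation is turned on for security
  UsePrivilegeSeparation yes

  # Lifetime and size of ephemeral version 1 server key
  # These two are protocol-1 settings; with "Protocol 2" above they do not
  # affect any session this daemon accepts.
  KeyRegenerationInterval 3600
  ServerKeyBits 1024

  # Logging
  SyslogFacility AUTH
  LogLevel INFO

  # Authentication:
  LoginGraceTime 120
  # "without-password" does not mean "no credentials": root may log in, but
  # not with password or keyboard-interactive authentication.
  PermitRootLogin without-password
  StrictModes yes
  # RSAAuthentication is the protocol-1 option; PubkeyAuthentication is the
  # one that governs key logins under protocol 2.
  RSAAuthentication yes
  PubkeyAuthentication yes
  #AuthorizedKeysFile %h/.ssh/authorized_keys

  # Don't read the user's ~/.rhosts and ~/.shosts files
  IgnoreRhosts yes
  # For this to work you will also need host keys in /etc/ssh_known_hosts
  RhostsRSAAuthentication no
  # similar for protocol version 2
  HostbasedAuthentication no
  # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
  #IgnoreUserKnownHosts yes

  # To enable empty passwords, change to yes (NOT RECOMMENDED)
  PermitEmptyPasswords no

  # Change to yes to enable challenge-response passwords (beware issues with
  # some PAM modules and threads)
  ChallengeResponseAuthentication no

  # Change to no to disable tunnelled clear text passwords
  PasswordAuthentication no

  # Kerberos options
  KerberosAuthentication no
  #KerberosGetAFSToken no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes

  # GSSAPI options
  GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes

  # NOTE(review): X11 forwarding is enabled for every account. If no X11
  # applications are run on these hosts, set this to "no" to shrink the
  # forwarding surface - confirm with the service owners first.
  X11Forwarding yes
  X11DisplayOffset 10
  PrintMotd no
  PrintLastLog yes
  TCPKeepAlive yes
  #UseLogin no
  #MaxStartups 10:30:60
  #Banner /etc/issue.net

  # Allow client to pass locale environment variables
  AcceptEnv LANG LC_*

  Subsystem sftp /usr/lib/openssh/sftp-server

  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication. Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  # Both of those are "no" above, so PAM here only runs account and session
  # checks; keep them that way or the root-login restriction can be bypassed.
  UsePAM yes

  # HeJ: restrict cipher+mac to only allow non-CBC ones
  # The arcfour256/arcfour128/arcfour entries were removed from this list:
  # RC4 is not CBC, but it has known keystream biases and later OpenSSH
  # releases dropped it, so offering it defeats the purpose of this hardening.
  # If the deployed sshd supports them, the AEAD ciphers
  # chacha20-poly1305@openssh.com and aes256-gcm@openssh.com /
  # aes128-gcm@openssh.com can be listed ahead of these - confirm the version
  # on every minion before adding them, an unknown name stops sshd starting.
  Ciphers aes128-ctr,aes192-ctr,aes256-ctr
  # NOTE(review): hmac-sha1, hmac-ripemd160 and umac-64 (64-bit tag) are kept
  # for older clients. Once the client population is known, trim this to the
  # hmac-sha2 entries and, where supported, their -etm@openssh.com variants.
  MACs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com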