sshd_config
@mmatt.net · 28d ago · plaintext · 127 loc · raw · 0 comments
root@mmatt-pds:~/core# cat /etc/ssh/sshd_config

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# NOTE(review): sshd keeps the first value it obtains for each keyword, and
# this Include is read before everything below. A drop-in under
# /etc/ssh/sshd_config.d/ therefore wins over the matching line in this file.
# The drop-ins are not shown here; confirm the effective settings with
# `sshd -T` (and `sshd -T -C user=git` for the Match block at the end).
Include /etc/ssh/sshd_config.d/*.conf

# NOTE(review): this line is commented out, so the 4269 value is not applied.
# Unless a drop-in sets Port, sshd listens on the default port 22.
#Port 4269
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# NOTE(review): left commented, so this file keeps the default (yes) and
# password logins stay enabled unless a drop-in disables them. If every
# account uses keys, set `PasswordAuthentication no` explicitly once key
# login has been confirmed to work.
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
# NOTE(review): X11 forwarding is enabled for every account, including the
# git account matched at the end of this file. Set it to no unless X11 over
# SSH is actually used on this host.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

# Per-user override for the git account: public keys come from the keyfetch
# helper's output instead of (or in addition to) ~/.ssh/authorized_keys.
#
# NOTE(review): sshd requires the AuthorizedKeysCommand program to be owned
# by root, not writable by group or others, and given by absolute path. It is
# executed as AuthorizedKeysCommandUser, so `nobody` needs search permission
# on /root and /root/core. /root is normally mode 0700; if that holds here the
# helper cannot be executed and key lookup for git fails. Install the helper
# in a root-owned system directory rather than loosening /root.
#
# NOTE(review): sshd_config(5) recommends a dedicated user with no other role
# on the host for this command; `nobody` is commonly shared with other
# services.
#
# NOTE(review): whatever answers on localhost:5444 decides which keys are
# accepted for git, and 5444 is an unprivileged port. Make sure the expected
# service owns it and listens on loopback only.
#
# NOTE(review): nothing in this block limits what the git account can do, so
# the global defaults (X11Forwarding yes, TCP and agent forwarding, TTY)
# apply. Unless the key options emitted by keyfetch already restrict the
# session (not visible from this file), add `X11Forwarding no`,
# `AllowTcpForwarding no`, `AllowAgentForwarding no` and `PermitTTY no` here.
Match User git
    AuthorizedKeysCommand /root/core/keyfetch -internal-api http://localhost:5444 -repoguard-path /home/git/repoguard
    AuthorizedKeysCommandUser nobody