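# /path/to/your/sshd_config
#
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
#
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
#
# This sshd was compiled with PATH=/path/your/daemon/was/compiled/with
#
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#
# Options with BOOLEAN values may be "yes" or "true" OR "no" or "false"
# but *must* be in lower-case
#
# Options with time values default to seconds, are additive, and values
# may optionally have a single-character suffix indicating the time unit:
#   7s = seven seconds      12m = twelve minutes
#   3h = three hours        8d = eight days
#   2w = two weeks          1h30m = ninety minutes
#
# IMPORTANT: Command-line options override settings made via this file
#
# IMPORTANT: for each keyword sshd uses the FIRST value it reads; a keyword
# repeated outside a Match block is silently ignored the second time, so
# every keyword below appears at most once.
#
# Verify this file before restarting the daemon:  sshd -t -f <this file>
#
# Change Log
# Who        When______  What____________________________________
#
############################################################

##################
# Communications #
##################

# TCP Port to which sshd will bind
# Default is 22
# Multiple Port statements may appear and sshd will
#   listen on all indicated ports
# Equivalent command-line option: -p
#Port 22

# SSH Protocols that sshd will support
# Prior to v4.7p1, default was both 1 and 2
# Starting with v4.7p1, default is 2 only
Protocol 2

# IP addresses that sshd will bind to at startup
# The default is all local addresses available
# Use these entries to limit the daemon to specific addresses
# IPv4
#ListenAddress 0.0.0.0
# IPv6
#ListenAddress ::
# ListenAddress and Port may be combined in a single statement
# EXAMPLE: 127.0.0.1:22

# Send "keepalive" packets to verify connection is still valid?
# Default is yes
TCPKeepAlive yes

# Terminate connection if client does not respond to ClientAliveCountMax
# (defaults to 3) number of packets sent every ClientAliveInterval
# (defaults to 0) seconds.  These settings give a client about 45 seconds
# to respond before the connection is cut (3 x 15 = 45)
ClientAliveInterval 15
ClientAliveCountMax 3

# Allow sshd to forward TCP connections from authenticated
#   SSH sessions to other ports on this host or on remote hosts
# Default is yes
# If you permit users to have shell access, then globally disabling
#   port forwarding is not an effective security measure, as users
#   will be able to run their own forwarding mechanisms
# NEVER enable if you have anonymous access to the host (e.g. AnonCVS)
#AllowTcpForwarding yes

# Allow sshd to bind forwarded ports to addresses other than 127.0.0.1
# Default is no
# Allows client to receive forwarded TCP packets from any host
#   that the server can receive from.  Has significant security issues
#   and generally should not be enabled without other control
#   mechanisms, such as TCP Wrappers or host-based firewalls.
#GatewayPorts no

# Limit the TCP ports to which forwarding is permitted
# Default allows any TCP port to be forwarded (subject to AllowTcpForwarding)
# If you allow TCP Forwarding, you should probably use this to
#   restrict which ports may be forwarded.  This setting is not an
#   effective substitute for a more-comprehensive tool like a firewall
#   or TCP Wrappers
# Multiple whitespace-separated permissions may be listed on a single line
# The keyword "all" removes all restrictions (the default)
#PermitOpen host:port
#PermitOpen IPv4_addr:port
#PermitOpen [IPv6_addr]:port

# Max number of *unauthenticated* connections permitted at any
#   one moment; authenticated connections do not count against this limit
# Defaults to 10; set to 0 for no limit
# May also be specified using A:B:C
#   where A is a lower bound, and once it is exceeded, there
#   is a B% chance that the next connection will be summarily
#   rejected.  This chance increases in a linear fashion until
#   the number of connections reaches C, when the chance of refusal
#   becomes 100%.  Roughly, each unauthenticated connection above
#   A adds to the chance of rejection by ((100 - B)/(C - A))%
MaxStartups 5

#####################
# HostKey Locations #
#####################

# Locations of the private key files that uniquely
#   identify this server
# HostKeys for protocol version 2
HostKey /path/to/your/config/ssh_host_rsa_key
HostKey /path/to/your/config/ssh_host_dsa_key

###########
# Logging #
###########

# These options obsolete QuietMode and FascistLogging
#   from previous versions

# Facility to which sshd logs
SyslogFacility AUTH

# Logging Level/Severity (default is INFO)
# Equivalent command-line option: -o "LogLevel VERBOSE"
# Similar command-line option: -d [ -d [ -d ] ]
LogLevel VERBOSE

##################
# Authentication #
##################

# Location (relative to user home directory) of user's public-key
#   authorization file
# May also be an absolute path
# Macro substitutions are available:
#   %h = User's home directory as defined in /etc/passwd or elsewhere
#   %u = User name
#   %% = A % sign
#AuthorizedKeysFile .ssh/authorized_keys

# Grace period in which authentication must occur before
#   connection is dropped
# Default is 120 seconds/2 minutes; 0 disables this (infinite time)
# Equivalent command-line option: -g
#LoginGraceTime 2m

# Limit the number of authentication attempts that may be
#   made using a single SSH connection (may discourage dictionary
#   attacks, or make them obvious); a side-effect is that a user
#   with multiple public keys in an identity file may exceed the
#   limit (so this option is of limited usefulness in a
#   key-oriented environment)
# Default is 6
MaxAuthTries 3

# Require important files and directories to have strictly limited permissions
# Default is yes.  When enabled, the locations must be owned by the user (or root)
#   and must NOT be group- or world-writable
# Locations checked:
#   User's home directory (~)
#   ~/.rhosts and ~/.shosts
#   User's SSH configuration directory (~/.ssh)
#   User's SSH key files (~/.ssh/authorized_keys)
StrictModes yes

# Allow keyboard-interactive authentication?
# Default is yes
# Requires compile-time support for BSD-AUTH, PAM and/or SKEY; if these
#   were not included, then this option is ignored
#ChallengeResponseAuthentication yes

# Allow password-based authentication?
# Default is yes
# sshd normally uses the password in /etc/shadow, but may also use PAM or Kerberos
# Note that for NetWare, password authentication is the only method
#PasswordAuthentication yes

# Permit accounts with empty passwords to login?
# Default is no
# It is HIGHLY recommended that you leave this DISABLED
#PermitEmptyPasswords no

# Allow SSH v2-style public-key authentication?
# Default is yes
#PubkeyAuthentication yes

# Allow SSH v2-style host-based authentication
# Default is no
# Uses /etc/hosts.equiv, ~/.rhosts, /etc/shosts.equiv and/or
#   ~/.shosts for authentication
# Host-based authentication is problematic and its use is not recommended
#HostbasedAuthentication no

# Allow hosts file in user's ssh directory to override previous setting?
# Default is no (which PERMITS the override)
# To ensure host-based authentication is disabled, set IgnoreUserKnownHosts
#   and IgnoreRhosts to yes and leave RhostsRSAAuthentication and
#   HostbasedAuthentication at no
IgnoreUserKnownHosts yes

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

##################
# Access Control #
##################

# Is root allowed to login via SSH?
# Default is yes
# It is HIGHLY recommended you DISABLE this (no) - in most
#   environments, there is no reason root should login remotely
PermitRootLogin no

# List of user accounts (by name, not UID #) specifically
#   denied SSH access (even with a valid password/key, these
#   accounts are not allowed to login)
DenyUsers root daemon bin sys adm lp sshd uucp listen nobody noaccess nobody4 ftp

# List of user accounts (by name, not UID #) specifically
#   allowed SSH access (pending successful authentication via a permitted
#   method)
#AllowUsers

# List of groups (by name, not GID #) specifically
#   denied SSH access (even with a valid password/key, accounts
#   in these groups are not allowed to login; does not require
#   the group to be the account's Primary group)
#DenyGroups

# List of groups (by name, not GID #) specifically allowed SSH
#   access (pending successful authentication via a permitted method;
#   does not require the group to be the account's Primary group)
#AllowGroups

# NOTE ABOUT RESOLVING ALLOW/DENY CONFLICTS:
# sshd will adopt the most-restrictive interpretation of AllowUsers/AllowGroups
#   and DenyUsers/DenyGroups.  Thus, if any entry can be used to deny an
#   account login, the account will be denied.
# The directives are consulted in the following order, regardless of the order
#   in which they appear in the config file:
#   DenyUsers, AllowUsers, DenyGroups, AllowGroups

####################
# User Environment #
####################

# List of environment variables that sshd will allow the client
#   to set using the SendEnv option in the client configuration
# Default is an empty string, which causes sshd to ignore all
#   such client requests
#AcceptEnv

# Override any command requested by the client and force
#   execution of the following command.  Execution occurs in the
#   user's shell environment, with the -c option
# NOTE: Generally, this is most useful in a Match block
#ForceCommand

# Allow the user to set environment variables using
#   ~/.ssh/environment and options in their authorized_keys file
# Default is no
# If you are using rssh, then do NOT enable this, as it will
#   create holes that a user can exploit to break rssh security
PermitUserEnvironment no

######################
# Encryption Ciphers #
######################

# NOTE: These options do not force a particular selection order,
#   they merely limit the ones sshd will allow a client
#   to use; clients must support at least one of
#   the listed algorithms

# List of permitted data encryption algorithms
# The CBC-mode, arcfour, blowfish, cast128 and 3des entries are kept only
#   for compatibility with old clients; where your clients permit it,
#   trim this list to the aes*-ctr entries
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr

# List of permitted integrity-checking algorithms (v4.7p1 added umac-64)
# Exactly one MACs line: sshd keeps the first value it reads for a keyword,
#   so a second MACs line is never applied.  The MD5 name is "hmac-md5";
#   an unknown MAC name makes sshd refuse to start.  The MD5 and -96
#   variants are weak and can be dropped once clients no longer need them.
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64

####################
# Kerberos options #
####################

# These options are ignored unless OpenSSH was compiled
#   with Kerberos authentication support; default values are shown

# Enable direct Kerberos authentication
# Equivalent command-line option: -K
#GSSAPIAuthentication no

# Delete Kerberos-forwarded credentials on logout
#GSSAPICleanupCredentials yes

# Allow sshd to submit user's SSH password for
#   Kerberos authentication (indirect method)
#KerberosAuthentication no

# Allow local password authentication if Kerberos fails
#KerberosOrLocalPasswd yes

# Delete Kerberos-forwarded credentials on logout
#KerberosTicketCleanup yes

# Requires AFS support; instructs sshd to attempt to get an AFS
#   token prior to accessing the user's home directory
#KerberosGetAFSToken no

###############
# PAM options #
###############

# Enable PAM support?
# Defaults to no
# Set this to 'yes' to enable PAM authentication (via challenge-response)
#   and session processing.  Depending on your PAM configuration, this may
#   bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no

###############
# X11 options #
###############

# Enable forwarding of X11 connections
# Default is no
# Will be disabled if UseLogin is enabled
#X11Forwarding no

# Reserve X11 Display numbers so sshd won't try to use them
# Default is 10
# Prevents sshd from clashing with existing X servers
#X11DisplayOffset 10

# Bind the X11 forwarding server to the loopback address (yes) rather
#   than the wildcard address (no, the pre-v3.1 behaviour)
# Default is yes
# Some older X11 clients need "no"
#X11UseLocalhost yes

#################
# Other options #
#################

# Allow use of data compression in SSH links?
# Default is delayed
# Compression is requested by the client, but this setting
#   globally enables or disables it; compression is generally
#   not useful in the LAN environment (and may actually hurt
#   performance), but can help in WAN or extranet environments;
#   a third option, "delayed", ignores compression requests until
#   connection is authenticated (note that some SSH clients
#   may be unable to negotiate a connection with this setting)
Compression delayed

# Force sshd to use system's login program?
# Default is no
# There is generally no need to enable this option, doing so
#   may compromise Privilege Separation, and will break X forwarding
#UseLogin no

# Banner message displayed prior to authentication
# Must be full, absolute path
# Default is no pre-authentication banner
#Banner /etc/warning.txt

# Print /etc/motd after successful authentication?
# Default is yes
# If your shells print motd by default, this option may be redundant
# NOTE: sshd will obey ~/.hushlogin
#PrintMotd yes

# Print date/time of user's last login?
# Default is yes
# NOTE: sshd will obey ~/.hushlogin
#PrintLastLog yes

# Use privilege separation user ID
# Default is yes
# sshd was hardcoded at compile-time to use a specific user
#   account - it is "sshd" unless something else was specified
UsePrivilegeSeparation yes

# Require a connecting host to have DNS reverse name-resolution?
# Defaults to yes
# Unless you control DNS for all hosts legitimately connecting, this
#   option is not of much value, and probably not worth the overhead
UseDNS no

# Full path to daemon's PID file
# Defaults to /var/run/sshd.pid
# Ignored in debug mode
PidFile /var/run/sshd.pid

# Specify commands that may be executed by remote clients
# Default is no subsystems
# Format is: Subsystem name command
# Full path *must* be specified, command-line parameters are *not*
#   allowed (sshd will refuse to start)
# Shorthand names are case-sensitive
# Maximum of 256 subsystems may be defined
Subsystem sftp /path/to/openssh/libexec/sftp-server

########################
# Protocol v1 settings #
########################

# Ignored since SSH v1 is not enabled, but retained
#   here for documentary purposes

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Allow SSH v1-style public-key authentication
# Default is yes
# Changing to "no" is redundant if SSH v1 support is disabled
#   in the Protocols keyword
#RSAAuthentication yes

# Allow SSH v1-style host-based authentication
# Default is no
# Requires host key in /path/to/openssh/configuration/ssh_known_hosts
#RhostsRSAAuthentication no

# HostKey for protocol version 1
#HostKey /path/to/your/config/ssh_host_key

####################
# Match Directives #
####################

# Match attempts to match a session based on any of the
#   following criteria:
#     User      Group
#     Host      Address
# If there is a match, then the subsequent options are
#   applied, overriding any global settings for those options
#   made above.  Options are read until EOF or until another
#   Match statement is encountered (whether or not it is a
#   successful Match).  The available Options in a Match block are:
#     AllowTcpForwarding          Banner
#     ForceCommand                GatewayPorts
#     GSSAPIAuthentication
#     KbdInteractiveAuthentication
#     KerberosAuthentication      PasswordAuthentication
#     PermitOpen
#     RhostsRSAAuthentication     RSAAuthentication
#     X11DisplayOffset            X11Forwarding
#     X11UseLocalHost
####################

# Display a special banner for "internal" clients
Match Address 10.1.2.*
    Banner /etc/issue.internal

# Allow user bob to forward TCP packets, including those from
#   other hosts
# Boolean values are case-sensitive: "Yes" is rejected as a bad
#   yes/no argument and sshd will not start, so this must be "yes"
# GatewayPorts exposes bob's forwarded ports to any host that can reach
#   this server (see the warning under GatewayPorts above); pair it with
#   PermitOpen or a host firewall
Match User bob
    AllowTcpForwarding yes
    GatewayPorts yes

######################################
## End of /path/to/your/sshd_config ##
######################################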