sshd_config.j2 (3330B)
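# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# NOTE: sshd keeps the first value it obtains for each keyword, and this
# Include is processed before everything below.  A drop-in under
# /etc/ssh/sshd_config.d/ that sets PasswordAuthentication,
# KbdInteractiveAuthentication, PermitRootLogin, etc. therefore takes
# precedence over the values in this file.  Review the drop-ins that end up
# on the host and confirm the effective settings with `sshd -T`.
Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Only the Ed25519 host key is loaded (an explicit HostKey replaces the
# built-in default list), and it is presented with a CA-signed host
# certificate so clients can verify the host through the host CA.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

# User certificates signed by this CA are accepted.  AuthorizedPrincipalsFile
# is left unset below, so a certificate is honoured only when the target
# login name appears in its principals list.  The file must stay writable by
# root only: whoever controls it controls who can log in.
TrustedUserCAKeys /etc/ssh/userca.pub

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# AllowUsers (set further down) does not list root, so root logins are
# refused regardless of this value; it only matters if AllowUsers changes.
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
# NOTE(review): with the default left in place, plain keys in
# ~/.ssh/authorized_keys are accepted alongside CA-signed certificates.
# If certificate-only login is intended, set "AuthorizedKeysFile none".
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# Both of those are 'no' above, so PAM is used here for account and
# session processing only.
UsePAM yes

# Agent and TCP forwarding are left at their defaults (yes).  Set them to
# 'no' if this host is not meant to be used as a jump host.
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Only this account may log in.  Kept above the Match example on purpose:
# every directive that follows a Match line belongs to that Match block, so
# an AllowUsers at the very end of the file would silently become scoped to
# the block if the example were ever uncommented.
AllowUsers dwarf

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server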