# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value. For each keyword sshd(8) uses the first value it reads,
# so a directive repeated further down the file is silently ignored.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

# Specifies which address family should be used by sshd(8). Valid arguments
# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
AddressFamily any

# Specifies the local addresses sshd(8) should listen on. The following
# forms may be used:
#   ListenAddress host|IPv4_addr|IPv6_addr
#   ListenAddress host|IPv4_addr:port
#   ListenAddress [host|IPv6_addr]:port
# If port is not specified, sshd will listen on the address and all prior
# Port options specified. The default is to listen on all local addresses.
# Multiple ListenAddress options are permitted. Additionally, any Port
# options must precede this option for non-port qualified addresses.
# Note that the line below binds the IPv4 wildcard only; to accept IPv6 as
# well, add a second line such as "ListenAddress [::]:10022".
ListenAddress 0.0.0.0:10022

# Specifies the protocol versions sshd(8) supports. The possible values are
# '1' and '2'. Multiple versions must be comma-separated. The default is
# ''2,1''. Note that the order of the protocol list does not indicate
# preference, because the client selects among multiple protocol versions
# offered by the server. Specifying ''2,1'' is identical to ''1,2''.
Protocol 2

# Specifies a file containing a private host key used by SSH. The default
# is /etc/ssh/ssh_host_key for protocol version 1, and
# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol
# version 2. Note that sshd(8) will refuse to use a file if it is
# group/world-accessible. It is possible to have multiple host key files.
# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for
# version 2 of the SSH protocol.
HostKey /etc/ssh/ssh_host_ed25519_key

# Specifies the ciphers allowed for protocol version 2. Multiple ciphers
# must be comma-separated. The supported ciphers are ''3des-cbc'',
# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',
# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',
# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''.
# (That list comes from an older sshd_config(5); the AEAD ciphers selected
# below are only available in newer releases. "ssh -Q cipher" prints what
# the installed binary actually supports.)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

# Specifies the available MAC (message authentication code)
# algorithms. The MAC algorithm is used in protocol version 2 for data
# integrity protection. Multiple algorithms must be comma-separated.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Specifies the available KEX (Key Exchange) algorithms. Multiple
# algorithms must be comma-separated. For interoperability with Eclipse
# and WinSCP:
# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# If diffie-hellman-group-exchange-sha256 is enabled, open /etc/ssh/moduli
# if it exists, and delete the lines where the 5th column (the group size)
# is 2000 or less, so that only the larger groups remain:
# awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
# wc -l "${HOME}/moduli"   # make sure there is something left
# mv "${HOME}/moduli" /etc/ssh/moduli
#
# CentOS 6
# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# CentOS 7 / Fedora >21 ("only" curve25519)
KexAlgorithms curve25519-sha256@libssh.org

# Logging
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,
# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
SyslogFacility AUTHPRIV

# Gives the verbosity level that is used when logging messages from sshd(8).
# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are
# equivalent.
# DEBUG2 and DEBUG3 each specify higher levels of debugging
# output. Logging with a DEBUG level violates the privacy of users and is
# not recommended.
# LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a
# clear audit trail of which key was used to log in.
LogLevel VERBOSE

# Configures an external subsystem (e.g. file transfer daemon). Arguments
# should be a subsystem name and a command (with optional arguments) to
# execute upon subsystem request. Log sftp level file access
# (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Authentication:

# The server disconnects after this time if the user has not successfully
# logged in. If the value is 0, there is no time limit.
# Note: with no limit, every half-open connection keeps one of the
# MaxStartups slots (see below) until the peer goes away, which makes it
# easier to exhaust them; the default is 120 seconds.
LoginGraceTime 0

# Specifies whether root can log in using ssh(1). The argument must be
# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.
# The default is ''yes''. If this option is set to ''without-password'',
# password authentication is disabled for root. If this option is set to
# ''forced-commands-only'', root login with public key authentication will
# be allowed, but only if the command option has been specified (which
# may be useful for taking remote backups even if root login is normally
# not allowed). All other authentication methods are disabled for root.
# If this option is set to ''no'', root is not allowed to log in.
PermitRootLogin no

# This keyword can be followed by a list of user name patterns, separated
# by spaces. If specified, login is allowed only for user names that match
# one of the patterns. Only user names are valid; a numerical user ID is
# not recognized. By default, login is allowed for all users. If the pattern
# takes the form USER@HOST then USER and HOST are separately checked,
# restricting logins to particular users from particular hosts.
# The allow/deny directives are processed in the following order:
# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
AllowUsers django

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory
# or files world-writable.
StrictModes yes

# Specifies the maximum number of authentication attempts permitted per
# connection. Once the number of failures reaches half this value,
# additional failures are logged.
MaxAuthTries 2

# Specifies the maximum number of open sessions permitted per network
# connection.
MaxSessions 10

# Specifies the file that contains the public keys that can be used for
# user authentication. AuthorizedKeysFile may contain tokens of the form
# %T which are substituted during connection setup. The following tokens
# are defined: %% is replaced by a literal '%', %h is replaced by the
# home directory of the user being authenticated, and %u is replaced by
# the username of that user. After expansion, AuthorizedKeysFile is
# taken to be an absolute path or one relative to the user's home directory.
AuthorizedKeysFile .ssh/authorized_keys

# Specifies whether public key authentication is allowed. The default is
# ''yes''. Note that this option applies to protocol version 2 only.
PubkeyAuthentication yes

# Specifies whether rhosts or /etc/hosts.equiv authentication together
# with successful RSA host authentication is allowed. This applies to
# protocol version 1 only.
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# (If you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication and
# HostbasedAuthentication, set IgnoreUserKnownHosts, below, to yes.)
RhostsRSAAuthentication no

# Specifies whether rhosts or /etc/hosts.equiv authentication together
# with successful public key client host authentication is allowed
# (host-based authentication). This option is similar to
# RhostsRSAAuthentication and applies to protocol version 2 only.
HostbasedAuthentication no

# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication.
IgnoreUserKnownHosts no

# Specifies that .rhosts and .shosts files will not be used in
# RhostsRSAAuthentication or HostbasedAuthentication.
# /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.
IgnoreRhosts yes

# Specifies whether password authentication is allowed. To disable tunneled
# clear text passwords, change to no here!
PasswordAuthentication yes

# When password authentication is allowed, it specifies whether the server
# allows login to accounts with empty password strings. The default is ''no''.
PermitEmptyPasswords no

# Specifies whether challenge-response authentication is allowed
# (e.g. via PAM or through authentication styles supported in login.conf(5)).
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Specifies whether user authentication based on GSSAPI is allowed.
GSSAPIAuthentication no

# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
# exchange doesn't rely on ssh keys to verify host identity.
GSSAPIKeyExchange no

# Specifies whether to automatically destroy the user's credentials cache
# on logout.
GSSAPICleanupCredentials yes

# Determines whether to be strict about the identity of the GSSAPI acceptor
# a client authenticates against. If ''yes'' then the client must authenticate
# against the host service on the current hostname. If ''no'' then the client
# may authenticate against any service key stored in the machine's default
# store. This facility is provided to assist with operation on multi homed
# machines. The default is ''yes''. Note that this option applies only to
# protocol version 2 GSSAPI connections, and setting it to ''no'' may only
# work with recent Kerberos GSSAPI libraries.
GSSAPIStrictAcceptorCheck yes

# Controls whether the user's GSSAPI credentials should be updated following
# a successful connection rekeying. This option can be used to accept
# renewed or updated credentials from a compatible client.
GSSAPIStoreCredentialsOnRekey no

# Specifies whether ssh-agent(1) forwarding is permitted. The default is
# ''yes''. Note that disabling agent forwarding does not improve security
# unless users are also denied shell access, as they can always install
# their own forwarders.
AllowAgentForwarding yes

# Specifies whether TCP forwarding is permitted. The default is ''yes''.
# Note that disabling TCP forwarding does not improve security unless users
# are also denied shell access, as they can always install their own
# forwarders.
AllowTcpForwarding yes

# Specifies whether remote hosts are allowed to connect to ports forwarded
# for the client. By default, sshd(8) binds remote port forwardings to the
# loopback address. This prevents other remote hosts from connecting to
# forwarded ports. GatewayPorts can be used to specify that sshd should
# allow remote port forwardings to bind to non-loopback addresses, thus
# allowing other hosts to connect. The argument may be ''no'' to force
# remote port forwardings to be available to the local host only, ''yes''
# to force remote port forwardings to bind to the wildcard address, or
# ''clientspecified'' to allow the client to select the address to which
# the forwarding is bound. The default is ''no''.
GatewayPorts no

# Specifies whether X11 forwarding is permitted. The argument must be
# ''yes'' or ''no''. The default is ''no''.
# When X11 forwarding is enabled, there may be additional exposure to the
# server and to client displays if the sshd(8) proxy display is configured
# to listen on the wildcard address (see X11UseLocalhost below), though this
# is not the default.
# Additionally, the authentication spoofing and
# authentication data verification and substitution occur on the client side.
# The security risk of using X11 forwarding is that the client's X11 display
# server may be exposed to attack when the SSH client requests forwarding
# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
# may have a stance in which they want to protect clients that may expose
# themselves to attack by unwittingly requesting X11 forwarding, which can
# warrant a ''no'' setting. Note that disabling X11 forwarding does not
# prevent users from forwarding X11 traffic, as users can always install
# their own forwarders. X11 forwarding is automatically disabled if UseLogin
# is enabled.
X11Forwarding yes

# Specifies the first display number available for sshd(8)'s X11 forwarding.
# This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10

# Specifies whether sshd(8) should bind the X11 forwarding server to the
# loopback address or to the wildcard address. By default, sshd binds the
# forwarding server to the loopback address and sets the hostname part of
# the DISPLAY environment variable to ''localhost''. This prevents remote
# hosts from connecting to the proxy display. However, some older X11 clients
# may not function with this configuration. X11UseLocalhost may be set to
# ''no'' to specify that the forwarding server should be bound to the
# wildcard address. The argument must be ''yes'' or ''no''. The default is
# ''yes''.
X11UseLocalhost yes

# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.) The default is ''yes''.
PrintMotd yes

# Specifies whether sshd(8) should print the date and time of the last user
# login when a user logs in interactively. The default is ''yes''.
PrintLastLog yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux
# and may cause several problems.
UsePAM yes

# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic. After successful
# authentication, another process will be created that has the privilege of
# the authenticated user. The goal of privilege separation is to prevent
# privilege escalation by containing any corruption within the unprivileged
# processes.
UsePrivilegeSeparation sandbox

# Sets a timeout interval in seconds after which if no data has been
# received from the client, sshd(8) will send a message through the
# encrypted channel to request a response from the client. The default is 0,
# indicating that these messages will not be sent to the client. This option
# applies to protocol version 2 only.
ClientAliveInterval 900

# Sets the number of client alive messages (see above) which may be sent
# without sshd(8) receiving any messages back from the client. If this
# threshold is reached while client alive messages are being sent, sshd will
# disconnect the client, terminating the session. It is important to note
# that the use of client alive messages is very different from TCPKeepAlive
# (below). The client alive messages are sent through the encrypted channel
# and therefore will not be spoofable.
# The TCP keepalive option enabled by
# TCPKeepAlive is spoofable. The client alive mechanism is valuable when the
# client or server depend on knowing when a connection has become inactive.
# The default value is 3. If ClientAliveInterval (see above) is set to 15,
# and ClientAliveCountMax is left at the default, unresponsive SSH clients
# will be disconnected after approximately 45 seconds. This option applies
# to protocol version 2 only.
# Caveat for the value 0 used here: on OpenSSH releases before 8.2 it
# disconnects the client at the first missed check, i.e. after roughly one
# ClientAliveInterval (900 seconds) of silence; from 8.2 on, 0 disables
# disconnection entirely. For an idle timeout that behaves the same on
# every release, use a value of 1 or more.
ClientAliveCountMax 0

# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one of
# the machines will be properly noticed. However, this means that
# connections will die if the route is down temporarily, and some people
# find it annoying. On the other hand, if TCP keepalives are not sent,
# sessions may hang indefinitely on the server, leaving ''ghost'' users
# and consuming server resources. The default is ''yes'' (to send TCP
# keepalive messages), and the server will notice if the network goes down
# or the client host crashes. This avoids infinitely hanging sessions.
# To disable TCP keepalive messages, the value should be set to ''no''.
TCPKeepAlive yes

# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
UseDNS yes

# Specifies the file that contains the process ID of the SSH daemon.
# The default is /var/run/sshd.pid.
PidFile /var/run/sshd.pid

# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. Additional connections will be dropped until
# authentication succeeds or the LoginGraceTime expires for a connection.
# The default is 10.
# Alternatively, random early drop can be enabled by specifying the three
# colon separated values ''start:rate:full'' (e.g. "10:30:60").
# sshd(8)
# will refuse connection attempts with a probability of ''rate/100'' (30%)
# if there are currently ''start'' (10) unauthenticated connections. The
# probability increases linearly and all connection attempts are refused
# if the number of unauthenticated connections reaches ''full'' (60).
MaxStartups 10:30:100

# Specifies whether tun(4) device forwarding is allowed. The argument must
# be ''yes'', ''point-to-point'' (layer 3), ''ethernet'' (layer 2), or
# ''no''. Specifying ''yes'' permits both ''point-to-point'' and
# ''ethernet''. The default is ''no''.
PermitTunnel no

# Specifies a path to chroot(2) to after authentication. This path, and all
# its components, must be root-owned directories that are not writable by
# any other user or group. After the chroot, sshd(8) changes the working
# directory to the user's home directory.
# The path may contain the following tokens that are expanded at runtime
# once the connecting user has been authenticated: %% is replaced by a
# literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user.
# The ChrootDirectory must contain the necessary files and directories to
# support the user's session. For an interactive session this requires at
# least a shell, typically sh(1), and basic /dev nodes such as null(4),
# zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.
# For file transfer sessions using ''sftp'', no additional configuration
# of the environment is necessary if the in-process sftp server is used,
# though sessions which use logging do require /dev/log inside the chroot
# directory (see sftp-server(8) for details).
ChrootDirectory none

# The contents of the specified file are sent to the remote user before
# authentication is allowed.
Banner /etc/issue.net

# Specifies whether ~/.ssh/environment and environment= options in
# ~/.ssh/authorized_keys are processed by sshd(8).
# Enabling environment
# processing may enable users to bypass access restrictions in some
# configurations using mechanisms such as LD_PRELOAD.
PermitUserEnvironment no

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
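The moduli clean-up sketched in the KexAlgorithms comment above (awk on the 5th column, then "make sure there is something left", then mv) is destructive if the filter leaves nothing behind. The following is an added example, not part of the shipped sshd_config or of OpenSSH: a POSIX shell function that performs the same filtering but refuses to replace the file when no group survives, exercised on a constructed five-line moduli sample whose modulus column is a placeholder. The function names and the sample are this example's own.

```shell
#!/bin/sh
# Added example, not part of the shipped file: the moduli pruning step from
# the KexAlgorithms comment, with the "make sure there is something left"
# check enforced before the original is touched. Column 5 of a moduli(5)
# line is the group size in bits; comment lines are preserved.
# Usage: prune_moduli MODULI_FILE [MINSIZE]   -> prints the surviving count
# Exit 0 on success; exit 1 (file untouched) if nothing would survive.
prune_moduli() {
    src=$1; min=${2:-2000}
    tmp=$(mktemp) || return 1
    awk -v min="$min" '
        /^#/ { print; next }            # keep header/comment lines
        NF >= 7 && $5 + 0 > min + 0     # keep only groups above the floor
    ' "$src" > "$tmp"
    kept=$(awk '!/^#/ && NF > 0 { n++ } END { print n + 0 }' "$tmp")
    if [ "$kept" -eq 0 ]; then
        echo "prune_moduli: no groups above $min bits in $src; left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$src"    # rewrite in place so owner and mode of $src survive
    rm -f "$tmp"
    echo "$kept"
}

# Constructed sample: the size values of a real moduli file, a fake modulus
# column. Only the 2047- and 4095-bit lines should survive a floor of 2000.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150520130000 2 6 100 1023 2 F00DFACE
20150520130000 2 6 100 1535 2 F00DFACE
20150520130000 2 6 100 2047 2 F00DFACE
20150520130000 2 6 100 4095 2 F00DFACE
EOF
}

# Demonstration on the sample (remove when sourcing the helper):
tmp=$(mktemp); write_sample_moduli "$tmp"
prune_moduli "$tmp" 2000      # -> 2
wc -l < "$tmp"                # -> 3 (header plus the two surviving groups)
rm -f "$tmp"
```

On a real host run it as root against /etc/ssh/moduli; a floor that nothing clears leaves the file exactly as it was, which is the failure mode the original three-line recipe only guards against by eye.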
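The MaxStartups paragraph explains random early drop with the example "10:30:60" while the file itself uses "10:30:100", which makes the numbers easy to misread. As an added example, not part of the shipped file or of OpenSSH, the following POSIX shell function computes the refusal probability the paragraph describes for a given "start:rate:full" and a current count of unauthenticated connections, and also covers the bare-number form ("MaxStartups 10"), which is a hard cap. Whole-percent integer arithmetic is this model's own choice.

```shell
#!/bin/sh
# Added example, not part of the shipped file: the refusal probability that
# the MaxStartups "start:rate:full" paragraph describes, for a given number
# of currently unauthenticated connections. Below "start" nothing is
# refused, at "start" the chance is rate%, it ramps linearly, and at "full"
# everything is refused. A bare number is the same as start=full=N, i.e. a
# hard cap. Integer arithmetic truncates the ramp to whole percent (an
# assumption of this model).
# Usage: maxstartups_drop_pct START:RATE:FULL|N  CURRENT  -> prints 0..100
maxstartups_drop_pct() {
    spec=$1; n=$2
    case $spec in
        *:*:*) start=${spec%%:*}; rest=${spec#*:}
               rate=${rest%%:*};  full=${rest#*:} ;;
        *)     start=$spec; rate=100; full=$spec ;;
    esac
    if [ "$n" -lt "$start" ]; then echo 0; return 0; fi
    if [ "$n" -ge "$full" ] || [ "$rate" -ge 100 ]; then echo 100; return 0; fi
    echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
}

# Walk the ramp for the value configured in this file.
for n in 5 10 30 55 99 100; do
    printf 'MaxStartups 10:30:100, %3d pending: refuse %3d%%\n' \
        "$n" "$(maxstartups_drop_pct 10:30:100 "$n")"
done
```

With LoginGraceTime 0 (as above) a pending connection never ages out on its own, so the count walks up this ramp and stays there until the peers disconnect; that interaction is worth checking before copying both settings.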
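Two rules decide what a file like this one actually enforces: sshd(8) takes the first value it reads for each keyword, and anything after the first Match line applies only conditionally. Both are easy to miss when a hardening directive is pasted at the bottom of a distribution file that already sets it. The following is an added example, not part of the shipped sshd_config or of OpenSSH: a POSIX shell helper that resolves a keyword under those rules and audits the directives above that a reviewer checks first (root login, password authentication, empty passwords, user environment, protocol version). The function names, the checklist and the sample fragment are this example's own; the authoritative answer for a running daemon remains "sshd -T".

```shell
#!/bin/sh
# Added example (not part of the shipped sshd_config): read a keyword's
# EFFECTIVE value from an sshd_config file the way sshd(8) resolves it.
# Keywords are case-insensitive, the first occurrence wins, "Keyword=value"
# is accepted as well as "Keyword value", and everything from the first
# Match block on is conditional, so it is not consulted here.
# Usage: sshd_effective KEYWORD FILE   -> prints the value; exit 1 if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # strip comments, allow key=value
        NF == 0 { next }                     # blank after stripping
        tolower($1) == "match" { exit }      # conditional section: stop here
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Usage: sshd_expect KEYWORD WANTED FILE
# Succeeds when the effective value equals WANTED (case-insensitively);
# otherwise prints a finding and fails. An unset keyword reads as "(default)".
sshd_expect() {
    got=$(sshd_effective "$1" "$3") || got="(default)"
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$2" ]; then
        return 0
    fi
    printf '%s is %s, want %s\n' "$1" "$got" "$2"
    return 1
}

# Usage: sshd_audit FILE   -> prints findings; exit status = their number
sshd_audit() {
    n=0
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                PermitEmptyPasswords:no PermitUserEnvironment:no Protocol:2
    do
        sshd_expect "${pair%%:*}" "${pair#*:}" "$1" || n=$((n + 1))
    done
    return "$n"
}

# Constructed sample (not a real host's config) exercising the three rules:
# a repeated keyword, the key=value form, and a Match block.
write_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config fragment
Protocol 2
PermitRootLogin no
PermitRootLogin yes          # ignored: the first value above wins
PasswordAuthentication=no
Match User backup
    PasswordAuthentication yes
    PermitUserEnvironment yes
EOF
}

# Demonstration: only the two keywords left at their defaults are reported.
tmp=$(mktemp); write_sample_config "$tmp"
sshd_audit "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

Run against the file above, the same audit flags PasswordAuthentication (set to yes) and nothing else; the PermitUserEnvironment line inside the sample's Match block is correctly not counted, because it only applies to the matched user.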