#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

# Specifies which address family should be used by sshd(8). Valid arguments
# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only). 
AddressFamily any

# Specifies the local addresses sshd(8) should listen on. The following 
# forms may be used:
#                   ListenAddress host|IPv4_addr|IPv6_addr
#                   ListenAddress host|IPv4_addr:port
#                   ListenAddress [host|IPv6_addr]:port
# If port is not specified, sshd will listen on the address and all prior 
# Port options specified. The default is to listen on all local addresses. 
# Multiple ListenAddress options are permitted. Additionally, any Port 
# options must precede this option for non-port qualified addresses. 
ListenAddress 0.0.0.0:10022

# Specifies the protocol versions sshd(8) supports. The possible values are 
# '1' and '2'. Multiple versions must be comma-separated. The default is 
# ''2,1''. Note that the order of the protocol list does not indicate 
# preference, because the client selects among multiple protocol versions 
# offered by the server. Specifying ''2,1'' is identical to ''1,2''.  
Protocol 2

# Specifies a file containing a private host key used by SSH. The default 
# is /etc/ssh/ssh_host_key for protocol version 1, and 
# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol 
# version 2. Note that sshd(8) will refuse to use a file if it is 
# group/world-accessible. It is possible to have multiple host key files.
# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for
# version 2 of the SSH protocol. 
HostKey /etc/ssh/ssh_host_ed25519_key

# Specifies the ciphers allowed for protocol version 2. Multiple ciphers 
# must be comma-separated. The supported ciphers are ''3des-cbc'', 
# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', 
# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', 
# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

# MACs' Specifies the available MAC (message authentication code) 
# algorithms. The MAC algorithm is used in protocol version 2 for data 
# integrity protection. Multiple algorithms must be comma-separated.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Specifies the available KEX (Key Exchange) algorithms. Multiple 
# algorithms must be comma-separated. For ineroperability with Eclipse 
# and WinSCP): 
# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# If needed, open /etc/ssh/moduli if exists, and delete lines where the 
# 5th column is less than 2000.
#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
#   wc -l "${HOME}/moduli"
# make sure there is something left
#   mv "${HOME}/moduli" /etc/ssh/moduli
#
# CentOS 6
# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# CentOS 7 / Fedora >21 "only"
KexAlgorithms curve25519-sha256@libssh.org

# Logging
# Gives the facility code that is used when logging messages from sshd(8). 
# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, 
# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 
SyslogFacility AUTHPRIV

# Gives the verbosity level that is used when logging messages from sshd(8).
# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, 
# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are 
# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging 
# output. Logging with a DEBUG level violates the privacy of users and is 
# not recommended.
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a 
# clear audit track of which key was using to log in.
LogLevel VERBOSE

# Configures an external subsystem (e.g. file transfer daemon). Arguments 
# should be a subsystem name and a command (with optional arguments) to 
# execute upon subsystem request. Log sftp level file access 
# (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Authentication:
# The server disconnects after this time if the user has not successfully 
# logged in. If the value is 0, there is no time limit.
LoginGraceTime 0

# Specifies whether root can log in using ssh(1). The argument must be 
# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''. 
# The default is ''yes''. If this option is set to ''without-password'', 
# password authentication is disabled for root. If this option is set to
# ''forced-commands-only'', root login with public key authentication will 
# be allowed, but only if the command option has been specified (which 
# may be useful for taking remote backups even if root login is normally 
# not allowed). All other authentication methods are disabled for root.
# If this option is set to ''no'', root is not allowed to log in.  
PermitRootLogin no

# This keyword can be followed by a list of user name patterns, separated 
# by spaces. If specified, login is allowed only for user names that match 
# one of the patterns. Only user names are valid; a numerical user ID is 
# not recognized. By default, login is allowed for all users. If the pattern
# takes the form USER@HOST then USER and HOST are separately checked, 
# restricting logins to particular users from particular hosts. The 
# allow/deny directives are processed in the following order: 
# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. 
AllowUsers django

# Specifies whether sshd(8) should check file modes and ownership of the 
# user's files and home directory before accepting login. This is normally 
# desirable because novices sometimes accidentally leave their directory 
# or files world-writable.
StrictModes yes

# Specifies the maximum number of authentication attempts permitted per 
# connection. Once the number of failures reaches half this value, 
# additional failures are logged.
MaxAuthTries 2

# Specifies the maximum number of open sessions permitted per network 
# connection.
MaxSessions 10

# Specifies the file that contains the public keys that can be used for 
# user authentication. AuthorizedKeysFile may contain tokens of the form
# %T which are substituted during connection setup. The following tokens
# are defined: %% is replaced by a literal '%', %h is replaced by the 
# home directory of the user being authenticated, and %u is replaced by
# the username of that user. After expansion, AuthorizedKeysFile is
# taken to be an absolute path or one relative to the user's home directory.
AuthorizedKeysFile      .ssh/authorized_keys

# Specifies whether public key authentication is allowed. The default is 
# ''yes''. Note that this option applies to protocol version 2 only.
PubkeyAuthentication yes

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
RhostsRSAAuthentication no
# Specifies whether rhosts or /etc/hosts.equiv authentication together 
# with successful public key client host authentication is allowed 
# (host-based authentication). This option is similar to 
# RhostsRSAAuthentication and applies to protocol version 2 only.
HostbasedAuthentication no

# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts 
# during RhostsRSAAuthentication or HostbasedAuthentication.
IgnoreUserKnownHosts no

# Specifies that .rhosts and .shosts files will not be used in 
# RhostsRSAAuthentication or HostbasedAuthentication.
# /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.
IgnoreRhosts yes

# Specifies whether password authentication is allowed. To disable tunneled 
# clear text passwords, change to no here!
PasswordAuthentication yes

# When password authentication is allowed, it specifies whether the server 
# allows login to accounts with empty password strings. The default is ''no''.  
PermitEmptyPasswords no

# Specifies whether challenge-response authentication is allowed 
# (e.g. via PAM or though authentication styles supported in login.conf(5))
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Specifies whether user authentication based on GSSAPI is allowed.
GSSAPIAuthentication no

# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key 
# exchange doesn't rely on ssh keys to verify host identity. 
GSSAPIKeyExchange no

# Specifies whether to automatically destroy the user's credentials cache 
# on logout. 
GSSAPICleanupCredentials yes

# Determines whether to be strict about the identity of the GSSAPI acceptor 
# a client authenticates against. If ''yes'' then the client must authenticate
# against the host service on the current hostname. If ''no'' then the client 
# may authenticate against any service key stored in the machine's default
# store. This facility is provided to assist with operation on multi homed 
# machines. The default is ''yes''. Note that this option applies only to 
# protocol version 2 GSSAPI connections, and setting it to ''no'' may only 
# work with recent Kerberos GSSAPI libraries. 
GSSAPIStrictAcceptorCheck yes

# Controls whether the user's GSSAPI credentials should be updated following 
# a successful connection rekeying. This option can be used to accepted 
# renewed or updated credentials from a compatible client.
GSSAPIStoreCredentialsOnRekey no

# Specifies whether ssh-agent(1) forwarding is permitted. The default is 
# ''yes''. Note that disabling agent forwarding does not improve security 
# unless users are also denied shell access, as they can always install 
# their own forwarders.
AllowAgentForwarding yes

# Specifies whether TCP forwarding is permitted. The default is ''yes''. 
# Note that disabling TCP forwarding does not improve security unless users
# are also denied shell access, as they can always install their own 
# forwarders. 
AllowTcpForwarding yes

# Specifies whether remote hosts are allowed to connect to ports forwarded
# for the client. By default, sshd(8) binds remote port forwardings to the
# loopback address. This prevents other remote hosts from connecting to 
# forwarded ports. GatewayPorts can be used to specify that sshd should 
# allow remote port forwardings to bind to non-loopback addresses, thus 
# allowing other hosts to connect. The argument may be ''no'' to force 
# remote port forwardings to be available to the local host only, ''yes''
# to force remote port forwardings to bind to the wildcard address, or 
# ''clientspecified'' to allow the client to select the address to which 
# the forwarding is bound. The default is ''no''. 
GatewayPorts no

# Specifies whether X11 forwarding is permitted. The argument must be 
# ''yes'' or ''no''. The default is ''no''.
# When X11 forwarding is enabled, there may be additional exposure to the
# server and to client displays if the sshd(8) proxy display is configured
# to listen on the wildcard address (see X11UseLocalhost below), though this
# is not the default. Additionally, the authentication spoofing and 
# authentication data verification and substitution occur on the client side.
# The security risk of using X11 forwarding is that the client's X11 display
# server may be exposed to attack when the SSH client requests forwarding 
# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
# may have a stance in which they want to protect clients that may expose
# themselves to attack by unwittingly requesting X11 forwarding, which can 
# warrant a ''no'' setting. Note that disabling X11 forwarding does not 
# prevent users from forwarding X11 traffic, as users can always install 
# their own forwarders. X11 forwarding is automatically disabled if UseLogin
# is enabled. 
X11Forwarding yes

# Specifies the first display number available for sshd(8)'s X11 forwarding.
# This prevents sshd from interfering with real X11 servers. 
# The default is 10. 
X11DisplayOffset 10

# Specifies whether sshd(8) should bind the X11 forwarding server to the 
# loopback address or to the wildcard address. By default, sshd binds the
# forwarding server to the loopback address and sets the hostname part of
# the DISPLAY environment variable to ''localhost''. This prevents remote
# hosts from connecting to the proxy display. However, some older X11 clients
# may not function with this configuration. X11UseLocalhost may be set to 
# ''no'' to specify that the forwarding server should be bound to the 
# wildcard address. The argument must be ''yes'' or ''no''. The default is 
# ''yes''. 
X11UseLocalhost yes

# Specifies whether sshd(8) should print /etc/motd when a user logs in 
# interactively. (On some systems it is also printed by the shell, 
# /etc/profile, or equivalent.) The default is ''yes''.
PrintMotd yes

# Specifies whether sshd(8) should print the date and time of the last user
# login when a user logs in interactively. The default is ''yes''. 
PrintLastLog yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux 
# and may cause several problems.
UsePAM yes

# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic. After successful 
# authentication, another process will be created that has the privilege of
# the authenticated user. The goal of privilege separation is to prevent 
# privilege escalation by containing any corruption within the unprivileged 
# processes. 
UsePrivilegeSeparation sandbox

# Sets a timeout interval in seconds after which if no data has been
# received from the client, sshd(8) will send a message through the 
# encrypted channel to request a response from the client. The default is 0,
# indicating that these messages will not be sent to the client. This option
# applies to protocol version 2 only. 
ClientAliveInterval 900


# Sets the number of client alive messages (see below) which may be sent 
# without sshd(8) receiving any messages back from the client. If this 
# threshold is reached while client alive messages are being sent, sshd will
# disconnect the client, terminating the session. It is important to note 
# that the use of client alive messages is very different from TCPKeepAlive
# (below). The client alive messages are sent through the encrypted channel
# and therefore will not be spoofable. The TCP keepalive option enabled by 
# TCPKeepAlive is spoofable. The client alive mechanism is valuable when the
# client or server depend on knowing when a connection has become inactive.
# The default value is 3. If ClientAliveInterval (see below) is set to 15,
# and ClientAliveCountMax is left at the default, unresponsive SSH clients 
# will be disconnected after approximately 45 seconds. This option applies 
# to protocol version 2 only. 
ClientAliveCountMax 0

# Specifies whether the system should send TCP keepalive messages to the 
# other side. If they are sent, death of the connection or crash of one of
# the machines will be properly noticed. However, this means that 
# connections will die if the route is down temporarily, and some people 
# find it annoying. On the other hand, if TCP keepalives are not sent, 
# sessions may hang indefinitely on the server, leaving ''ghost'' users 
# and consuming server resources. The default is ''yes'' (to send TCP 
# keepalive messages), and the server will notice if the network goes down
# or the client host crashes. This avoids infinitely hanging sessions.
# To disable TCP keepalive messages, the value should be set to ''no''. 
TCPKeepAlive yes

# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the 
# very same IP address. 
UseDNS yes

# Specifies the file that contains the process ID of the SSH daemon. 
# The default is /var/run/sshd.pid. 
PidFile /var/run/sshd.pid

# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. Additional connections will be dropped until 
# authentication succeeds or the LoginGraceTime expires for a connection.
# The default is 10. 
# Alternatively, random early drop can be enabled by specifying the three
# colon separated values ''start:rate:full'' (e.g. "10:30:60"). sshd(8) 
# will refuse connection attempts with a probability of ''rate/100'' (30%)
# if there are currently ''start'' (10) unauthenticated connections. The 
# probability increases linearly and all connection attempts are refused 
# if the number of unauthenticated connections reaches ''full'' (60). 
MaxStartups 10:30:100

# Specifies whether tun(4) device forwarding is allowed. The argument must 
# be ''yes'', ''point-to-point'' (layer 3), ''ethernet'' (layer 2), or 
# ''no''. Specifying ''yes'' permits both ''point-to-point'' and 
# ''ethernet''. The default is ''no''.
PermitTunnel no

# Specifies a path to chroot(2) to after authentication. This path, and all
# its components, must be root-owned directories that are not writable by 
# any other user or group. After the chroot, sshd(8) changes the working 
# directory to the user's home directory.
# The path may contain the following tokens that are expanded at runtime 
# once the connecting user has been authenticated: %% is replaced by a 
# literal '%', %h is replaced by the home directory of the user being 
# authenticated, and %u is replaced by the username of that user.
# The ChrootDirectory must contain the necessary files and directories to 
# support the user's session. For an interactive session this requires at
# least a shell, typically sh(1), and basic /dev nodes such as null(4), 
# zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.
# For file transfer sessions using ''sftp'', no additional configuration 
# of the environment is necessary if the in-process sftp server is used, 
# though sessions which use logging do require /dev/log inside the chroot
# directory (see sftp-server(8) for details).
ChrootDirectory none

# The contents of the specified file are sent to the remote user before 
# authentication is allowed. 
Banner /etc/issue.net

# pecifies whether ~/.ssh/environment and environment= options in 
# ~/.ssh/authorized_keys are processed by sshd(8). Enabling environment 
# processing may enable users to bypass access restrictions in some 
# configurations using mechanisms such as LD_PRELOAD.
PermitUserEnvironment no

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server