From 2e7420e11c109f55c26ca34fd9a9362291835b25 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 16 Feb 2015 01:13:30 +0000
Subject: [PATCH] Sync this config with the fedora default
---
 roles/base/files/ssh/sshd_config.releng | 96 ++++++++++++++++---------
 1 file changed, 63 insertions(+), 33 deletions(-)
diff --git a/roles/base/files/ssh/sshd_config.releng b/roles/base/files/ssh/sshd_config.releng
index 996c262579..080de0d1ca 100644
--- a/roles/base/files/ssh/sshd_config.releng
+++ b/roles/base/files/ssh/sshd_config.releng
@@ -1,48 +1,65 @@
-# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
+# possible, but leave them commented. Uncommented options override the
 # default value.
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
 #Port 22
-#Protocol 2,1
-Protocol 2
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
-#ServerKeyBits 768
+#ServerKeyBits 1024
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
-LogLevel VERBOSE
+#LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
 PermitRootLogin without-password
 StrictModes yes
+PasswordAuthentication no
+
 #MaxAuthTries 6
+#MaxSessions 10
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile .ssh/authorized_keys
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
@@ -54,11 +71,6 @@ StrictModes yes
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-PasswordAuthentication no
-
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 ChallengeResponseAuthentication no
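Review bot: Replacing the explicit `LogLevel VERBOSE` with the commented default `#LogLevel INFO` in the first hunk drops the audit detail the releng hosts had: at VERBOSE sshd records the fingerprint of the public key that authenticated each login, which is what lets an incident responder tie a session to a specific authorized key, and INFO does not. If the goal is only to pick up the newer Fedora defaults, keep the one line `LogLevel VERBOSE` in place of `#LogLevel INFO`. Commenting out `HostKey /etc/ssh/ssh_host_rsa_key` in the same hunk is harmless because the compiled-in defaults still load that key, but it is a behaviour-relevant change that the commit message does not mention.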
@@ -68,32 +80,32 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
+#KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
-GSSAPIAuthentication no
+GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
-GSSAPICleanupCredentials no
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication mechanism.
-# Depending on your PAM configuration, this may bypass the setting of
-# PasswordAuthentication, PermitEmptyPasswords, and
-# "PermitRootLogin without-password". If you just want the PAM account and
-# session checks to run without PAM authentication, then enable this but set
-# ChallengeResponseAuthentication=no
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
 #UsePAM no
 UsePAM yes
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL
+#AllowAgentForwarding yes
 #AllowTcpForwarding yes
-AllowTcpForwarding yes
-
-
 #GatewayPorts no
 #X11Forwarding no
 X11Forwarding yes
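Review bot: `GSSAPIAuthentication yes` (with `GSSAPICleanupCredentials yes`) turns on a second accepted credential type on the releng hosts, where the previous config had both explicitly set to `no`, and the commit message only says the file is being synced with the Fedora default, so it is not clear this widening is intended. The rest of the file is deliberately key-only (`PasswordAuthentication no`, `ChallengeResponseAuthentication no`); if these hosts are not expected to accept Kerberos logins, keep `GSSAPIAuthentication no` and `GSSAPICleanupCredentials no` here. Whichever way it is decided, a one-line comment above `GSSAPIAuthentication` stating whether Kerberos logins are expected on this host class would stop the next default-sync from silently flipping it again.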
@@ -103,7 +115,7 @@ X11Forwarding yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox # Default for new installations.
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
@@ -111,11 +123,29 @@ X11Forwarding yes
 #ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
-PermitTunnel no
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
 # no default banner path
-#Banner /some/path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
 # override default of no subsystems
 Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Uncomment this if you want to use .local domain
+#Host *.local
+# CheckHostIP no
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server