Sync this config with the fedora default

2015-02-16 01:13:30 +00:00 · 2015-02-16 01:13:30 +00:00 · 2e7420e11c
commit 2e7420e11c
parent ee510b954c
1 changed files with 63 additions and 33 deletions
--- a/roles/base/files/ssh/sshd_config.releng
+++ b/roles/base/files/ssh/sshd_config.releng
@ -1,48 +1,65 @@
-#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
+#	$OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
+# possible, but leave them commented.  Uncommented options override the
 # default value.
 # If you want to change the port on a SELinux system, you have to tell
 # SELinux about this change.
 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 #
 #Port 22
 #Protocol 2,1
 Protocol 2
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 # The default requires explicit activation of protocol 1
 #Protocol 2
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
-#ServerKeyBits 768
+#ServerKeyBits 1024
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
-LogLevel VERBOSE
+#LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
 PermitRootLogin without-password
 StrictModes yes
 PasswordAuthentication no
 #MaxAuthTries 6
 #MaxSessions 10
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-#AuthorizedKeysFile	.ssh/authorized_keys
+
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
@ -54,11 +71,6 @@ StrictModes yes
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 PasswordAuthentication no
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 ChallengeResponseAuthentication no
@ -68,32 +80,32 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 #KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
-GSSAPIAuthentication no
+GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
-GSSAPICleanupCredentials no
+GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-# be allowed through the ChallengeResponseAuthentication mechanism. 
+# be allowed through the ChallengeResponseAuthentication and
-# Depending on your PAM configuration, this may bypass the setting of 
+# PasswordAuthentication.  Depending on your PAM configuration,
-# PasswordAuthentication, PermitEmptyPasswords, and 
+# PAM authentication via ChallengeResponseAuthentication may bypass
-# "PermitRootLogin without-password". If you just want the PAM account and 
+# the setting of "PermitRootLogin without-password".
-# session checks to run without PAM authentication, then enable this but set 
+# If you just want the PAM account and session checks to run without
-# ChallengeResponseAuthentication=no
+# PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 # WARNING: 'UsePAM no' is not supported in Fedora and may cause several
 # problems.
 #UsePAM no
 UsePAM yes
-# Accept locale-related environment variables
+#AllowAgentForwarding yes
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 AcceptEnv LC_IDENTIFICATION LC_ALL
 #AllowTcpForwarding yes
 AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
 X11Forwarding yes
@ -103,7 +115,7 @@ X11Forwarding yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox		# Default for new installations.
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
@ -111,11 +123,29 @@ X11Forwarding yes
 #ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
-PermitTunnel no
+#PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
-#Banner /some/path
+#Banner none
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/openssh/sftp-server
 # Uncomment this if you want to use .local domain
 #Host *.local
 #	CheckHostIP no
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	ForceCommand cvs server